File glibc-fix-avx512-mempcpy.patch of Package glibc.15121
[BZ #23196]
CVE-2018-11237
* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
(L(preloop_large)): Save initial destination pointer in %r11 and
use it instead of %rax after the loop.
* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
Index: glibc-2.26/string/test-mempcpy.c
===================================================================
--- glibc-2.26.orig/string/test-mempcpy.c
+++ glibc-2.26/string/test-mempcpy.c
@@ -18,6 +18,7 @@
<http://www.gnu.org/licenses/>. */
#define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
#define TEST_MAIN
#define TEST_NAME "mempcpy"
#include "test-string.h"
Index: glibc-2.26/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
===================================================================
--- glibc-2.26.orig/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ glibc-2.26/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -340,6 +340,7 @@ L(preloop_large):
vmovups (%rsi), %zmm4
vmovups 0x40(%rsi), %zmm5
+ mov %rdi, %r11
/* Align destination for access with non-temporal stores in the loop. */
mov %rdi, %r8
and $-0x80, %rdi
@@ -370,8 +371,8 @@ L(gobble_256bytes_nt_loop):
cmp $256, %rdx
ja L(gobble_256bytes_nt_loop)
sfence
- vmovups %zmm4, (%rax)
- vmovups %zmm5, 0x40(%rax)
+ vmovups %zmm4, (%r11)
+ vmovups %zmm5, 0x40(%r11)
jmp L(check)
L(preloop_large_bkw):