authorAndreas Schwab <schwab@suse.de>2018-05-22 10:37:59 +0200
committerAndreas Schwab <schwab@suse.de>2018-05-23 09:50:57 +0200
commit9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e (patch)
tree8ce316f806948a2b6f3c29335d39e861dc91df84
parent8f145c77123a565b816f918969e0e35ee5b89153 (diff)
Don't write beyond destination in __mempcpy_avx512_no_vzeroupper (bug 23196)
When compiled as mempcpy, the return value is the end of the destination
buffer, thus it cannot be used to refer to the start of it.
-rw-r--r--ChangeLog9
-rw-r--r--string/test-mempcpy.c1
-rw-r--r--sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S5
3 files changed, 13 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 252b0993dc..8032adfca4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-23  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23196]
+	CVE-2018-11237
+	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+	(L(preloop_large)): Save initial destination pointer in %r11 and
+	use it instead of %rax after the loop.
+	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
 2018-05-22  Joseph Myers  <joseph@codesourcery.com>
 
 	* sysdeps/aarch64/Implies: Remove aarch64/soft-fp.
diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
index c08fba895e..d98ecdd2d9 100644
--- a/string/test-mempcpy.c
+++ b/string/test-mempcpy.c
@@ -18,6 +18,7 @@
    <http://www.gnu.org/licenses/>.  */
 
 #define MEMCPY_RESULT(dst, len) (dst) + (len)
+#define MIN_PAGE_SIZE 131072
 #define TEST_MAIN
 #define TEST_NAME "mempcpy"
 #include "test-string.h"
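Review bot: `MIN_PAGE_SIZE` is defined without a comment, so the reason for 131072 and its link to this bug are left to the ChangeLog. Presumably the value makes the test buffers large enough for the harness to reach the large-copy path fixed in this commit; if so, a comment such as `/* Large enough to exercise the large-copy paths (BZ #23196).  */` above the define would keep the regression coverage from being dropped by accident. Whether the sizes the test actually uses cross the threshold for L(preloop_large) cannot be confirmed from this hunk.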
diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
index 23c0f7a9ed..effc3ac2de 100644
--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
@@ -336,6 +336,7 @@ L(preloop_large):
 	vmovups	(%rsi), %zmm4
 	vmovups	0x40(%rsi), %zmm5
 
+	mov	%rdi, %r11
 /* Align destination for access with non-temporal stores in the loop.  */
 	mov	%rdi, %r8
 	and	$-0x80, %rdi
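Review bot: The added `mov %rdi, %r11` has no comment, and the existing comment below it describes only the alignment step, so a later reader cannot tell why a second copy of %rdi is kept next to %r8. A comment such as `/* Save the original destination: %rax is the end of the buffer when built as mempcpy.  */` above the new line would record the invariant the fix depends on. The loop between this hunk and the stores in the next one is not visible here, so it should be confirmed that nothing in L(gobble_256bytes_nt_loop) writes %r11. L(preloop_large) starts before this hunk and continues past it.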
@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
 	cmp	$256, %rdx
 	ja	L(gobble_256bytes_nt_loop)
 	sfence
-	vmovups	%zmm4, (%rax)
-	vmovups	%zmm5, 0x40(%rax)
+	vmovups	%zmm4, (%r11)
+	vmovups	%zmm5, 0x40(%r11)
 	jmp	L(check)
 
 L(preloop_large_bkw):
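Review bot: Only the two stores after `sfence` are switched to %r11 here. L(preloop_large_bkw) starts on the last line of this hunk with its body outside it, and the other copy paths of the file are not shown. Any remaining store that reaches the start of the destination through %rax would presumably still write past the buffer when built as mempcpy, so those paths are worth auditing. A short comment at the stores, e.g. `/* Store the saved first 128 bytes at the original destination start.  */`, would also make clear why %r11 is used instead of %rax.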