[Bug libc/25620] New: ### Summary An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a

[Bug libc/25620] Signed comparison vulnerability in the ARMv7 memcpy() (CVE-2020-6096)

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=25620

--- Comment #19 from Wilco <wdijkstr at arm dot com> ---
(In reply to Carlos O'Donell from comment #17)
> Patch posted by zhuyan (Huawei):
> https://sourceware.org/pipermail/libc-alpha/2020-April/112671.html
>
> There is discussion about how much test coverage is needed.

Enough to be 100% sure the issue is really fixed. See
https://sourceware.org/pipermail/libc-alpha/2020-May/113521.html

--
You are receiving this mail because:
You are on the CC list for the bug.

--- Comment #20 from regiwils at cisco dot com ---
Is this issue confirmed for public disclosure release?

--- Comment #21 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to regiwils from comment #20)
> Is this issue confirmed for public disclosure release?

I'm not sure what you mean by this question.

This is a public bug tracker for glibc.

The CVE is public in the MITRE CVE database:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6096

There is a public bug for this within Red Hat's tracker:
https://access.redhat.com/security/cve/cve-2020-6096
https://bugzilla.redhat.com/show_bug.cgi?id=1820331

The CVE is thus already publicly disclosed.

--- Comment #22 from regiwils at cisco dot com ---
Thank you for confirming.

--- Comment #23 from regiwils at cisco dot com ---
Will libc release notes be updated as well?

--- Comment #24 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to regiwils from comment #23)
> Will libc release notes be updated as well?

When a fix is committed there will be a release note added for CVE-2020-6096 in
the master branch top-level "NEWS" file under the "Security related changes:"
section.

The NEWS file information will go out with the release announcement email for
the release. The next time-boxed release is planned for August 1st, 2020 and
will be glibc 2.32.

As of today there is no committed fix for CVE-2020-6096.

--- Comment #25 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eec0f4218cda936a6ab8f543e90b96b196df3fc2

commit eec0f4218cda936a6ab8f543e90b96b196df3fc2
Author: Florian Weimer <[hidden email]>
Date:   Tue May 12 19:02:08 2020 +0200

    string: Add string/tst-memmove-overflow, a test case for bug 25620

    Reviewed-by: Carlos O'Donell <[hidden email]>
    Tested-by: Carlos O'Donell <[hidden email]>

--- Comment #26 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eca1b233322914d9013f3ee4aabecaadc9245abd

commit eca1b233322914d9013f3ee4aabecaadc9245abd
Author: Florian Weimer <[hidden email]>
Date:   Wed May 13 16:45:29 2020 +0200

    arm: XFAIL string/tst-memmove-overflow due to bug 25620

    Also reduce the amount of output in case of a large-scale mismatch in
    the copied data.

    Reviewed-by: Carlos O'Donell <[hidden email]>

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
            Version|2.3.1                       |2.32

--- Comment #27 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.32 with:

commit beea361050728138b82c57dda0c4810402d342b9
Author: Alexander Anisimov <[hidden email]>
Date:   Wed Jul 8 14:18:31 2020 +0200

    arm: CVE-2020-6096: Fix multiarch memcpy for negative length [BZ #25620]

    Unsigned branch instructions could be used for r2 to fix the wrong
    behavior when a negative length is passed to memcpy.
    This commit fixes the armv7 version.

commit 79a4fa341b8a89cb03f84564fd72abaa1a2db394
Author: Evgeny Eremin <[hidden email]>
Date:   Wed Jul 8 14:18:19 2020 +0200

    arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]

    Unsigned branch instructions could be used for r2 to fix the wrong
    behavior when a negative length is passed to memcpy and memmove.
    This commit fixes the generic arm implementation of memcpy and memmove.

--
You are receiving this mail because:
You are on the CC list for the bug.
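
An added illustration (not glibc code and not part of the bug thread) of the signed-versus-unsigned branch difference that the two fix commits above describe, modelled in C on a 32-bit length register. The threshold `BULK_THRESHOLD`, the path names and the helper functions are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-over between a short-copy and a bulk-copy path.
   The value is an assumption for this example, not taken from glibc. */
#define BULK_THRESHOLD 64u

enum copy_path { PATH_SHORT, PATH_BULK };

/* Reinterpret the 32-bit register contents as a signed value, which is
   what a signed condition code (GE, LT, ...) effectively does. */
static int32_t reg_as_signed(uint32_t reg)
{
    int32_t v;
    memcpy(&v, &reg, sizeof v);
    return v;
}

/* Path chosen when the length is tested with a signed comparison. */
enum copy_path select_path_signed(uint32_t len)
{
    return reg_as_signed(len) >= (int32_t)BULK_THRESHOLD ? PATH_BULK : PATH_SHORT;
}

/* Path chosen when the length is tested with an unsigned comparison
   (HS, LO, ...), matching the size_t type of memcpy's length. */
enum copy_path select_path_unsigned(uint32_t len)
{
    return len >= BULK_THRESHOLD ? PATH_BULK : PATH_SHORT;
}

/* 1 if the two comparisons disagree for this length, else 0. */
int paths_diverge(uint32_t len)
{
    return select_path_signed(len) != select_path_unsigned(len);
}

int main(void)
{
    /* Constructed sample lengths around the threshold and the sign bit. */
    const uint32_t samples[] = { 0u, 63u, 64u, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=0x%08x signed=%s unsigned=%s\n", (unsigned)samples[i],
               select_path_signed(samples[i]) == PATH_BULK ? "bulk" : "short",
               select_path_unsigned(samples[i]) == PATH_BULK ? "bulk" : "short");
    return 0;
}
```

The two comparisons agree for every length up to 0x7fffffff and disagree for every length with the top bit set, which is the range a regression test for this bug class has to cover.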

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.32

--- Comment #28 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aurelien Jarno <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b5f02dc2a9278cd068a58a3db3644e24707be49

commit 7b5f02dc2a9278cd068a58a3db3644e24707be49
Author: Aurelien Jarno <[hidden email]>
Date:   Mon Jul 13 22:37:41 2020 +0200

    arm: remove string/tst-memmove-overflow XFAIL

    The arm string/tst-memmove-overflow XFAIL has been added in commit
    eca1b233322 ("arm: XFAIL string/tst-memmove-overflow due to bug 25620")
    as a way to reproduce the reported bug.

    Now that this bug has been fixed in commits 79a4fa341b8 ("arm:
    CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620]")
    and beea3610507 ("arm: CVE-2020-6096: Fix multiarch memcpy for negative
    length [BZ #25620]"), let's remove the XFAIL.

    Reviewed-by: Carlos O'Donell <[hidden email]>

--- Comment #29 from regiwils at cisco dot com ---
Is this publicly released?

--- Comment #30 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to regiwils from comment #29)
> Is this publicly released?

The version of glibc 2.32 will contain the fix for CVE-2020-6096, and will be
released on August 3rd. The current git sources contain a fix for CVE-2020-6096
and a regression test.
