[Bug 1999551] Re: glibc: backport AArch64 mem{cpy,cmp} improvements
Launchpad Bug Tracker
1999551 at bugs.launchpad.net
Thu Dec 7 15:48:16 UTC 2023
This bug was fixed in the package glibc - 2.31-0ubuntu9.14

---------------
glibc (2.31-0ubuntu9.14) focal-security; urgency=medium

  * SECURITY UPDATE: use-after-free through getcanonname_r plugin call
    - debian/patches/any/CVE-2023-4806.patch: copy h_name over and free it at
      the end (getaddrinfo).
    - CVE-2023-4806
  * SECURITY UPDATE: use-after-free in gaih_inet function
    - debian/patches/any/CVE-2023-4813.patch: simplify allocations and fix
      merge and continue actions.
    - CVE-2023-4813
  * debian/testsuite-xfail-debian.mk: add tst-nss-gai-actions and
    tst-nss-gai-hv2-canonname to xfails (container tests).

 -- Camila Camargo de Matos <camila.camargodematos at canonical.com>  Wed, 22 Nov 2023 10:32:50 -0300

** Changed in: glibc (Ubuntu Focal)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4806

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4813
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1999551

Title:
  glibc: backport AArch64 mem{cpy,cmp} improvements

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Focal:
  Fix Released
Status in glibc source package in Jammy:
  Triaged
Status in glibc source package in Kinetic:
  Fix Released

Bug description:
  [impact]

  There have been relatively recent improvements to the memcmp and
  memcpy routines for server-grade AArch64 implementation, in particular
  AWS's Graviton3.

  We'd like to backport those improvements to Jammy and Focal when
  appropriate, under the HWE umbrella.

  The relevant patches are

  https://sourceware.org/git/?p=glibc.git;a=commit;h=9f298bfe1f183804bb54b54ff9071afc0494906c (Jammy & Focal)
  https://sourceware.org/git/?p=glibc.git;a=commit;h=b51eb35c572b015641f03e3682c303f7631279b7 (Focal only, already present in Jammy)

  In addition, to be able to actually test the changes and their impact on
  all architectures, we'll need the following fix:

  https://sourceware.org/git/?p=glibc.git;a=commit;h=311a7e0256975275d97077f1af338bc9caf0c837

  [test case]

  Since those are optimization patches, we'll be relying on the
  autopkgtests triggered by the upload for regression detection.

  However, we'll also benchmark the optimizations on Graviton AWS
  instances as well as various Raspberry Pi models to ensure there is no
  severe performance regression on those platforms.

  To do the performance test, first install the libc from this PPA:
  https://launchpad.net/~schopin/+archive/ubuntu/glibc-benchmark
  that is the current Jammy glibc with the extra fix for benchmarking.

  Then, untar the attached archive bench-timing.tar.xz on the target
  platform, and follow the instructions from the README.

  [Regression potential]

  This could potentially impact performance on other, non-server-grade
  arm64 platforms such as RPi. Furthermore, there could be unforeseen
  issues with the newly optimized routine in edge cases (a recent amd64
  optimization had issues on page boundaries, for instance).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1999551/+subscriptions
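
The page-boundary edge case named under [Regression potential] can be checked directly against the installed libc. The following is an added example, not part of the bug report, the attached bench-timing archive or the glibc test suite; the function names map_with_guard and check_page_boundary are hypothetical. It places buffers so that they end exactly at an inaccessible guard page and runs memcpy and memcmp over every length up to max_len, so an over-read or over-write faults instead of passing silently.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example; helper names are hypothetical.  Map two pages and make
   the second inaccessible, so any access past the first page faults.
   Returns the address of the guard page (one past the usable bytes). */
static unsigned char *map_with_guard(size_t page)
{
    unsigned char *p = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p + page, page, PROT_NONE) != 0)
        return NULL;
    return p + page;
}

/* Returns the number of mismatches against a byte-wise reference
   (0 = pass, -1 = setup failure).  A routine that touches memory past
   the buffer end raises SIGSEGV rather than returning a count. */
int check_page_boundary(size_t max_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *src_end = map_with_guard(page);
    unsigned char *dst_end = map_with_guard(page);
    int bad = 0;

    if (!src_end || !dst_end || max_len > page)
        return -1;
    for (size_t len = 0; len <= max_len; len++) {
        unsigned char *src = src_end - len, *dst = dst_end - len;
        for (size_t i = 0; i < len; i++) {
            src[i] = (unsigned char)(i * 7 + len);
            dst[i] = 0;
        }
        memcpy(dst, src, len);
        for (size_t i = 0; i < len; i++)
            bad += dst[i] != src[i];
        bad += memcmp(dst, src, len) != 0;
        if (len) {                      /* differ only in the last byte */
            dst[len - 1] ^= 0x80;
            bad += memcmp(dst, src, len) == 0;
        }
    }
    return bad;
}
```

Building with -fno-builtin keeps the compiler from substituting its own inline expansions, so the calls reach the libc routines under test.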