This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary

            Bug ID: 15674
           Summary: __memcmp_ssse3 tries to read past the array bounary
           Product: glibc
           Version: 2.18
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: ronis at google dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7093
patch for glibc/string/test-memcmp.c


The bug occurrs when "memcmp(s1, s2, 72)" calls __memcmp_ssse3, and when (s1 +
72) coinsides with a page boundary.

The instruction 

mov    -9(%rdi), %eax

in __memcmp_ssse3 () at ../sysdeps/x86_64/multiarch/memcmp-ssse3.S:1467 causes
a segmentation fault.

Example: the page is at the address range 0x2000 - 0x3000, s1=(0x3000 - 72),
and the next page is mprotected with PROT_NONE. $rdi=0x3008, and the "mov"
instruction tries to read 4 bytes starting at 0x3008-9, crossing the boundary.

The test case fails for the number of array sizes (72 is just one of them).
Other sizes are 48, 65-75, etc. 

The reported glibc version is 2.18, but the same issue occurs in 2.15.

How to reproduce:

(1) Modify glibc/string/test-memcmp.c (the patch is attached)

(2) Run "env LANGUAGE=C LC_ALL=C make check"

test-memcmp-ifunc will fail with segfault. In string/test-memcmp-ifunc.out:

check2: length=48, simple_memcmp
check2: length=48, __memcmp_sse4_1
check2: length=48, __memcmp_ssse3

Thank you.


You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]