This is the mail archive of the
mailing list for the glibc project.
[Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary
- From: "ronis at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 25 Jun 2013 00:20:31 +0000
- Subject: [Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary
- Auto-submitted: auto-generated
Bug ID: 15674
Summary: __memcmp_ssse3 tries to read past the array bounary
Assignee: unassigned at sourceware dot org
Reporter: ronis at google dot com
CC: drepper.fsp at gmail dot com
Created attachment 7093
patch for glibc/string/test-memcmp.c
The bug occurrs when "memcmp(s1, s2, 72)" calls __memcmp_ssse3, and when (s1 +
72) coinsides with a page boundary.
mov -9(%rdi), %eax
in __memcmp_ssse3 () at ../sysdeps/x86_64/multiarch/memcmp-ssse3.S:1467 causes
a segmentation fault.
Example: the page is at the address range 0x2000 - 0x3000, s1=(0x3000 - 72),
and the next page is mprotected with PROT_NONE. $rdi=0x3008, and the "mov"
instruction tries to read 4 bytes starting at 0x3008-9, crossing the boundary.
The test case fails for the number of array sizes (72 is just one of them).
Other sizes are 48, 65-75, etc.
The reported glibc version is 2.18, but the same issue occurs in 2.15.
How to reproduce:
(1) Modify glibc/string/test-memcmp.c (the patch is attached)
(2) Run "env LANGUAGE=C LC_ALL=C make check"
test-memcmp-ifunc will fail with segfault. In string/test-memcmp-ifunc.out:
check2: length=48, simple_memcmp
check2: length=48, __memcmp_sse4_1
check2: length=48, __memcmp_ssse3
You are receiving this mail because:
You are on the CC list for the bug.