This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug stdio/22703] New: sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)
- From: "faragon.github at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 11 Jan 2018 22:38:43 +0000
- Subject: [Bug stdio/22703] New: sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22703
Bug ID: 22703
Summary: sprintf "%ls": uninitialized memory access because of
using SSE 4.1 (__wcsnlen_sse4_1)
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: stdio
Assignee: unassigned at sourceware dot org
Reporter: faragon.github at gmail dot com
Target Milestone: ---
The uninitialized memory access comes from the internal function
__wcsnlen_sse4_1 (using SSE 4.1 on x86_64), both with and without optimizations
-O0/-O3). I've found it with a Valgrind test that reported an error after
updating the build machine from Ubuntu 16.04 to Ubuntu 17.10 (GCC 7.2.0, ldd
--version shows "Ubuntu GLIBC 2.26-0ubuntu2"). Actual behavior seems "right",
but because of Valgrind reporting conditional behavior based on uninitialized
memory, I've set the severity to critical.
Valgrind output:
$ uname -a
Linux luna 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux
$ gcc -O0 -ggdb sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22373== Conditional jump or move depends on uninitialised value(s)
==22373== at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22373== by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22373== by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22373== by 0x4EB513D: vsprintf (iovsprintf.c:42)
==22373== by 0x4E98FA3: sprintf (sprintf.c:32)
==22373== by 0x108833: main (sprintf_bug.c:13)
==22373== Uninitialised value was created by a heap allocation
==22373== at 0x4C2FB0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22373== by 0x1087ED: main (sprintf_bug.c:9)
(...)
$ gcc -O3 sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22707== Conditional jump or move depends on uninitialised value(s)
==22707== at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22707== by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22707== by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22707== by 0x4F60A8A: __vsprintf_chk (vsprintf_chk.c:82)
==22707== by 0x4F609B9: __sprintf_chk (sprintf_chk.c:31)
==22707== by 0x108757: main (in /r0/done/repos/mlibsrt/a.out)
(...)
Source code for reproducing the bug:
$ cat sprintf_bug.c
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <wchar.h>
int main()
{
char tmp[4096];
wchar_t *hello_bug = (wchar_t *)malloc(sizeof(wchar_t) * 4096);
if (!hello_bug)
return 1;
wcscpy(hello_bug, L"Hello bug!");
sprintf(tmp, "%ls", hello_bug); /* <-- Valgrind blames this */
printf("%s\n", tmp);
free(hello_bug);
return 0;
}
--
You are receiving this mail because:
You are on the CC list for the bug.