This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary
- From: "ronis at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 25 Jun 2013 00:20:31 +0000
- Subject: [Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=15674
Bug ID: 15674
Summary: __memcmp_ssse3 tries to read past the array bounary
Product: glibc
Version: 2.18
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: ronis at google dot com
CC: drepper.fsp at gmail dot com
Created attachment 7093
--> http://sourceware.org/bugzilla/attachment.cgi?id=7093&action=edit
patch for glibc/string/test-memcmp.c
Hello,
The bug occurrs when "memcmp(s1, s2, 72)" calls __memcmp_ssse3, and when (s1 +
72) coinsides with a page boundary.
The instruction
mov -9(%rdi), %eax
in __memcmp_ssse3 () at ../sysdeps/x86_64/multiarch/memcmp-ssse3.S:1467 causes
a segmentation fault.
Example: the page is at the address range 0x2000 - 0x3000, s1=(0x3000 - 72),
and the next page is mprotected with PROT_NONE. $rdi=0x3008, and the "mov"
instruction tries to read 4 bytes starting at 0x3008-9, crossing the boundary.
The test case fails for the number of array sizes (72 is just one of them).
Other sizes are 48, 65-75, etc.
The reported glibc version is 2.18, but the same issue occurs in 2.15.
How to reproduce:
(1) Modify glibc/string/test-memcmp.c (the patch is attached)
(2) Run "env LANGUAGE=C LC_ALL=C make check"
test-memcmp-ifunc will fail with segfault. In string/test-memcmp-ifunc.out:
.....
check2: length=48, simple_memcmp
check2: length=48, __memcmp_sse4_1
check2: length=48, __memcmp_ssse3
Thank you.
Roni.
--
You are receiving this mail because:
You are on the CC list for the bug.