Bug 13592 - x86_64 memset buggy with large sizes
Summary: x86_64 memset buggy with large sizes
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.15
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-12 14:34 UTC by Michael Matz
Modified: 2014-06-27 11:13 UTC
CC: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments
Patch for the problem (493 bytes, patch)
2012-01-12 14:36 UTC, Michael Matz

Description Michael Matz 2012-01-12 14:34:22 UTC
This problem seems to have existed since the x86_64 variant of memset was
improved years ago (certainly 2.11 already has the problem, as well as current
git).  There are several signed compares of the size argument, whereas
it really is unsigned.  Depending on the situation, e.g. a "memset(ptr, 0, -1)"
segfaults (but for the wrong reasons, because it jumps into nirvana) or
even succeeds.

In normal use this is harmless, as a size with the sign bit set indicates more than
half the address space, which on x86_64 is impossible to allocate, but as the
size is used to index some jump tables this could potentially have other
unwanted side effects.
Comment 1 Michael Matz 2012-01-12 14:36:04 UTC
Created attachment 6158
Patch for the problem

This should fix the problems.
Comment 2 Andreas Jaeger 2012-04-05 08:56:42 UTC
Thanks for the patch, submitted to git