Bug 15583 - r7 uninitialized in ports/sysdeps/arm/armv6/strcpy.S when ARM_HAS_T2 undefined
Summary: r7 uninitialized in ports/sysdeps/arm/armv6/strcpy.S when ARM_HAS_T2 undefined
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: ports
Version: unspecified
Importance: P2 normal
Target Milestone: 2.18
Assignee: Richard Henderson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-05 18:06 UTC by Chris
Modified: 2014-06-13 15:10 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description Chris 2013-06-05 18:06:58 UTC
The version of strcpy.S for ARM uses the following to initialize a value in r7 to detect end-of-string.

        @ Subtracting (unsigned saturating) from 1 for any byte means result
        @ of 1 for any byte that was originally zero and 0 otherwise.
        @ Therefore we consider the lsb of each byte the "found" bit.
#ifdef ARCH_HAS_T2
        movw    r7, #0x0101
        tst     r0, #3                  @ Test alignment of DEST
        movt    r7, #0x0101
#else
        ldr     ip, =0x01010101
        tst     r0, #3
#endif

If ARCH_HAS_T2 is not defined, then ip (r12) gets initialized rather than r7.  The subsequent code will then attempt to use the uninitialized value in r7, which can cause strcpy() to walk past the end of the string.
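The end-of-string detection the comment describes, modelled in C as an added example (not glibc's code): uqsub8 here stands in for ARM's per-byte unsigned saturating subtract, the and-with-`ones` check is an assumption about how the "found" bit is tested, and a stale value of 0 stands in for the uninitialized r7, to show why the scan never stops at the terminator.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the ARM per-byte unsigned saturating subtract (UQSUB8): each
   byte of the result is max(a_byte - b_byte, 0). */
static uint32_t uqsub8(uint32_t a, uint32_t b)
{
    uint32_t r = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t x = (a >> (8 * i)) & 0xffu;
        uint32_t y = (b >> (8 * i)) & 0xffu;
        r |= (x > y ? x - y : 0u) << (8 * i);
    }
    return r;
}

/* Scan a buffer one 32-bit word at a time, as strcpy.S does, and return the
   index of the first word in which the "found" bit test fires, or -1 if no
   word within nwords is flagged (the copy would walk past the buffer).
   `ones` plays the role of r7; the correct value is 0x01010101.  Assumption:
   the found-bit check is modelled as (uqsub8(ones, word) & ones) != 0. */
static int find_terminator_word(const uint8_t *buf, size_t nwords, uint32_t ones)
{
    for (size_t i = 0; i < nwords; i++) {
        uint32_t w;
        memcpy(&w, buf + 4 * i, sizeof w);   /* alignment-safe word load */
        if (uqsub8(ones, w) & ones)
            return (int)i;
    }
    return -1;
}

/* Constructed sample: a 7-char string, its NUL, then non-zero padding that
   stands in for whatever happens to follow the string in memory. */
static const uint8_t sample[16] = {
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 0,
    'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X'
};

int main(void)
{
    /* r7 correctly initialized: the terminator is found in word 1. */
    printf("r7=0x01010101: word %d\n", find_terminator_word(sample, 4, 0x01010101u));
    /* Stale r7 holding 0: no word is ever flagged, so the copy runs off the
       end of the string exactly as the report describes. */
    printf("r7=0x00000000: word %d\n", find_terminator_word(sample, 4, 0u));
    return 0;
}
```

Other stale values fail the other way: with `ones` = 0xffffffff every word is flagged and the copy stops at word 0, so the behaviour depends entirely on whatever r7 happened to hold.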
Comment 1 jsm-csl@polyomino.org.uk 2013-06-05 20:04:04 UTC
Richard, this is your strcpy implementation....
Comment 2 Richard Henderson 2013-06-05 21:12:08 UTC
Oops, a clear bug introduced during code rearrangements.
Comment 3 Richard Henderson 2013-06-05 22:53:01 UTC
Fix committed: ecdaa7c9207615a1dc5882560095389a18b1e2ca