This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
- From: "liubov.dmitrieva at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Thu, 22 Dec 2011 11:48:51 +0000
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=13540
Bug #: 13540
Summary: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
Product: glibc
Version: unspecified
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: liubov.dmitrieva@gmail.com
Classification: Unclassified
Created attachment 6128
--> http://sourceware.org/bugzilla/attachment.cgi?id=6128
Test case.
I have a test case that reproduces a bug in the ssse3 strcpy, strncpy, stpncpy,
stpcpy, strcat, strncat optimized routines for x86_32.
Test build command:
-- gcc test.c glibc/sysdeps/i386/i686/multiarch/strncpy-ssse3.S -odo -m32 -lpthread -std=c99 -I.
Running (Segmentation Fault if parameter < 4):
-bash-4.2$ ./do 3 > /dev/null
Segmentation fault
-bash-4.2$ ./do 0 > /dev/null
Segmentation fault
The root cause of the problem is the strncpy() algorithm. It uses the destination
memory beyond the string end for a 16-byte load, puts changes into the part that
is relevant to the destination string and writes the whole 16-byte chunk into memory.
For this particular test the memory beyond the string end contains malloc/free
data, which appear corrupted in case free() updates them in between the 16-byte
read and the 16-byte write.
The test calls strncpy but the bug is common, since all of strcpy, strncpy,
stpncpy, stpcpy, strcat, strncat use a shared algorithm from the
glibc/sysdeps/i386/i686/multiarch/strcpy-ssse3.S file.
I have a patch that fixes the issue (I redeveloped the algorithm for the last bytes in
the /i386/i686/multiarch/strcpy-ssse3.S file) and send it to
libc-alpha@sourceware.org.
--
Liubov Dmitrieva
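
The lost-update pattern described in the report, as an added C model that is not part of the original message, the attached test case or the glibc patch. It is single-threaded and deterministic: the hypothetical `racer` hook stands in for the concurrent free(), all function names and the buffer contents are constructed, and the byte-exact tail is one assumed way to avoid the problem, not the fix the reporter submitted.

```c
#include <stddef.h>
#include <string.h>

#define CHUNK 16  /* width of one SSE load/store */

/* Hypothetical hook: stands in for another thread (free() in the report)
   updating the bytes just past the destination string. */
typedef void (*neighbour_update)(unsigned char *past_end);

/* Constructed stand-in for a free() that rewrites allocator metadata. */
static void fake_free(unsigned char *past_end) { memset(past_end, 0xAA, 4); }

/* Pattern from the report: load 16 bytes of dst, patch in the n string
   bytes, store all 16 back. `racer` fires between the load and the store. */
static void tail_store_rmw(unsigned char *dst, const char *src, size_t n,
                           neighbour_update racer)
{
    unsigned char chunk[CHUNK];
    memcpy(chunk, dst, CHUNK);   /* load includes bytes past dst + n */
    memcpy(chunk, src, n);       /* only the first n bytes belong to us */
    racer(dst + n);              /* neighbour changes its own bytes */
    memcpy(dst, chunk, CHUNK);   /* store puts the stale copy back */
}

/* Byte-exact tail: never writes past dst + n, so there is nothing to lose. */
static void tail_store_exact(unsigned char *dst, const char *src, size_t n,
                             neighbour_update racer)
{
    racer(dst + n);
    memcpy(dst, src, n);
}

/* Returns 1 if the neighbour's update is still intact after the copy,
   0 if it was overwritten, -1 if the string itself was not copied. */
int neighbour_update_survives(int use_rmw)
{
    unsigned char arena[2 * CHUNK];
    memset(arena, 0x11, sizeof arena);   /* constructed "heap" contents */
    if (use_rmw)
        tail_store_rmw(arena, "abc", 4, fake_free);
    else
        tail_store_exact(arena, "abc", 4, fake_free);
    if (memcmp(arena, "abc", 4) != 0)
        return -1;
    return arena[4] == 0xAA && arena[7] == 0xAA;
}
```

Both variants copy the string correctly; only the 16-byte read-modify-write silently reverts the neighbour's bytes, which is why the failure shows up later in malloc/free rather than in the string routine.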