Bug 17279

Summary:	strncat(..., ..., SIZE_MAX) behaves incorrectly
Product:	glibc	Reporter:	Xavier Roche <roche>
Component:	string	Assignee:	Not yet assigned to anyone <unassigned>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	adhemerval.zanella, drepper.fsp, gulsenenginar, mark, mehmetgelisin, mervegunesli, ucelsanicin
Priority:	P2	Flags:	fweimer: security-
Version:	2.19
Target Milestone:	---
Host:		Target:
Build:		Last reconfirmed:
Attachments:	Test case

Description Xavier Roche 2014-08-16 09:58:17 UTC

Created attachment 7749 [details]
Test case

Using SIZE_MAX as third argument to strncat() should behave as if strcat() was used.

According to POSIX (http://pubs.opengroup.org/onlinepubs/009695399/functions/strncat.html),

"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1."

The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination do not overlap (overlapping depends on the source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value.

The culprit might be in the sysdeps/x86_64/multiarch/strcat-sse2-unaligned.S source file (see https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strcat-sse2-unaligned.S;h=dc782f2c2370915f74673ff8184e5f2eaf2795db;hb=HEAD)

See also the comp.unix.programmer related discussion, with a possible location of the bug in the assembly source:
https://groups.google.com/forum/#!topic/comp.unix.programmer/qKMC4A_itLs

Comment 1 Adhemerval Zanella 2016-10-25 12:02:31 UTC

Marking as duplicate of BZ#19390.

*** This bug has been marked as a duplicate of bug 19390 ***

Comment 2 Ucel Sani 2021-08-10 11:45:03 UTC Comment hidden (spam)

https://komiya-dental.com/
http://steemfilter.space/
http://michielleunens.tech/
http://sleepypoetstuff.website/
http://biciclubvalencia.website/
http://reputation-management.site/
http://pitesti.online/
http://tobuweb.space/
http://ancientmariners.online/
http://betwsycoednet.online
http://kuzin.website
http://kundaliniyoga.tech
http://localpay.tech
http://my-iframe.online
http://getimov.xyz/
http://ooviv.xyz/
http://mirei.xyz
http://toblek.xyz/
http://sevenwonders.store
http://peralga.xyz/
https://texastourgear.live
http://freixenet.site/influencerprogramme/
http://timvanorden.store/
http://rhee.tech/
http://f3group.online/
https://www.hlungomare.store/
https://www.lungomarebikehotel.store
http://www.lvmaimai.xyz/
https://sozdanie.site/
http://agens128.site/
http://troubadourtunes.online/
http://ruirui.store/
http://www.foamhands.store/
http://www.i-obchody.info/
http://naughtyrobot.digital/
https://www.webb-dev.co.uk/
https://waytowhatsnext.com/
https://www.bilanmagazine.com/
https://www.web-mediaplacing.com/
https://fitnessblog.fr/
https://cbd-huile-blog.fr/
https://www.laptopkerja.com/
https://www.espresso-international.eu/
https://www.espresso-international.be
https://www.espresso-international.gr
https://besthotels.wiki
https://www.cherada.net/opus/verified-gmail-accounts
https://www.cherada.net/opus/10000-visitas-a-tu-video-en-youtube
https://www.cherada.net/opus/100-backlinks-en-comentarios-de-blog-a-la-medida
https://redwinecasino.com/
https://sharkcasinogames.com/
https://redbettips.com/
https://windows11iso.com/

Comment 3 Mehmet gelisin 2021-09-10 19:36:49 UTC Comment hidden (spam)

In collect_register() function of arc-linux-tdep.c, the "eret"
(exception return) register value is not being reported correctly.

Background: https://komiya-dental.com/ 
When asked for the "pc" value, we have to update the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so:

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch))
    regnum = ARC_ERET_REGNUM;
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------

Root cause: http://www.iu-bloomington.com/
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore.

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses after the breakpoint and not executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1]. https://www.webb-dev.co.uk/ 

In collect_register() function of arc-linux-tdep.c, the "eret"
(exception return) register value is not being reported correctly.

Background: https://waytowhatsnext.com/  
When asked for the "pc" value, we have to update the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so:

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch))
    regnum = ARC_ERET_REGNUM; http://www.acpirateradio.co.uk/ 
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------

Root cause:
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore. http://www.logoarts.co.uk/ 

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses after the breakpoint and not executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1].
In collect_register() function of arc-linux-tdep.c, the "eret" http://www.slipstone.co.uk/ 
(exception return) register value is not being reported correctly.

Background:
When asked for the "pc" value, http://embermanchester.uk/  we have to update the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so: http://connstr.net/ 

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch)) http://joerg.li/
    regnum = ARC_ERET_REGNUM;
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------
http://www.jopspeech.com/
Root cause:
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore. http://www.wearelondonmade.com/

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses http://www.compilatori.com/  after the breakpoint and not executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1]. http://www-look-4.com/

Comment 4 Merve Gunesli 2021-09-22 16:58:21 UTC Comment hidden (spam)

http://www.acpirateradio.co.uk/category/computers/
http://www.logoarts.co.uk/category/travel/
http://embermanchester.uk/category/travel/
http://connstr.net/computers/latest-car-deals/
http://www.jopspeech.com/category/travel/
http://www.wearelondonmade.com/category/property/
http://www.compilatori.com/travel/london/

Comment 5 Gulsen Engin 2021-10-09 11:00:11 UTC Comment hidden (spam)

"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1." http://www-look-4.com/category/technology/

The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), https://komiya-dental.com/health/healthy-foods/ and both source and destination do not overlap (overlapping depends on the source and destination layout, not on the "n" value) http://www.iu-bloomington.com/computers/invisible-with-vpn/

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value. https://waytowhatsnext.com/sports/navona/
"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1."
https://www.webb-dev.co.uk/sports/sports-and-health/
The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination http://www.wearelondonmade.com/category/tech/ do not overlap (overlapping depends on the source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value. http://www.jopspeech.com/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1."
http://joerg.li/category/technology/
The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination do not http://connstr.net/category/technology/ overlap (overlapping depends on the source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value. http://embermanchester.uk/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1."
 http://www.slipstone.co.uk/category/technology/
The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination do not overlap http://www.logoarts.co.uk/category/technology/ (overlapping depends on the source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value. http://www.acpirateradio.co.uk/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1." http://www.compilatori.com/category/technology/

The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination do not overlap (overlapping depends on the source and destination layout, not on the "n" value) 

However, it seems that the optimized strncat version of the GLIBC behaves incorrectly, when using this value.

Comment 6 Joey Kim 2021-11-08 08:08:20 UTC Comment hidden (spam)

The wording imply that the third "n" argument is an additional boundary limit, not the destination buffer capacity (ie. the destination buffer is not implicitly SIZE_MAX), and both source and destination do not overlap (overlapping depends on the source and destination layout, not on the "n" value) https://www.worcesterroofingandsiding.com