Bug 16885 - strcmp() on sparc64 can return wrong result
Summary: strcmp() on sparc64 can return wrong result
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: 2.18
: P2 normal
Target Milestone: ---
Assignee: David S. Miller
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-29 19:48 UTC by Patrick Baggett
Modified: 2015-01-30 08:46 UTC (History)
3 users (show)

See Also:
Host:
Target: sparc64
Build:
Last reconfirmed:
fweimer: security+


Attachments
Fix for v9/64-bit sparc strcmp bug. (1.17 KB, patch)
2014-04-30 20:03 UTC, David S. Miller
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Baggett 2014-04-29 19:48:13 UTC
In 2011, strcmp() was rewritten for sparc64 to be faster in ad69cc2652c0422ebac3296d914c25e470498ce1 by David S. Miller. However, there is a particularly strange case where it can return the wrong value: if the bytes after the last bytes being compared are both zero.

e.g.

char a[2] = { 0, 0 };
char b[2] = { 1, 0 };

printf("%d", strcmp(a,b));

This should print "-1" because the first byte differs by 1. The second byte should not be examined. However, it erroneously prints "0". Changing either a[1] or b[1] to a non-zero value causes the "-1" to be correctly returned. For example, this returns the correct value of -1:

char a[2] = { 0, 0xaa };
char b[2] = { 1, 0 };

printf("%d", strcmp(a,b));
Comment 1 David S. Miller 2014-04-30 20:03:24 UTC
Created attachment 7570 [details]
Fix for v9/64-bit sparc strcmp bug.
Comment 2 cvs-commit@gcc.gnu.org 2014-05-01 19:15:51 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  5331255b6eeafa74865b2e6af627cb712c41dafd (commit)
      from  4fdfe821e20a70670b3d03deb2abed5d8c83e51b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5331255b6eeafa74865b2e6af627cb712c41dafd

commit 5331255b6eeafa74865b2e6af627cb712c41dafd
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 3 cvs-commit@gcc.gnu.org 2014-05-01 20:19:49 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.15/master has been updated
       via  df137ce8ce4ed11dd4e5efd724c1d249493fb9af (commit)
      from  d9ba4bd3ea5f4c004d8894120e2613a9518a88d6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df137ce8ce4ed11dd4e5efd724c1d249493fb9af

commit df137ce8ce4ed11dd4e5efd724c1d249493fb9af
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 4 cvs-commit@gcc.gnu.org 2014-05-01 20:21:52 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.16/master has been updated
       via  6427ccf5a004a70d8308bdadc46c7da3ac43932c (commit)
      from  e9586e58a55ea2a22b899bbb3adb5364f4b6596b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6427ccf5a004a70d8308bdadc46c7da3ac43932c

commit 6427ccf5a004a70d8308bdadc46c7da3ac43932c
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 5 cvs-commit@gcc.gnu.org 2014-05-01 20:23:32 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.17/master has been updated
       via  726978490fe8a26a1343ac314d00dd48924a1799 (commit)
      from  cec24099fb06c785b89119aab93940312c2949ba (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=726978490fe8a26a1343ac314d00dd48924a1799

commit 726978490fe8a26a1343ac314d00dd48924a1799
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 6 cvs-commit@gcc.gnu.org 2014-05-01 20:24:35 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.18/master has been updated
       via  bc273d38b147d67668e92a8f39dd696e28695c30 (commit)
      from  d680656b61891159d21a535f38219cf01d5edeea (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc273d38b147d67668e92a8f39dd696e28695c30

commit bc273d38b147d67668e92a8f39dd696e28695c30
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 7 cvs-commit@gcc.gnu.org 2014-05-01 20:25:44 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  eec993cb1a38c0b35fa225adb481165fb7491f5b (commit)
      from  ffe768a90912f9bce43b70a82576b3dc99e3121c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eec993cb1a38c0b35fa225adb481165fb7491f5b

commit eec993cb1a38c0b35fa225adb481165fb7491f5b
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 30 12:57:51 2014 -0700

    Fix v9/64-bit strcmp when string ends in multiple zero bytes.
    
    	[BZ #16885]
    	* sysdeps/sparc/sparc64/strcmp.S: Fix end comparison handling when
    	multiple zero bytes exist at the end of a string.
    	Reported by Aurelien Jarno <aurelien@aurel32.net>
    
    	* string/test-strcmp.c (check): Add explicit test for situations where
    	there are multiple zero bytes after the first.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |   10 ++++++++++
 string/test-strcmp.c           |   28 ++++++++++++++++++++++++++++
 sysdeps/sparc/sparc64/strcmp.S |   31 +++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
Comment 8 David S. Miller 2014-05-01 21:01:55 UTC
Fixed in mainline and all branches that contain the bug all the way back to 2.15
Comment 9 Florian Weimer 2015-01-30 08:46:52 UTC
Treating non-equal strings as equal seems likely to introduce security bugs in applications (think password comparisons), so I'm flagging this as security+.