Bug 20971 - powerpc64/power7 memchr overflows internal pointer check
Summary: powerpc64/power7 memchr overflows internal pointer check
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: string
Version: 2.13
Importance: P2 normal
Target Milestone: 2.25
Assignee: Adhemerval Zanella
URL:
Keywords:
Depends on:
Blocks:
Reported: 2016-12-15 11:53 UTC by Adhemerval Zanella
Modified: 2017-01-25 15:21 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments

Description Adhemerval Zanella 2016-12-15 11:53:20 UTC
On POWER7 memchr.S:

ENTRY (__memchr)
        CALL_MCOUNT 3
        dcbt    0,r3
        clrrdi  r8,r3,3
        insrdi  r4,r4,8,48
        add     r7,r3,r5      /* Calculate the last acceptable address.  */

The r7 addition should handle overflow; otherwise the pointer check in the code may fail, resulting in wrong output.  A simple test triggers the issue:

--
#define _GNU_SOURCE 1
#include <string.h>
#include <stdio.h>

/* rawmemchr expressed through memchr: the (size_t)-1 length is what
   makes the r3 + r5 addition in the POWER7 implementation overflow.  */
void *
my_rawmemchr (const void *s, int c)
{
  if (c != '\0')
    return memchr (s, c, (size_t)-1);
  return (char *)s + strlen (s);
}

int main (void)
{
  // p=0x3fffb057fe00 | align=10
  int seek_char = 0x41;
  size_t align = 10;
  unsigned char input [32];
  /* Bytes from the misaligned start up to the sought byte are all set,
     so the scan never reads uninitialised memory before it should stop.  */
  input[10] = 0x34;
  input[11] = 0x78;
  input[12] = 0x3d;
  input[13] = 0x7b;
  input[14] = 0xa1;
  input[15] = seek_char;

  /* Both calls should print the address of input[15].  */
  printf ("%p\n", my_rawmemchr (input+align, seek_char));
  printf ("%p\n", rawmemchr (input+align, seek_char));
  return 0;
}
--
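The failure mode in the report can be shown without POWER7 hardware. The following C program is an added illustration, not glibc's code or the fix in the referenced commit: `end_first_memchr` models the defect (the scan limit is formed as `s + n` before scanning, like `add r7,r3,r5`, with the arithmetic done on `uintptr_t` so the wrap is defined and observable), and `clamped_memchr` is one hypothetical hardening that clamps `n` to the bytes remaining in the address space before forming the limit. The buffer contents are constructed from the bytes in the bug's test case; the function names and the clamp are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the reported defect: the limit is computed up front as s + n.
   With n == SIZE_MAX the sum wraps to s - 1, the loop runs zero times and
   the byte that is really present is never found (NULL is returned). */
void *end_first_memchr(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    uintptr_t limit = (uintptr_t)s + n;   /* wraps if s + n exceeds UINTPTR_MAX */
    while ((uintptr_t)p < limit) {
        if (*p == (unsigned char)c)
            return (void *)p;
        p++;
    }
    return NULL;
}

/* Hypothetical hardened model: clamp n to the bytes that remain before the
   address space wraps, so the limit can never fall below s.  This is an
   illustration written for this page, not the glibc patch. */
void *clamped_memchr(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    uintptr_t avail = UINTPTR_MAX - (uintptr_t)s;  /* bytes before the address wraps */
    if (n > avail)
        n = (size_t)avail;
    uintptr_t limit = (uintptr_t)s + n;            /* now <= UINTPTR_MAX, cannot wrap */
    while ((uintptr_t)p < limit) {
        if (*p == (unsigned char)c)
            return (void *)p;
        p++;
    }
    return NULL;
}

/* Constructed sample buffer using the bytes from the bug's test case.
   demo_setup() returns the misaligned start (offset 10) the report scans from. */
unsigned char demo_input[32];

const unsigned char *demo_setup(void)
{
    memset(demo_input, 0, sizeof demo_input);
    demo_input[10] = 0x34;
    demo_input[11] = 0x78;
    demo_input[12] = 0x3d;
    demo_input[13] = 0x7b;
    demo_input[14] = 0xa1;
    demo_input[15] = 0x41;   /* the byte both scans should find */
    return demo_input + 10;
}

int main(void)
{
    const unsigned char *start = demo_setup();
    /* rawmemchr-style call: "no length limit" expressed as SIZE_MAX */
    printf("end-first: %p\n", end_first_memchr(start, 0x41, SIZE_MAX));
    printf("clamped:   %p\n", clamped_memchr(start, 0x41, SIZE_MAX));
    printf("expected:  %p\n", (void *)(demo_input + 15));
    return 0;
}
```

The point to take from the model is that a limit computed as "start plus length" must be guarded against wrapping whenever the caller may pass a length that exceeds the remaining address space, as rawmemchr's `(size_t)-1` does; a length-counted loop, or a clamp like the one above, removes the dependency on the sum staying in range.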
Comment 1 Adhemerval Zanella 2016-12-19 18:06:43 UTC
Fixed by b224637.
Comment 2 Florian Weimer 2017-01-25 15:21:30 UTC
Setting security- until demonstrated application security impact.