This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
BZ#13592: Fix x86-64 memset
- From: Andreas Jaeger <aj at suse dot com>
- To: libc-alpha at sourceware dot org
- Date: Mon, 26 Mar 2012 12:13:08 +0200
- Subject: BZ#13592: Fix x86-64 memset
From bugzilla:
"This problem seems to exist since the x86_64 variant of memset was
improved years ago (certainly 2.11 already has the problem, as well as
current git). There are several signed compares of the size argument,
whereas it really is unsigned. Depending on situations e.g. a "memset(ptr,
0, -1)" segfaults (but for the wrong reasons, because jumping into nirvana)
or even succeeds.
In normal use this is harmless, as a size with the sign bit set indicates more
than half the address space, which on x86_64 is impossible to allocate, but
as the size is used to index some jump tables this potentially could have
other unwanted side effects."
Ok to commit (I'll change the copyright header before commit)?
This was tested on x86-64,
Andreas
2012-03-26 Andreas Jaeger <aj@suse.de>
* sysdeps/x86_64/memset.S: Fix size parameter comparisons.
Patch by Michael Matz <matz@suse.de>
Index: sysdeps/x86_64/memset.S
===================================================================
--- sysdeps/x86_64/memset.S.orig 2011-11-14 16:28:28.000000000 +0100
+++ sysdeps/x86_64/memset.S 2012-01-12 14:27:48.000000000 +0100
@@ -53,7 +53,7 @@ L(ck2):
imul %r9,%rdx
L(now_dw_aligned):
cmp $0x90,%r8
- jg L(ck_mem_ops_method)
+ ja L(ck_mem_ops_method)
L(now_dw_aligned_small):
add %r8,%rdi
#ifndef PIC
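Review bot: `ja` is the right replacement for `jg` after `cmp $0x90,%r8`, since %r8 holds the size_t count and `jg` reads the compare result as signed, sending any count with bit 63 set down L(now_dw_aligned_small), which then does `add %r8,%rdi` and dispatches through a jump table indexed by that count. Consider a one-line comment at the `cmp` saying the count is unsigned, so the signed form is not reintroduced the next time this code is touched.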
@@ -605,7 +605,7 @@ L(aligned_now):
punpcklqdq %xmm0,%xmm0
cmp $0xb0,%r8 # 176
- jge L(byte32sse2_pre)
+ jae L(byte32sse2_pre)
add %r8,%rdi
# ifndef PIC
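Review bot: `jae` matches the intent of the `# 176` comment (take L(byte32sse2_pre) when the count is at least 0xb0); with the old `jge` a count with bit 63 set would instead have fallen through to `add %r8,%rdi` and the PIC-dependent table lookup meant for small sizes. No further change needed here.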
@@ -865,7 +865,7 @@ L(byte32sse2_pre):
mov __x86_64_shared_cache_size(%rip),%r9d # The largest cache size
cmp %r9,%r8
- jg L(sse2_nt_move_pre)
+ ja L(sse2_nt_move_pre)
#jmp L(byte32sse2)
.balign 16
L(byte32sse2):
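Review bot: `ja` is correct here for a reason worth a comment: `mov __x86_64_shared_cache_size(%rip),%r9d` zero-extends the 32-bit cache size into %r9, so an unsigned compare against the full 64-bit %r8 is well defined, whereas the old `jg` would have treated any count with bit 63 set as smaller than the cache size and kept it on the cached-store loop L(byte32sse2) instead of L(sse2_nt_move_pre).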
@@ -881,7 +881,7 @@ L(byte32sse2):
movdqa %xmm0,0x70(%rdi)
lea 0x80(%rdi),%rdi
- jge L(byte32sse2)
+ jae L(byte32sse2)
add %r8,%rdi
# ifndef PIC
lea L(SSExDx)(%rip),%r11
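Review bot: the instruction that sets the flags consumed by this `jae` lies outside the hunk context; `lea 0x80(%rdi),%rdi` does not modify flags, so the condition comes from whatever updates %r8 above the stores. Please double-check that it is a `sub` (or `cmp`) on the remaining count, so that `jae` (CF=0) means "at least 0x80 bytes left" exactly as `jge` was meant to; if the count were updated by an instruction that leaves CF stale, the loop exit condition would silently change.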
@@ -915,7 +915,7 @@ L(sse2_nt_move):
movntdq %xmm0,0x70(%rdi)
lea 0x80(%rdi),%rdi
- jge L(sse2_nt_move)
+ jae L(sse2_nt_move)
sfence
add %r8,%rdi
# ifndef PIC
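Review bot: same point as the preceding loop: the flags for this `jae` are produced above the shown context, not by `lea`, so confirm the producer is a `sub`/`cmp` on the remaining count before relying on CF. The unchanged `sfence` after the loop exit is still required for the `movntdq` stores and correctly stays outside the loop.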
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
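To make the effect of the signed-versus-unsigned branches concrete, here is a small C model of the three size checks the patch touches, evaluated once with the jg/jge conditions the patch removes and once with the ja/jae conditions it adds. This is an added example, not code from the glibc patch or from Michael Matz; the cache size is a constructed stand-in for __x86_64_shared_cache_size, and the code between the three checks is not modelled.

```c
/* Added example, not part of the glibc patch.  Models the three compares on
 * %r8 (the size_t count) in sysdeps/x86_64/memset.S.  Each field reports
 * whether that branch would be taken if it were reached with %r8 == n.
 * CACHE_SIZE is a constructed stand-in for __x86_64_shared_cache_size. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SMALL_LIMIT  ((size_t)0x90)      /* cmp $0x90,%r8 ; j? L(ck_mem_ops_method) */
#define SSE32_LIMIT  ((size_t)0xb0)      /* cmp $0xb0,%r8 ; j? L(byte32sse2_pre)    */
#define CACHE_SIZE   ((size_t)0x800000)  /* constructed: 8 MiB shared cache         */
struct dispatch {
    bool to_ck_mem_ops_method;  /* count >  0x90       */
    bool to_byte32sse2_pre;     /* count >= 0xb0       */
    bool to_sse2_nt_move_pre;   /* count >  cache size */
};
/* After `cmp $lim,%r8` (which computes r8 - lim): jg/jge read SF/OF and so
 * treat %r8 as int64_t; ja/jae read CF and treat it as the size_t it is. */
static bool gt(size_t n, size_t lim, bool unsigned_cmp)
{ return unsigned_cmp ? n > lim : (int64_t)n > (int64_t)lim; }
static bool ge(size_t n, size_t lim, bool unsigned_cmp)
{ return unsigned_cmp ? n >= lim : (int64_t)n >= (int64_t)lim; }
/* patched == false: pre-patch jg/jge; patched == true: post-patch ja/jae. */
struct dispatch dispatch(size_t n, bool patched)
{
    struct dispatch d;
    d.to_ck_mem_ops_method = gt(n, SMALL_LIMIT, patched);
    d.to_byte32sse2_pre    = ge(n, SSE32_LIMIT, patched);
    d.to_sse2_nt_move_pre  = gt(n, CACHE_SIZE, patched);
    return d;
}
int main(void)
{
    /* Constructed counts: a small one, a large sane one, and (size_t)-1,
     * the memset(ptr, 0, -1) case quoted from the bug report. */
    const size_t sizes[] = { 0x10, 0x100000, (size_t)-1 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        for (int patched = 0; patched <= 1; patched++) {
            struct dispatch d = dispatch(sizes[i], patched);
            printf("n=%#018zx %-7s ck_mem_ops=%d byte32sse2_pre=%d nt_move=%d\n",
                   sizes[i], patched ? "ja/jae" : "jg/jge",
                   d.to_ck_mem_ops_method, d.to_byte32sse2_pre,
                   d.to_sse2_nt_move_pre);
        }
    }
    return 0;
}
```

With the signed conditions, (size_t)-1 reads as -1 and fails every check, so it is handed to the small-size jump table that the bug report describes; with the unsigned conditions it is correctly treated as the largest possible count.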