[Bug libc/11230] New: memchr overshoots on ia64

[Bug libc/11230] New: memchr overshoots on ia64

[jrnieder at gmail dot com]

memchr can find a location past the end of its buffer:

#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>

int main(int argc, const char * const argv[])
{
    struct stat st;
    lstat(argv[1], &st);

    int fd = open(argv[1], O_RDONLY);
    void *data = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    void *t = memchr(data, 0, st.st_size);
    printf("ptr: %p, ret: %p, len: 0x%zx\n", data, t, st.st_size);
    return 0;
}

Example output:
| % ./test /etc/passwd
| ptr: 0x2000000000050000, ret: 0x200000000005040e, len: 0x40e

Tested using Debian libc6.1 2.10.2-5, whose memchr.S matches current glibc HEAD. 
Discovered because git diff uses similar code looking for null bytes to detect 
binary files.

Unfortunately, I do not have an ia64 to test this myself.  Still, I thought you 
might want to know.  Please let me know if any other details would be helpful.

See http://bugs.debian.org/563882 for the original report.  Thanks to Bastian 
Blank for the test case.

-- 
           Summary: memchr overshoots on ia64
           Product: glibc
           Version: 2.11
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: hjl dot tools at gmail dot com
        ReportedBy: jrnieder at gmail dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: ia64-unknown-linux-gnu
  GCC host triplet: ia64-unknown-linux-gnu
GCC target triplet: ia64-unknown-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-01-28 03:52 -------
It looks like PR 10162, which is fixed in glibc 2.11.1. Please
try glibc 2.11.1.


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING
            Version|2.11                        |2.10


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[aurelien at aurel32 dot net]

------- Additional Comments From aurelien at aurel32 dot net  2010-01-28 04:44 -------
(In reply to comment #1)
> It looks like PR 10162, which is fixed in glibc 2.11.1. Please
> try glibc 2.11.1.
> 

It is a different issue, that was present before the fix for PR 10162, and that 
is still present in 2.11.1 and HEAD. It seems a regression from previous 
versions though (at least from 2.7, I haven't investigated yet when it has been 
introduced).

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-01-28 06:37 -------
Created an attachment (id=4559)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4559&action=view)
A patch


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
            Version|2.10                        |2.12


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[aurelien at aurel32 dot net]

------- Additional Comments From aurelien at aurel32 dot net  2010-01-28 08:32 -------
Thanks for the patch, but it doesn't seems to fix the problem here.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-01-28 14:02 -------
(In reply to comment #4)
> Thanks for the patch, but it doesn't seems to fix the problem here.

It works with the testcase for me.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.12                        |2.10


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[aurelien at aurel32 dot net]

------- Additional Comments From aurelien at aurel32 dot net  2010-02-01 14:55 -------
In your patch, it seems this part is wrong

+       add     last = str, in2         // last byte

The last byte to test has for address (str + in2 - 1). Substracting 1 to last 
make the testcase work here.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-02-01 16:49 -------
(In reply to comment #6)
> In your patch, it seems this part is wrong
> 
> +       add     last = str, in2         // last byte
> 
> The last byte to test has for address (str + in2 - 1). Substracting 1 to last 
> make the testcase work here.

The check is

        adds    ret0 = 8, ret0;;        // load the next unchecked 8byte
        cmp.geu p6, p0 = ret0, last     // don't go over the last byte

It returns if ret0 >= (str + in2). Did I miss something?


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[aurelien at aurel32 dot net]

------- Additional Comments From aurelien at aurel32 dot net  2010-02-01 17:08 -------
You are correct. Your patch is indeed course correct, but does not seems to fix 
all the issues, as I am still able to reproduce the original problem with it.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-02-01 17:25 -------
(In reply to comment #8)
> You are correct. Your patch is indeed course correct, but does not seems to fix 
> all the issues, as I am still able to reproduce the original problem with it.

If you can find a testcase, I will look into it.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2010-02-04 00:21 -------
I can confirm that I can _also_ reproduce the original issue at our SUSE
machines and the issue persists even with the patch applied. I use this test
file as an argument of the testcase program in bug description:

100644 346d4e61f111336a1443ef6b2e834aa5b1a7f91a 0       bozbar
100644 8e4020bb5a8d8c873b25de15933e75cc0fc275df 0       frotz
100644 dca6b92303befc93086aa025d90a5facd7eb2812 0       nitfol

hjl, are you sure you haven't overlooked something when testing your patch?

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pasky at suse dot cz
             Status|WAITING                     |NEW


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-02-04 01:04 -------
(In reply to comment #10)
> I can confirm that I can _also_ reproduce the original issue at our SUSE
> machines and the issue persists even with the patch applied. I use this test
> file as an argument of the testcase program in bug description:
> 
> 100644 346d4e61f111336a1443ef6b2e834aa5b1a7f91a 0       bozbar
> 100644 8e4020bb5a8d8c873b25de15933e75cc0fc275df 0       frotz
> 100644 dca6b92303befc93086aa025d90a5facd7eb2812 0       nitfol
> 
> hjl, are you sure you haven't overlooked something when testing your patch?

Please show me how to reproduce it. I need exact step. Thanks.


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2010-02-04 01:22 -------
cat >memchr.c <<EOT
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>

int main(int argc, const char * const argv[])
{
    struct stat st;
    lstat(argv[1], &st);

    int fd = open(argv[1], O_RDONLY);
    void *data = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    void *t = memchr(data, 0, st.st_size);
    printf("ptr: %p, ret: %p, len: 0x%zx\n", data, t, st.st_size);
    return 0;
}
EOT
gcc -o memchr memchr.c
cat >memchr.t <<EOT
100644 346d4e61f111336a1443ef6b2e834aa5b1a7f91a 0       bozbar
100644 8e4020bb5a8d8c873b25de15933e75cc0fc275df 0       frotz
100644 dca6b92303befc93086aa025d90a5facd7eb2812 0       nitfol
EOT
./memchr memchr.t
# Reports that ret is non-NULL. ret should be NULL.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[jrnieder at gmail dot com]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 600 bytes --]


------- Additional Comments From jrnieder at gmail dot com  2010-02-04 01:32 -------
(In reply to comment #11)
> Please show me how to reproduce it. I need exact step. Thanks.

Here’s one way, I suspect:

 curl http://kernel.org/pub/software/scm/git/git-1.6.6.1.tar.gz | tar -zxf -
 cd git-1.6.6.1/
 make NO_OPENSSL=1 NO_CURL=1 test

The test suite uses git diff often enough to exercise memchr pretty heavily.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-02-05 14:44 -------
Created an attachment (id=4573)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4573&action=view)
An updated patch

Please try this one.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #4559 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[hjl dot tools at gmail dot com]

------- Additional Comments From hjl dot tools at gmail dot com  2010-02-05 15:09 -------
Created an attachment (id=4574)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4574&action=view)
A new patch

Please try this latest patch.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #4573 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[aurelien at aurel32 dot net]

------- Additional Comments From aurelien at aurel32 dot net  2010-02-05 17:45 -------
I confirm it works, and I have seen no regression in the testsuite. Thanks a 
lot for your work.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2010-02-05 20:27 -------
I can confirm it fixes the issue for us as well, thank you very much!

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2010-02-06 10:20 -------
Patch is in git.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[jrnieder at gmail dot com]

------- Additional Comments From jrnieder at gmail dot com  2010-02-08 19:48 -------
Thanks, all.  Pasky, do you plan to include a copy of commit 70b7d00 (memchr 
overshoots on ia64, 2010-02-06) in some stable release?

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=11230

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/11230] memchr overshoots on ia64

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=11230

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.