public inbox for glibc-bugs@sourceware.org
* [Bug libc/12077] New: strncmp over-reads its buffer, may cause SIGSEGV
From: ppluzhnikov at google dot com @ 2010-10-01 12:01 UTC
  To: glibc-bugs

Attached test case crashes in 64-bit mode
  ./a.out $j
  ./a.out $j 1
for all values of $j between 1 and 15

It does not crash in 32-bit mode (the bug appears to be in sysdeps/x86_64/strcmp.S).

The bug is not present in glibc-2.7; is present in 2.11.1 and current trunk.

-- 
           Summary: strncmp over-reads its buffer, may cause SIGSEGV
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper dot fsp at gmail dot com
        ReportedBy: ppluzhnikov at google dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: x86_64-linux-gnu
  GCC host triplet: x86_64-linux-gnu
GCC target triplet: x86_64-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=12077

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: ppluzhnikov at google dot com @ 2010-10-01 12:04 UTC
  To: glibc-bugs


------- Additional Comments From ppluzhnikov at google dot com  2010-10-01 12:04 -------
Created an attachment (id=5022)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=5022&action=view)
test case


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=12077




* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: drepper dot fsp at gmail dot com @ 2010-10-01 13:23 UTC
  To: glibc-bugs


------- Additional Comments From drepper dot fsp at gmail dot com  2010-10-01 13:23 -------
Why can't you be specific and describe exactly what type of machine you're using?  
You better know meanwhile that there are multiple implementations available.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |normal


http://sourceware.org/bugzilla/show_bug.cgi?id=12077




* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: ppluzhnikov at google dot com @ 2010-10-01 14:01 UTC
  To: glibc-bugs


------- Additional Comments From ppluzhnikov at google dot com  2010-10-01 14:00 -------
(In reply to comment #2)
> Why can't you be specific and describe exactly what type of machine you're using?

Sorry. The crash shows on every x86_64 linux machine I have tried.

Here is /proc/cpuinfo from one:

processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 15
model		: 65
model name	: Dual-Core AMD Opteron(tm) Processor 8214 HE
stepping	: 2
cpu MHz		: 2200.000
cache size	: 1024 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow
rep_good pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
bogomips	: 4420.36
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc


> You better know meanwhile that there are multiple implementations available.

Right, sorry about it. On the above AMD, the crash is here:

(gdb) r 15
region 1: [0x7ffff7ff4000, 0x7ffff7ff5000)
region 2: [0x7ffff7ff2000, 0x7ffff7ff4000)
strncmp(0x7ffff7ff400f, 0x7ffff7ff200f, 4081) = 0

Program received signal SIGSEGV, Segmentation fault.
__strncmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:2149
2149		movdqa	(%rdi, %rcx), %xmm2

Same on model name    : Intel(R) Pentium(R) 4 CPU 3.40GHz

On model name    : Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc
arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2
ssse3 cx16 xtpr pdcm lahf_lm tpr_shadow

the crash is here:

(gdb) r 15
region 1: [0x7ffff7ff5000, 0x7ffff7ff6000)
region 2: [0x7ffff7ff3000, 0x7ffff7ff5000)
strncmp(0x7ffff7ff500f, 0x7ffff7ff300f, 4081) = 0

Program received signal SIGSEGV, Segmentation fault.
__strncmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:2149
2149	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
	in ../sysdeps/x86_64/multiarch/../strcmp.S

I can't find any SSE4 machines at the moment.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=12077



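A reconstruction of the reporter's guard-page harness, added here as an example; it is not the attachment from the bug (id=5022, which is not shown on this page). It maps a one-page region with an unmapped page directly after it and places s1 at offset 15, so the compared range ends exactly at the page boundary (n = 4096 - 15 = 4081 on 4K pages, matching the strncmp call in the trace above); any read beyond n bytes hits the guard page and faults instead of silently succeeding. The two-page layout of region 2, the fill byte, and the absence of a NUL in the compared range are assumptions; the second command-line argument of the original test is not modelled.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map `pages` readable/writable pages followed by one PROT_NONE guard page.
 * Returns the start of the readable region, or NULL on failure. */
static char *map_with_guard(size_t pages, size_t ps)
{
    char *p = mmap(NULL, (pages + 1) * ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p + pages * ps, ps, PROT_NONE) != 0) {
        munmap(p, (pages + 1) * ps);
        return NULL;
    }
    return p;
}

/* Assumed layout of the reporter's test: s1 lives `off` bytes into a
 * one-page region, s2 at the same offset in a two-page region, both filled
 * with 'a' (no NUL inside the compared range), and n = page size - off so
 * the comparison ends exactly at the end of s1's page. A strncmp that reads
 * past that boundary faults on the guard page; a correct one returns 0.
 * Returns -2 if the harness itself could not be set up. */
int strncmp_at_page_end(size_t off)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    if (off >= ps)
        return -2;
    char *r1 = map_with_guard(1, ps);
    char *r2 = map_with_guard(2, ps);
    int rc = -2;
    if (r1 && r2) {
        memset(r1, 'a', ps);
        memset(r2, 'a', 2 * ps);
        rc = strncmp(r1 + off, r2 + off, ps - off);  /* off = 15 -> n = 4081 */
    }
    if (r1) munmap(r1, 2 * ps);
    if (r2) munmap(r2, 3 * ps);
    return rc;
}

int main(void)
{
    /* Same sweep as the report: offsets 1..15 */
    for (size_t off = 1; off <= 15; off++)
        printf("offset %zu: strncmp returned %d\n", off, strncmp_at_page_end(off));
    return 0;
}
```

Because the over-read happens inside libc's own assembly, a sanitizer interceptor that only checks the n requested bytes will not flag it; the unmapped guard page is what turns the stray load into a visible fault.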

* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: ppluzhnikov at google dot com @ 2010-10-01 17:14 UTC
  To: glibc-bugs


------- Additional Comments From ppluzhnikov at google dot com  2010-10-01 17:14 -------
On SSE4_2 capable machine:

model name      : Intel(R) Xeon(R) CPU           X5550  @ 2.67GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm
constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx est tm2 ssse3
cx16 xtpr dca sse4_1 sse4_2 popcnt lahf_lm ida

the test does not crash for any combination of parameters, so __strncmp_sse42
does not have the bug.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=12077




* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: drepper dot fsp at gmail dot com @ 2010-10-03  3:12 UTC
  To: glibc-bugs


------- Additional Comments From drepper dot fsp at gmail dot com  2010-10-03 03:11 -------
I cannot reproduce a problem on a SSE4.2 system when the SSE4.2 version is used.  
You'll also have to make sure you're using the multiarch version.

I think I can reproduce a problem in the SSSE3 and SSE2 versions.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=12077




* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: ppluzhnikov at google dot com @ 2010-10-03  3:23 UTC
  To: glibc-bugs


------- Additional Comments From ppluzhnikov at google dot com  2010-10-03 03:23 -------
(In reply to comment #5)
> I cannot reproduce a problem on a SSE4.2 system when the SSE4.2 version is used.  

Neither can I. In comment #4: "On SSE4_2 capable machine ... the test does *not*
crash".


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=12077




* [Bug libc/12077] strncmp over-reads its buffer, may cause SIGSEGV
From: drepper dot fsp at gmail dot com @ 2010-10-04  2:11 UTC
  To: glibc-bugs


------- Additional Comments From drepper dot fsp at gmail dot com  2010-10-04 02:11 -------
Should be fixed in git.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=12077


