public inbox for glibc-bugs@sourceware.org
* [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
@ 2011-12-22 11:49 liubov.dmitrieva at gmail dot com
  2011-12-22 12:17 ` [Bug libc/13540] " liubov.dmitrieva at gmail dot com
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-22 11:49 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

             Bug #: 13540
           Summary: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat,
                    strncat
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: liubov.dmitrieva@gmail.com
    Classification: Unclassified


Created attachment 6128
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6128
Test case.

I have a test case that reproduces a bug in the ssse3 strcpy, strncpy, stpncpy,
stpcpy, strcat, strncat optimized routines for x86_32.

Test build command:
-- gcc test.c glibc/sysdeps/i386/i686/multiarch/strncpy-ssse3.S  -odo -m32
-lpthread  -std=c99 -I.

Running (Segmentation fault if parameter < 4):

-bash-4.2$ ./do 3 > /dev/null
Segmentation fault
-bash-4.2$ ./do 0 > /dev/null
Segmentation fault


The root cause of the problem is the strncpy() algorithm. It uses the destination
memory beyond the string end for a 16-byte load, puts changes into the part that
is relevant to the destination string and writes the whole 16-byte chunk back into memory.
For this particular test the memory beyond the string end contains malloc/free
data, which appears corrupted if free() updates it between the 16-byte
read and the 16-byte write.

The test calls strncpy, but the bug is common since strcpy, strncpy,
stpncpy, stpcpy, strcat and strncat all use the shared algorithm from the
glibc/sysdeps/i386/i686/multiarch/strcpy-ssse3.S file.

I have a patch that fixes the issue (I redeveloped the algorithm for the last bytes in
the /i386/i686/multiarch/strcpy-ssse3.S file) and sent it to
libc-alpha@sourceware.org.


--
Liubov Dmitrieva

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
@ 2011-12-22 12:17 ` liubov.dmitrieva at gmail dot com
  2011-12-22 12:28 ` liubov.dmitrieva at gmail dot com
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-22 12:17 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #1 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2011-12-22 12:16:36 UTC ---
I would like to post some details:

The problem is in all the last-bytes copying labels like the one below.

L(ShlNLoopExit):
    movaps    (%edx), %xmm6
    psrldq    $N, %xmm6
    mov    $N, %esi
    palignr    $16-N, %xmm1, %xmm6
    movaps    %xmm6, (%edx)
    jmp    L(CopyFrom1To16Bytes)

The algorithm loads 16 bytes from dst (%edx), modifies some part (N bytes) and
writes the register back,
then goes to the label where it copies the remaining M bytes (can be from 1 to 16 bytes).
In particular cases, when 16 - N > M, we can affect memory of another thread.
That thread can modify memory between the load and store instructions here.
It can cause a corruption.



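The read-modify-write tail shown in comment #1, and the neighbour-byte check that comment #7 later sketches as a reproducer, modelled in C as an added editorial example (not the glibc assembly, not the attached test case). The 16-byte load and store are emulated with memcpy, and the second thread is replaced by a hook called between the load and the store so the losing interleaving happens every time; the struct layout, the function names and the "abc" payload are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Width of the vector register the SSSE3 tail code loads and stores. */
#define CHUNK 16

/* Hook called between the wide load and the wide store.  It stands in for
 * the second thread of comment #7 and makes the interleaving deterministic;
 * a real reproducer would run that writer concurrently. */
typedef void (*interleave_fn)(void *ctx);
typedef void (*tail_copy_fn)(char *dst, const char *src, size_t m,
                             interleave_fn hook, void *ctx);

/* C model of the L(ShlNLoopExit) tail in strcpy-ssse3.S (a re-creation for
 * illustration, not glibc's assembly): read CHUNK bytes from dst, splice in
 * the m bytes that belong to the string, write all CHUNK bytes back.  Bytes
 * [m, CHUNK) of dst are not part of the destination buffer, so a write that
 * another thread makes to them between the load and the store is lost. */
static void buggy_tail_copy(char *dst, const char *src, size_t m,
                            interleave_fn hook, void *ctx)
{
    unsigned char chunk[CHUNK];
    memcpy(chunk, dst, CHUNK);   /* movaps (%edx), %xmm6 */
    memcpy(chunk, src, m);       /* psrldq/palignr: splice the m new bytes */
    if (hook) hook(ctx);         /* the race window */
    memcpy(dst, chunk, CHUNK);   /* movaps %xmm6, (%edx) */
}

/* Fixed behaviour: only the m bytes that belong to dst are ever written. */
static void safe_tail_copy(char *dst, const char *src, size_t m,
                           interleave_fn hook, void *ctx)
{
    if (hook) hook(ctx);
    memcpy(dst, src, m);
}

/* Layout constructed for the demonstration: an 8-byte destination buffer
 * followed, inside the same 16-byte chunk, by memory that belongs to the
 * other thread.  This mirrors the "char variable very close to the buffer"
 * of comment #7 and the malloc metadata hit by the original test case. */
struct neighbourhood {
    _Alignas(CHUNK) char dst[8];
    char owned_by_other[8];
};

static void other_thread_writes(void *ctx)
{
    struct neighbourhood *n = ctx;
    n->owned_by_other[0] = 'X';   /* the other thread's legitimate update */
}

/* Copy "abc\0" (m = 4 < CHUNK) into dst while the neighbour is updated.
 * Returns 1 if the copy is correct and the neighbour's update survived,
 * 0 if the update was silently overwritten by the wide store. */
static int neighbour_survives(tail_copy_fn copy)
{
    struct neighbourhood n;
    memset(&n, 0, sizeof n);
    copy(n.dst, "abc", 4, other_thread_writes, &n);
    return strcmp(n.dst, "abc") == 0 && n.owned_by_other[0] == 'X';
}

int main(void)
{
    printf("safe tail copy:  neighbour intact = %d\n",
           neighbour_survives(safe_tail_copy));
    printf("buggy tail copy: neighbour intact = %d\n",
           neighbour_survives(buggy_tail_copy));
    return 0;
}
```

The copied string is correct in both variants, which is why ordinary string tests pass; only the bytes past the end of dst differ, and only when another writer touches them inside the window. That is the "16 - N > M" condition of comment #1: the wide store covers more bytes than the string still owes, so the trailing bytes belong to someone else.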

* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
  2011-12-22 12:17 ` [Bug libc/13540] " liubov.dmitrieva at gmail dot com
@ 2011-12-22 12:28 ` liubov.dmitrieva at gmail dot com
  2011-12-22 16:24 ` liubov.dmitrieva at gmail dot com
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-22 12:28 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #2 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2011-12-22 12:28:30 UTC ---
The x86_64 routines use a similar algorithm for last-bytes processing.
But this test case doesn't catch the bug in 64-bit mode.

It seems that malloc allocates memory parts not so close to each other.
I will try to develop another test case for 64-bit mode.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
  2011-12-22 12:17 ` [Bug libc/13540] " liubov.dmitrieva at gmail dot com
  2011-12-22 12:28 ` liubov.dmitrieva at gmail dot com
@ 2011-12-22 16:24 ` liubov.dmitrieva at gmail dot com
  2011-12-22 16:26 ` liubov.dmitrieva at gmail dot com
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-22 16:24 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #3 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2011-12-22 16:23:54 UTC ---
Created attachment 6129
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6129
Beta version of test case, bug reproducer




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (2 preceding siblings ...)
  2011-12-22 16:24 ` liubov.dmitrieva at gmail dot com
@ 2011-12-22 16:26 ` liubov.dmitrieva at gmail dot com
  2011-12-22 16:36 ` schwab@linux-m68k.org
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-22 16:26 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #4 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2011-12-22 16:26:03 UTC ---
I developed a better stress test case (test1.tar) which covers more routines.

Compile string:

gcc test.c $GLIBC/strcpy-ssse3.S $GLIBC/strcat-ssse3.S $GLIBC/strncpy-ssse3.S
$GLIBC/strncat-ssse3.S $GLIBC/wcs*-ssse3.S  -odo -m32 -lpthread -g -std=c99 -I.

Run: ./do

After applying the patch I've sent to libc-alpha today I see that issues still
remain in wcscpy.

Output:

-bash-4.2$ ./do
strlen: 248
main thread(tid:776 pid:776 ppid:18191)!
Strncpy is ok
Strncat is ok
Strcpy is ok
Strcat is ok
*** glibc detected *** ./do: corrupted double-linked list: 0xf6600618 ***


Before applying the patch I've sent today, no function from the test list
is ok:

-bash-4.2$ ./do
strlen: 248
main thread(tid:819 pid:819 ppid:18191)!
*** glibc detected *** ./do: double free or corruption (out): 0xf65004f0 ***


If I switch all string implementations in the test.c file to the standard ones I have on a
Fedora 15 machine, every test is ok.


I will submit remaining fix in wcscpy tomorrow.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (3 preceding siblings ...)
  2011-12-22 16:26 ` liubov.dmitrieva at gmail dot com
@ 2011-12-22 16:36 ` schwab@linux-m68k.org
  2011-12-22 21:35 ` ppluzhnikov at google dot com
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: schwab@linux-m68k.org @ 2011-12-22 16:36 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #5 from Andreas Schwab <schwab@linux-m68k.org> 2011-12-22 16:36:15 UTC ---
You should be able to build upon the tests in string/stratcliff.c, avoiding the
need to depend on memory corruption.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (4 preceding siblings ...)
  2011-12-22 16:36 ` schwab@linux-m68k.org
@ 2011-12-22 21:35 ` ppluzhnikov at google dot com
  2011-12-22 23:03 ` drepper.fsp at gmail dot com
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: ppluzhnikov at google dot com @ 2011-12-22 21:35 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (5 preceding siblings ...)
  2011-12-22 21:35 ` ppluzhnikov at google dot com
@ 2011-12-22 23:03 ` drepper.fsp at gmail dot com
  2011-12-23 11:22 ` liubov.dmitrieva at gmail dot com
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: drepper.fsp at gmail dot com @ 2011-12-22 23:03 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-22 23:03:33 UTC ---
Patch is in.  The test case can be handled separately.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (6 preceding siblings ...)
  2011-12-22 23:03 ` drepper.fsp at gmail dot com
@ 2011-12-23 11:22 ` liubov.dmitrieva at gmail dot com
  2012-02-20 18:09 ` tschwinge at sourceware dot org
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2011-12-23 11:22 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #7 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2011-12-23 11:21:50 UTC ---
I regret this bug wasn't caught earlier.
It's too early to consider this bug fixed.
The bug is widespread in glibc string routines.
I've sent a patch with the wcscpy fix (for x86_32) today in addition to
yesterday's patch, which fixes strcpy/stpcpy, strncpy/stpncpy, strcat/strncat.
But that was only work regarding the x86_64 string routines.

But the same issue exists for x86_64 routines.

Yes, my attached test1 has good recall in 32-bit mode but doesn't catch anything
in 64-bit mode.
Unfortunately I don't have any reproducer for 64-bit mode now. I think it can be
a two-thread application where one thread calls string copy routines and the second
thread keeps some char variable very close to a buffer the first thread uses.
The second thread should update the variable and check that the first thread doesn't
load a char before the update and restore it after. The test should vary lengths and
alignments, since the bug exists only in restricted cases.
I'm going to work on patches for x86_64 ASAP. The algorithm shall be modified
in similar files: strcpy-ssse3.S and wcscpy-ssse3.S




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (7 preceding siblings ...)
  2011-12-23 11:22 ` liubov.dmitrieva at gmail dot com
@ 2012-02-20 18:09 ` tschwinge at sourceware dot org
  2012-02-21 19:37 ` liubov.dmitrieva at gmail dot com
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: tschwinge at sourceware dot org @ 2012-02-20 18:09 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

Thomas Schwinge <tschwinge at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tschwinge at sourceware dot
                   |                            |org

--- Comment #8 from Thomas Schwinge <tschwinge at sourceware dot org> 2012-02-20 18:06:21 UTC ---
Hi Liubov!

(This bug has been closed as RESOLVED, FIXED, but then apparently work
was resumed later on.)


(In reply to comment #7)
> It's too early to think this bug to be fixed.  [...]

I can't quite tell if these additional issues have been fixed or at least
reported by now?  Could you please give a summary about what remains to
be done here?  If appropriate, re-open this bug, or file new issues
instead.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (8 preceding siblings ...)
  2012-02-20 18:09 ` tschwinge at sourceware dot org
@ 2012-02-21 19:37 ` liubov.dmitrieva at gmail dot com
  2012-02-22  9:39 ` tschwinge at sourceware dot org
  2014-06-13 14:11 ` fweimer at redhat dot com
  11 siblings, 0 replies; 13+ messages in thread
From: liubov.dmitrieva at gmail dot com @ 2012-02-21 19:37 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #9 from Liubov Dmitrieva <liubov.dmitrieva at gmail dot com> 2012-02-21 19:35:29 UTC ---
(In reply to comment #8)
> Hi Liubov!
> 
> (This bug has been closed as RESOLVED, FIXED, but then apparently work
> was resumed later on.)
> 
> 
> (In reply to comment #7)
> > It's too early to think this bug to be fixed.  [...]
> 
> I can't quite tell if these additional issues have been fixed or at least
> reported by now?  Could you please give a summary about what remains to
> be done here?  If appropriate, re-open this bug, or file new issues
> instead.

The issue and similar issues were fixed by the following three patches:

http://sourceware.org/ml/libc-alpha/2011-12/msg00074.html
http://sourceware.org/ml/libc-alpha/2011-12/msg00079.html
http://sourceware.org/ml/libc-alpha/2011-12/msg00076.html

Thanks.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (9 preceding siblings ...)
  2012-02-21 19:37 ` liubov.dmitrieva at gmail dot com
@ 2012-02-22  9:39 ` tschwinge at sourceware dot org
  2014-06-13 14:11 ` fweimer at redhat dot com
  11 siblings, 0 replies; 13+ messages in thread
From: tschwinge at sourceware dot org @ 2012-02-22  9:39 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13540

--- Comment #10 from Thomas Schwinge <tschwinge at sourceware dot org> 2012-02-22 09:39:30 UTC ---
> The issue and similar issues were fixed by the following three patches:
> 
> http://sourceware.org/ml/libc-alpha/2011-12/msg00074.html
> http://sourceware.org/ml/libc-alpha/2011-12/msg00079.html
> http://sourceware.org/ml/libc-alpha/2011-12/msg00076.html

Thanks, these have promptly been committed by Ulrich.  I understand that
the last one is the fix for ``the same issue exists for x86_64
routines'' (your words), which you had raised after the bug had been
closed already.  Given this, we're fine.




* [Bug libc/13540] Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat
  2011-12-22 11:49 [Bug libc/13540] New: Bug in ssse3 strcpy, strncpy, stpncpy, stpcpy, strcat, strncat liubov.dmitrieva at gmail dot com
                   ` (10 preceding siblings ...)
  2012-02-22  9:39 ` tschwinge at sourceware dot org
@ 2014-06-13 14:11 ` fweimer at redhat dot com
  11 siblings, 0 replies; 13+ messages in thread
From: fweimer at redhat dot com @ 2014-06-13 14:11 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=13540

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+



