From: "chris_s_jones at yahoo dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug ports/15583] New: r7 uninitialized in ports/sysdeps/arm/armv6/strcpy.S when ARM_HAS_T2 undefined
Date: Wed, 05 Jun 2013 18:07:00 -0000

http://sourceware.org/bugzilla/show_bug.cgi?id=15583

            Bug ID: 15583
           Summary: r7 uninitialized in ports/sysdeps/arm/armv6/strcpy.S
                    when ARM_HAS_T2 undefined
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ports
          Assignee: unassigned at sourceware dot org
          Reporter: chris_s_jones at yahoo dot com
                CC: carlos at redhat dot com, roland at gnu dot org

The version of strcpy.S for ARM uses the following to initialize a value in r7
to detect end-of-string.

        @ Subtracting (unsigned saturating) from 1 for any byte means result
        @ of 1 for any byte that was originally zero and 0 otherwise.
        @ Therefore we consider the lsb of each byte the "found" bit.
    #ifdef ARCH_HAS_T2
        movw    r7, #0x0101
        tst     r0, #3          @ Test alignment of DEST
        movt    r7, #0x0101
    #else
        ldr     ip, =0x01010101
        tst     r0, #3
    #endif

If ARCH_HAS_T2 is not defined, then ip (r12) gets initialized rather than r7.
The subsequent code will then attempt to use the uninitialized value in r7,
which can cause strcpy() to walk past the end of the string.
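
The failure described above, modelled in C as an added example (not code from the report or from glibc): the per-byte unsigned saturating subtract from the quoted comment, run once with 0x01010101 and once with a stand-in for an uninitialized r7. The function names, the sample buffer and the stand-in value 0 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Per-byte unsigned saturating subtract: each byte of a minus the matching
   byte of b, clamped at 0 (C model of the operation the comment describes). */
static uint32_t sat_sub_bytes(uint32_t a, uint32_t b)
{
    uint32_t r = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t x = (a >> (8 * i)) & 0xff;
        uint32_t y = (b >> (8 * i)) & 0xff;
        r |= (x > y ? x - y : 0) << (8 * i);
    }
    return r;
}

/* Scan word by word for a NUL byte, with `ones` playing the role of r7.
   Returns the offset of the first detected NUL, or `limit` when no NUL is
   detected inside the buffer (a real copy loop would keep going past it).
   `limit` must be a multiple of 4. */
size_t scan_for_nul(const unsigned char *buf, size_t limit, uint32_t ones)
{
    for (size_t off = 0; off + 4 <= limit; off += 4) {
        uint32_t w = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                     (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
        uint32_t found = sat_sub_bytes(ones, w);
        for (int i = 0; i < 4; i++)
            if (found & (1u << (8 * i)))   /* lsb of byte i is the "found" bit */
                return off + i;
    }
    return limit;
}

/* Constructed sample: "abcde", the terminating NUL, then unrelated bytes. */
static const unsigned char sample[16] = {
    'a', 'b', 'c', 'd', 'e', 0, 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X'
};

int main(void)
{
    printf("r7 = 0x01010101: NUL at %zu\n", scan_for_nul(sample, 16, 0x01010101u));
    printf("r7 = 0 (stand-in): NUL at %zu\n", scan_for_nul(sample, 16, 0));
    return 0;
}
```

With the correct constant the terminator is found at offset 5; with the stand-in value no byte ever sets its "found" bit, so the scan reaches the end of the buffer without stopping.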