From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 13436 invoked by alias); 25 Jun 2013 00:20:40 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 13391 invoked by uid 48); 25 Jun 2013 00:20:33 -0000 From: "ronis at google dot com" To: glibc-bugs@sourceware.org Subject: [Bug libc/15674] New: __memcmp_ssse3 tries to read past the array bounary Date: Tue, 25 Jun 2013 00:20:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.18 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: ronis at google dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2013-06/txt/msg00196.txt.bz2 http://sourceware.org/bugzilla/show_bug.cgi?id=15674 Bug ID: 15674 Summary: __memcmp_ssse3 tries to read past the array bounary Product: glibc Version: 2.18 Status: NEW Severity: normal Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: ronis at google dot com CC: drepper.fsp at gmail dot com Created attachment 7093 --> http://sourceware.org/bugzilla/attachment.cgi?id=7093&action=edit patch for glibc/string/test-memcmp.c Hello, The bug occurrs when "memcmp(s1, s2, 72)" calls __memcmp_ssse3, and when (s1 + 72) coinsides with a page boundary. The instruction mov -9(%rdi), %eax in __memcmp_ssse3 () at ../sysdeps/x86_64/multiarch/memcmp-ssse3.S:1467 causes a segmentation fault. Example: the page is at the address range 0x2000 - 0x3000, s1=(0x3000 - 72), and the next page is mprotected with PROT_NONE. $rdi=0x3008, and the "mov" instruction tries to read 4 bytes starting at 0x3008-9, crossing the boundary. The test case fails for the number of array sizes (72 is just one of them). Other sizes are 48, 65-75, etc. The reported glibc version is 2.18, but the same issue occurs in 2.15. How to reproduce: (1) Modify glibc/string/test-memcmp.c (the patch is attached) (2) Run "env LANGUAGE=C LC_ALL=C make check" test-memcmp-ifunc will fail with segfault. In string/test-memcmp-ifunc.out: ..... check2: length=48, simple_memcmp check2: length=48, __memcmp_sse4_1 check2: length=48, __memcmp_ssse3 Thank you. Roni. -- You are receiving this mail because: You are on the CC list for the bug.