public inbox for glibc-bugs@sourceware.org
* [Bug libc/17495] New: strcmp strncmp over-reads, may cause SIGSEGV
@ 2014-10-20 13:53 tstark at gmail dot com
From: tstark at gmail dot com @ 2014-10-20 13:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17495

            Bug ID: 17495
           Summary: strcmp strncmp over-reads, may cause SIGSEGV
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: tstark at gmail dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7838
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7838&action=edit
Test case

Hi,

This is my first bug report. I know there are similar duplicates of this; they
are marked as fixed, and I want to re-escalate this.

OS: Linux x86 64
glibc: Verified on 2.11.3 and most recent 2.20, probably also on anything in
between.
       Verified not to occur on 2.4.

Summary -
Using strcmp() and strncmp() may cause a buffer over-read, and even a page fault
and crash if the over-read crosses a page boundary into an unmapped page.

Description -
This was first experienced with malloc, though the problem is obviously
reproducible with mmap as well.

There is a buffer alignment that may cause the following assembly instruction to
over-read 16B past the end of a buffer (even with strncmp!) -
sysdeps/x86_64/strcmp.S : __strncmp_sse42 : movdqa (%rdi, %rcx), %xmm2

Let's assume we have two strings, str1 and str2.
Under my configuration, str1 ends (terminating null byte) at the end of a 64B
block. i.e. ( str1 + str1_length ) % 64 = 0.
str2 begins at some byte, which is not aligned to 16B, i.e. str2 % 16 != 0.
This configuration is not uncommon when looking for sub-strings manually.

Let's assume both strings are equal; therefore strcmp should return true after
reading the last byte of str1.
What happens is that the above movdqa instruction reads the next 16B after the
last byte of str1. This could be on a different page and cause a segfault.
If no segfault happens, strcmp returns that the strings are equal and
everything is ok, even though we over-read the data.

I've attached a simple example with malloc (over-reads but no segfault) and
then with mmap (which is set to cause a segfault).

If I missed anything relevant or need to supply any extra information, I'd be
happy to supply it.

Thank you,

Tomer

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug libc/17495] strcmp strncmp over-reads, may cause SIGSEGV
From: tstark at gmail dot com @ 2014-10-20 14:08 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17495

Tomer Stark <tstark at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tstark at gmail dot com




* [Bug libc/17495] strcmp strncmp over-reads, may cause SIGSEGV
From: schwab@linux-m68k.org @ 2014-10-20 14:56 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17495

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
This is not a bug, both strcmp and strncmp verify that they never read past a
page boundary.  The attached test case does not crash for me.




* [Bug libc/17495] strcmp strncmp over-reads, may cause SIGSEGV
From: tstark at gmail dot com @ 2014-10-20 15:14 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17495

--- Comment #2 from Tomer Stark <tstark at gmail dot com> ---
(In reply to Andreas Schwab from comment #1)
> This is not a bug, both strcmp and strncmp verify that they never read past
> a page boundary.  The attached test case does not crash for me.

I'm clearly getting a segmentation fault with this test case, and simply
changing the offset variable to a multiple of 32 prevents the segfault.

Similar claims have been made in bugs 12077 and 12597, possibly more that I
can't find.

Is there any further data I can supply to corroborate my claim?



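The original report describes a guard-page reproducer (attachment 7838, not reproduced on this page), comment #1 claims the glibc routines never read across a page boundary, and comment #2 notes that the result depends on the offset of the second string. The harness below is an added example written for this page; it is not the reporter's attachment and not glibc code. It places str1 so that its terminating NUL is the last byte before a PROT_NONE page, places str2 at an arbitrary misalignment in a separate page that is also followed by a PROT_NONE page, and catches the fault with sigsetjmp/siglongjmp so one process can sweep many length/offset combinations instead of dying on the first one. The functions probe_one and sweep, the page layout and the 1..64 byte / 0..31 offset ranges are choices made for this example, not anything from the bug.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for the fault handler so a probe reports "faulted" instead of dying. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/*
 * Layout: [rw page 0][PROT_NONE][rw page 2][PROT_NONE].
 * str1 ends exactly at the end of page 0 (NUL is the page's last byte);
 * str2 starts str2_off bytes into page 2, so its alignment is arbitrary.
 * Any read past either terminator lands in a guard page and faults.
 *
 * Returns 0 if strcmp/strncmp gave the expected answer without faulting,
 * 1 if they returned a wrong answer, 2 if the comparison faulted,
 * -1 if the mapping could not be set up (counted as a failure by sweep).
 */
static int probe_one(size_t len, size_t str2_off, int differ)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 0 || len + 1 > pg || str2_off + len + 1 > pg)
        return -1;

    unsigned char *base = mmap(NULL, 4 * pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base + pg, pg, PROT_NONE) != 0 ||
        mprotect(base + 3 * pg, pg, PROT_NONE) != 0) {
        munmap(base, 4 * pg);
        return -1;
    }

    char *str1 = (char *)base + pg - (len + 1);     /* NUL at base[pg - 1] */
    char *str2 = (char *)base + 2 * pg + str2_off;  /* deliberately misaligned */
    memset(str1, 'A', len);
    str1[len] = '\0';
    memset(str2, 'A', len);
    str2[len] = '\0';
    if (differ)
        str2[len - 1] = 'B';  /* differ only in the last byte before the guard page */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);  /* some platforms report guard hits as SIGBUS */

    volatile int rc;
    if (sigsetjmp(fault_env, 1) == 0) {
        int r1 = strcmp(str1, str2);
        int r2 = strncmp(str1, str2, len + 1);
        /* 'A' < 'B', so a differing pair must compare negative; equal pairs must give 0. */
        int ok = differ ? (r1 < 0 && r2 < 0) : (r1 == 0 && r2 == 0);
        rc = ok ? 0 : 1;
    } else {
        rc = 2;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(base, 4 * pg);
    return rc;
}

/*
 * Sweep string lengths 1..64 and str2 offsets 0..31 (every 16B and 32B
 * misalignment), for both equal pairs and last-byte-different pairs.
 * Returns the number of failing combinations; the counts of faults and
 * wrong results are also written to the optional out-parameters.
 */
static int sweep(int *faults, int *wrong)
{
    int nf = 0, nw = 0;
    for (size_t len = 1; len <= 64; len++)
        for (size_t off = 0; off < 32; off++)
            for (int differ = 0; differ < 2; differ++) {
                int rc = probe_one(len, off, differ);
                if (rc == 2)
                    nf++;
                else if (rc != 0)
                    nw++;
            }
    if (faults)
        *faults = nf;
    if (wrong)
        *wrong = nw;
    return nf + nw;
}

int main(void)
{
    int faults = 0, wrong = 0;
    int bad = sweep(&faults, &wrong);
    printf("%d failing combinations (%d faulted, %d wrong result)\n",
           bad, faults, wrong);
    return bad != 0;
}
```

Build with the C compiler of the glibc under test (for example cc -O2 -o strcmp_guard strcmp_guard.c) and run it against the installed libc; a non-zero exit means at least one length/offset pair either faulted or miscompared. The harness only observes reads that cross into the guard page: an over-read that stays inside a mapped page, which is what the reporter's malloc variant exercises, is invisible here and needs a memory checker instead.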

* [Bug libc/17495] strcmp strncmp over-reads, may cause SIGSEGV
From: tstark at gmail dot com @ 2014-10-22  7:30 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17495

Tomer Stark <tstark at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|---                         |OBSOLETE

--- Comment #3 from Tomer Stark <tstark at gmail dot com> ---
Compiling 2.20 with AVX/AVX2 fixes the overflow.

Closing as obsolete.



