public inbox for glibc-bugs@sourceware.org
* [Bug libc/17746] New: tilegx32: strstr can miss the end of the string
@ 2014-12-22 19:49 cmetcalf at ezchip dot com
  2014-12-22 19:53 ` [Bug libc/17746] " cvs-commit at gcc dot gnu.org
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: cmetcalf at ezchip dot com @ 2014-12-22 19:49 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

            Bug ID: 17746
           Summary: tilegx32: strstr can miss the end of the string
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: cmetcalf at ezchip dot com
                CC: drepper.fsp at gmail dot com

The code uses a __builtin_expect() test on a raw uint64_t value to see if it is
zero.  Unfortunately __builtin_expect() takes a long, so we lose the high 32
bits in ILP32 mode.  This can mean we don't see the final NUL on the string.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug libc/17746] tilegx32: strstr can miss the end of the string
  2014-12-22 19:49 [Bug libc/17746] New: tilegx32: strstr can miss the end of the string cmetcalf at ezchip dot com
@ 2014-12-22 19:53 ` cvs-commit at gcc dot gnu.org
  2014-12-22 19:54 ` cmetcalf at ezchip dot com
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-12-22 19:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  0dacd7a3b9401f7eb7160cf79231a4573773c5da (commit)
      from  929011700ce09f2bb4f6f650ae95b6eb68145deb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0dacd7a3b9401f7eb7160cf79231a4573773c5da

commit 0dacd7a3b9401f7eb7160cf79231a4573773c5da
Author: Chris Metcalf <cmetcalf@ezchip.com>
Date:   Mon Dec 22 14:50:26 2014 -0500

    tilegx: remove implicit boolean conversion in strstr.

    [BZ #17746]
    The __builtin_expect() truncated a uint64_t to a 32-bit long
    in ILP32 mode, discarding the high 32 bits, and potentially
    missing the NUL terminator that we were searching for with SIMD
    operations.  Explicitly compare to zero to fix the problem.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |    6 ++++++
 NEWS                         |    2 +-
 sysdeps/tile/tilegx/strstr.c |    2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug libc/17746] tilegx32: strstr can miss the end of the string
  2014-12-22 19:49 [Bug libc/17746] New: tilegx32: strstr can miss the end of the string cmetcalf at ezchip dot com
  2014-12-22 19:53 ` [Bug libc/17746] " cvs-commit at gcc dot gnu.org
@ 2014-12-22 19:54 ` cmetcalf at ezchip dot com
  2015-01-29 13:22 ` fweimer at redhat dot com
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: cmetcalf at ezchip dot com @ 2014-12-22 19:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

Chris Metcalf <cmetcalf at ezchip dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Chris Metcalf <cmetcalf at ezchip dot com> ---
Fixed in commit 0dacd7a3b94.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug libc/17746] tilegx32: strstr can miss the end of the string
  2014-12-22 19:49 [Bug libc/17746] New: tilegx32: strstr can miss the end of the string cmetcalf at ezchip dot com
  2014-12-22 19:53 ` [Bug libc/17746] " cvs-commit at gcc dot gnu.org
  2014-12-22 19:54 ` cmetcalf at ezchip dot com
@ 2015-01-29 13:22 ` fweimer at redhat dot com
  2015-01-29 14:37 ` cmetcalf at ezchip dot com
  2015-01-29 14:44 ` fweimer at redhat dot com
  4 siblings, 0 replies; 6+ messages in thread
From: fweimer at redhat dot com @ 2015-01-29 13:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Can you clarify the impact of the bug?  Just one results from strstr, or a
crash due to reading past the end of the string, or …?



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug libc/17746] tilegx32: strstr can miss the end of the string
  2014-12-22 19:49 [Bug libc/17746] New: tilegx32: strstr can miss the end of the string cmetcalf at ezchip dot com
                   ` (2 preceding siblings ...)
  2015-01-29 13:22 ` fweimer at redhat dot com
@ 2015-01-29 14:37 ` cmetcalf at ezchip dot com
  2015-01-29 14:44 ` fweimer at redhat dot com
  4 siblings, 0 replies; 6+ messages in thread
From: cmetcalf at ezchip dot com @ 2015-01-29 14:37 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

--- Comment #4 from Chris Metcalf <cmetcalf at ezchip dot com> ---
(In reply to Florian Weimer from comment #3)
> Can you clarify the impact of the bug?  Just one results from strstr, or a
> crash due to reading past the end of the string, or …?

If the "haystack" is near the end of allocated memory, the strstr() can miss
the end of the string and cause a SEGV.  Otherwise, strstr() will run on until
it finds either a match to the needle, or a NUL byte with address p, where (p &
4) == 0, i.e. it ignores half of the possible NUL bytes.



^ permalink raw reply	[flat|nested] 6+ messages in thread
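
An added example, not glibc's code and not written by anyone in this thread: it models the truncation described in the report and in comment #4 on any host by examining only the low 32 bits of a 64-bit byte-compare mask, then shows which NUL positions inside an aligned 8-byte word go unnoticed. The function names, the byte-compare emulation and the little-endian lane order are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for a SIMD "compare each byte to zero": sets 0x01 in
   every byte lane of the result whose lane in w is 0x00. */
static uint64_t byte_eq_zero(uint64_t w)
{
    uint64_t mask = 0;
    for (int b = 0; b < 8; b++)
        if (((w >> (8 * b)) & 0xff) == 0)
            mask |= (uint64_t)1 << (8 * b);
    return mask;
}

/* Models the buggy test: on ILP32 the argument of __builtin_expect() is a
   32-bit long, so only the low 32 bits of the mask are examined. */
static int seen_truncated(uint64_t mask) { return (uint32_t)mask != 0; }

/* Models the fix: compare the full 64-bit mask to zero explicitly. */
static int seen_explicit(uint64_t mask) { return mask != 0; }

/* Put one NUL at each offset 0..7 of an 8-byte aligned word (constructed
   input, little-endian lane order assumed) and return a bitmap of the
   offsets at which the given test fails to notice it. */
static unsigned missed_offsets(int (*test)(uint64_t))
{
    unsigned missed = 0;
    for (int i = 0; i < 8; i++) {
        uint64_t w = 0;
        for (int b = 0; b < 8; b++)
            w |= (uint64_t)(b == i ? 0x00 : 0x41) << (8 * b);
        if (!test(byte_eq_zero(w)))
            missed |= 1u << i;
    }
    return missed;
}

int main(void)
{
    printf("truncated test misses offsets bitmap: 0x%02x\n",
           missed_offsets(seen_truncated));
    printf("explicit test misses offsets bitmap:  0x%02x\n",
           missed_offsets(seen_explicit));
    return 0;
}
```

With an 8-byte aligned base, offsets 4 to 7 are exactly the addresses p with (p & 4) != 0, which is the half of the NUL positions comment #4 says the scan ignores.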

* [Bug libc/17746] tilegx32: strstr can miss the end of the string
  2014-12-22 19:49 [Bug libc/17746] New: tilegx32: strstr can miss the end of the string cmetcalf at ezchip dot com
                   ` (3 preceding siblings ...)
  2015-01-29 14:37 ` cmetcalf at ezchip dot com
@ 2015-01-29 14:44 ` fweimer at redhat dot com
  4 siblings, 0 replies; 6+ messages in thread
From: fweimer at redhat dot com @ 2015-01-29 14:44 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17746

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|security?                   |security+

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Chris Metcalf from comment #4)
> (In reply to Florian Weimer from comment #3)
> > Can you clarify the impact of the bug?  Just one results from strstr, or a
> > crash due to reading past the end of the string, or …?
> 
> If the "haystack" is near the end of allocated memory, the strstr() can miss
> the end of the string and cause a SEGV.  Otherwise, strstr() will run on
> until it finds either a match to the needle, or a NUL byte with address p,
> where (p & 4) == 0, i.e. it ignores half of the possible NUL bytes.

Thanks, based on this information, I flag this as “security” because it could
leak information (by returning a string outside the original haystack), or
crash.  Feel free to remove the flag if you disagree.



^ permalink raw reply	[flat|nested] 6+ messages in thread
