public inbox for glibc-bugs@sourceware.org
* [Bug string/27960] New: Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-07 17:17 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27960
Bug ID: 27960
Summary: Memset-vec-unaligned-erms.S has a potential overflow
bug.
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: goldstein.w.n at gmail dot com
Target Milestone: ---
In Commit:
author Noah Goldstein <goldstein.w.n@gmail.com>
Thu, 20 May 2021 17:13:51 +0000 (13:13 -0400)
commit 6abf27980a947f9b6e514d6b33b83059d39566ae
The loop bound calculation was changed to essentially the following pseudo
code:
    void * end = dst + length;
    while(dst < end) {
        // Copy Bytes
    }
This can potentially be an issue because, if length + dst overflows, end will be
less than dst and the loop will exit on the first iteration.
So for example under certain conditions memset(ptr, c, SIZE_MAX) would not
throw a Segmentation Fault.
An example can be found here: https://godbolt.org/z/K1hE5cKvf
Some things worth noting.
1) This bug is also present in nearly all wcsmbs string/memory function
implementations on x86_64 because they almost always execute `salq $2, %rdx` to
adjust length, which would cause overflow if the input is above 2 ^
(sizeof(size_t) - 2).
2) This bug only affects CPUs without ERMS as any value that will cause
overflow is also surely greater than __x86_rep_stosb_threshold.
--
You are receiving this mail because:
You are on the CC list for the bug.
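
Added example (not part of the original report or of glibc's code): a C model of
the end-pointer loop bound and the `salq $2` length scaling described in the
message above, done on integer values because the same arithmetic on real
pointers is undefined behaviour. The function names, the 32-byte store width and
the sample address are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models `end = dst + length` on integers, where wraparound is well defined.
   Returns 1 when the computed end lands below dst. */
static int end_wraps(uintptr_t dst, size_t length)
{
    uintptr_t end = dst + (uintptr_t)length;   /* modular arithmetic */
    return end < dst;
}

/* Number of `step`-byte stores a `while (dst < end)` loop performs. */
static size_t stores_end_pointer_loop(uintptr_t dst, size_t length, size_t step)
{
    uintptr_t end = dst + (uintptr_t)length;
    if (!(dst < end))
        return 0;                              /* condition false on entry */
    return (size_t)((end - dst - 1) / step + 1);
}

/* Models `salq $2, %rdx`: a 64-bit element count scaled to bytes for a
   4-byte wchar_t. Returns 1 when the shift discards high bits. */
static int wide_len_scale_wraps(uint64_t count)
{
    uint64_t bytes = count << 2;
    return (bytes >> 2) != count;
}

int main(void)
{
    uintptr_t dst = (uintptr_t)0x10000;        /* constructed address */

    printf("length=256      wraps=%d stores=%zu\n",
           end_wraps(dst, 256), stores_end_pointer_loop(dst, 256, 32));
    printf("length=SIZE_MAX wraps=%d stores=%zu\n",
           end_wraps(dst, SIZE_MAX), stores_end_pointer_loop(dst, SIZE_MAX, 32));
    printf("count=2^62      scale wraps=%d\n",
           wide_len_scale_wraps((uint64_t)1 << 62));
    return 0;
}
```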
* [Bug string/27960] Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-07 17:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27960
Noah Goldstein <goldstein.w.n at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |x86_64
                 CC|                            |goldstein.w.n at gmail dot com
* [Bug string/27960] Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-09 22:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27960
Noah Goldstein <goldstein.w.n at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |NOTABUG
--- Comment #1 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
This is not a bug. Passing a length that would cause overflow is undefined
behavior.
https://marc.info/?l=glibc-alpha&m=162308797213313&w=2