From: "slomo at coaxion dot net"
To: glibc-bugs@sourceware.org
Subject: [Bug string/31509] New: Invalid read in __wcpncpy_avx2() via wcsxfrm()
Date: Tue, 19 Mar 2024 11:05:46 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31509

            Bug ID: 31509
           Summary: Invalid read in __wcpncpy_avx2() via wcsxfrm()
           Product: glibc
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: slomo at coaxion dot net
  Target Milestone: ---

The following code reliably results in invalid reads when running under
valgrind. This is with glibc 2.38 from Fedora 39.
Whether an invalid read happens or not seems to depend on the alignment of
the input buffer or something else that I couldn't figure out completely
yet. In the code below it always happens on the last call, i.e. with the
second malloc'd buffer.

It seems like __wcpncpy_avx2() wrongly assumes under certain conditions that
at least 32 bytes (i.e. one AVX register) of input data is available.

--------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

int main(void) {
  /* Source string on the stack: three characters plus the terminator. */
  const wchar_t in[] = {L'a', L'b', L'c', 0};
  wchar_t out[3+1] = {0, };

  printf("%p %p\n", (void *)in, (void *)out);
  size_t res = wcsxfrm(out, in, 3);
  printf("%zu\n", res);

  /* The same string copied into a heap block of exactly 16 bytes. */
  wchar_t *in2 = malloc(sizeof(wchar_t) * 4);
  memcpy(in2, in, sizeof(in));
  printf("%p %p\n", (void *)in2, (void *)out);
  res = wcsxfrm(out, in2, 3);
  printf("%zu\n", res);
  free(in2);

  /* A second 16-byte heap block; this is the call valgrind complains about. */
  wchar_t *in3 = malloc(sizeof(wchar_t) * 4);
  memcpy(in3, in, sizeof(in));
  printf("%p %p\n", (void *)in3, (void *)out);
  res = wcsxfrm(out, in3, 3);
  printf("%zu\n", res);
  free(in3);
}
--------

==139735== Memcheck, a memory error detector
==139735== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==139735== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==139735== Command: ./test
==139735==
0x1fff000330 0x1fff000320
3
0x4a5c480 0x1fff000320
3
0x4a5c4d0 0x1fff000320
==139735== Invalid read of size 32
==139735==    at 0x49DAA2E: __wcpncpy_avx2 (strncpy-avx2.S:85)
==139735==    by 0x493C560: wcsxfrm_l (strxfrm_l.c:679)
==139735==    by 0x4012A1: main (in /home/slomo/tmp/test/test)
==139735==  Address 0x4a5c4d0 is 0 bytes inside a block of size 16 alloc'd
==139735==    at 0x484280F: malloc (vg_replace_malloc.c:442)
==139735==    by 0x401258: main (in /home/slomo/tmp/test/test)
==139735==
3
==139735==
==139735== HEAP SUMMARY:
==139735==     in use at exit: 0 bytes in 0 blocks
==139735==   total heap usage: 3 allocs, 3 frees, 1,056 bytes allocated
==139735==
==139735== All heap blocks were freed -- no leaks are possible
==139735==
==139735== For lists of detected and suppressed errors, rerun with: -s
==139735== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
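Added example, not part of the bug report and not glibc code: valgrind flags the 32-byte load because it runs past the 16-byte malloc'd block, but that alone does not say whether the same load can also run past the end of a mapped page, which is the case that turns an over-read into a crash or a read of memory the kernel meant to keep unreachable. The program below places the same L"abc" string at the very end of a page that is followed by an inaccessible guard page and calls wcsxfrm(out, src, n) the way the report does; a SIGSEGV is caught with sigsetjmp/siglongjmp and reported as a fault, so every probe returns a result instead of killing the process. It assumes a POSIX system with mmap/mprotect (the report is from Linux) and the default C locale, in which glibc's wcsxfrm reduces to a bounded copy of the source (the backtrace above shows wcsxfrm_l calling __wcpncpy_avx2). The names probe_wcsxfrm_at_page_end, map_guarded_page and the probe_result codes are mine. One detail of the log that the example does not depend on: the block at 0x4a5c480 is 32-byte aligned and is not reported, the block at 0x4a5c4d0 is not aligned and is, which matches valgrind's default --partial-loads-ok=yes, which tolerates naturally aligned 256-bit loads that are only partly addressable.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <wchar.h>

/* Outcome of one probe (these codes are this example's own, not glibc's). */
enum probe_result {
    PROBE_OK = 0,    /* wcsxfrm() returned 3 and, for n >= 4, copied "abc" */
    PROBE_FAULT = 1, /* SIGSEGV: a read touched the PROT_NONE guard page */
    PROBE_WRONG = 2, /* no fault, but not the result the C locale must give */
    PROBE_SETUP = 3  /* mmap/mprotect failed or the offset does not fit a page */
};

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Map two pages and make the second one inaccessible, so that any read past
   the end of the first page faults instead of silently succeeding. */
static unsigned char *map_guarded_page(size_t *page_size)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0)
        return NULL;
    unsigned char *p = mmap(NULL, 2 * (size_t)ps, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p + ps, (size_t)ps, PROT_NONE) != 0) {
        munmap(p, 2 * (size_t)ps);
        return NULL;
    }
    *page_size = (size_t)ps;
    return p;
}

/* Place L"abc" (16 bytes including its terminator) so that it ends `slack`
   wide characters before the guard page, then call wcsxfrm(out, src, n).
   slack == 0 puts the terminator in the last 4 bytes of the page: an
   unconditional 32-byte load from src would cross into the guard page and
   fault, while an implementation that checks for page crossing will not. */
static enum probe_result probe_wcsxfrm_at_page_end(size_t slack, size_t n)
{
    static const wchar_t in[] = {L'a', L'b', L'c', 0}; /* constructed input */
    size_t ps = 0;
    unsigned char *page = map_guarded_page(&ps);
    if (page == NULL)
        return PROBE_SETUP;
    if ((slack + 4) * sizeof(wchar_t) > ps) {
        munmap(page, 2 * ps);
        return PROBE_SETUP;
    }
    wchar_t *src = (wchar_t *)(page + ps - (slack + 4) * sizeof(wchar_t));
    memcpy(src, in, sizeof in);

    wchar_t out[4] = {0, 0, 0, 0};
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    enum probe_result r;
    if (sigsetjmp(fault_env, 1) == 0) {
        size_t len = wcsxfrm(out, src, n);
        /* The return value is the length of the transformed string, 3 here.
           With n >= 4 the whole string fits and the copy must equal the input;
           with a smaller n the C standard leaves the array contents unspecified. */
        if (len == 3 && (n < 4 || wmemcmp(out, in, 4) == 0))
            r = PROBE_OK;
        else
            r = PROBE_WRONG;
    } else {
        r = PROBE_FAULT;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, 2 * ps);
    return r;
}

int main(void)
{
    static const char *names[] = {"ok", "FAULT (read crossed the page)",
                                  "wrong result", "setup failed"};
    /* Walk the string back from the page end one wide character at a time. */
    for (size_t slack = 0; slack < 8; slack++)
        printf("slack=%zu n=3: %s\n", slack,
               names[probe_wcsxfrm_at_page_end(slack, 3)]);
    return 0;
}
```

If any probe prints FAULT, the implementation really does read across the page boundary and the problem is more than a valgrind report. If every slack value prints ok, the over-read stays inside the page and is invisible to the hardware, which is also what the addresses in the log above describe (0x4a5c4d0 plus 32 bytes does not reach a page boundary); whether that is acceptable is then a question for the libc's own contract with tools like valgrind rather than a memory-safety violation at the process level.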