[Bug stdio/22703] New: sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)


[Bug stdio/22703] New: sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)

cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22703

            Bug ID: 22703
           Summary: sprintf "%ls": uninitialized memory access because of
                    using SSE 4.1 (__wcsnlen_sse4_1)
           Product: glibc
           Version: 2.26
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: faragon.github at gmail dot com
  Target Milestone: ---

The uninitialized memory access comes from the internal function
__wcsnlen_sse4_1 (using SSE 4.1 on x86_64), both with and without optimizations
(-O0/-O3). I've found it with a Valgrind test that reported an error after
updating the build machine from Ubuntu 16.04 to Ubuntu 17.10 (GCC 7.2.0, ldd
--version shows "Ubuntu GLIBC 2.26-0ubuntu2"). Actual behavior seems "right",
but because of Valgrind reporting conditional behavior based on uninitialized
memory, I've set the severity to critical.

Valgrind output:

$ uname -a
Linux luna 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux

$ gcc -O0 -ggdb sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22373== Conditional jump or move depends on uninitialised value(s)
==22373==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22373==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22373==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22373==    by 0x4EB513D: vsprintf (iovsprintf.c:42)
==22373==    by 0x4E98FA3: sprintf (sprintf.c:32)
==22373==    by 0x108833: main (sprintf_bug.c:13)
==22373==  Uninitialised value was created by a heap allocation
==22373==    at 0x4C2FB0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22373==    by 0x1087ED: main (sprintf_bug.c:9)
(...)

$ gcc -O3 sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22707== Conditional jump or move depends on uninitialised value(s)
==22707==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22707==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22707==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22707==    by 0x4F60A8A: __vsprintf_chk (vsprintf_chk.c:82)
==22707==    by 0x4F609B9: __sprintf_chk (sprintf_chk.c:31)
==22707==    by 0x108757: main (in /r0/done/repos/mlibsrt/a.out)
(...)


Source code for reproducing the bug:

$ cat sprintf_bug.c

#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <wchar.h>

int main()
{
        char tmp[4096];
        wchar_t *hello_bug = (wchar_t *)malloc(sizeof(wchar_t) * 4096);
        if (!hello_bug)
                return 1;
        wcscpy(hello_bug, L"Hello bug!");
        sprintf(tmp, "%ls", hello_bug);  /* <-- Valgrind blames this */
        printf("%s\n", tmp);
        free(hello_bug);
        return 0;
}

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/22703] sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)

cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22703

--- Comment #1 from Andreas Schwab <[hidden email]> ---
This is most likely a false positive, since __wcsnlen_sse4_1 knows it can read
past the bounds of the string as long as it stays on the page.

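The point Andreas makes above, that an aligned vector load may run past the terminator as long as it never crosses a page, is easy to see in plain C. The following is an added example written for this thread, not code from the bug report or from glibc: a `wcsnlen` that scans 16-byte aligned chunks the way the SSE 4.1 routine does, plus the page invariant that makes the over-read safe from the MMU's point of view. The names `chunk_wcsnlen`, `chunk_stays_in_page` and `demo_heap_overread`, the 4096-byte page size and the 16-byte chunk width are assumptions of this example. Run under `valgrind --tool=memcheck`, `demo_heap_overread` produces the same "Conditional jump or move depends on uninitialised value(s)" report as the reporter's `sprintf` test, because the bytes after the NUL in the last chunk were never written; they never influence the returned length, which is why the report is a false positive rather than a real defect.

```c
/* Added example for glibc bug 22703: chunked wcsnlen mirroring the
 * over-read pattern of __wcsnlen_sse4_1.  Names and sizes below are
 * assumptions, not glibc's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define CHUNK 16u    /* bytes per aligned load (one XMM register) */
#define PAGE  4096u  /* assumed page size on x86_64 */

/* An aligned CHUNK-byte load starting at (or before) p can never straddle
 * a page boundary: it begins at a multiple of CHUNK and PAGE is itself a
 * multiple of CHUNK, so the whole load stays on the page that holds the
 * string.  That is why the over-read cannot fault, only trip Memcheck. */
int chunk_stays_in_page(uintptr_t p)
{
    uintptr_t start = p & ~(uintptr_t)(CHUNK - 1);
    return (start % PAGE) + CHUNK <= PAGE;
}

/* Length of s in wchar_t up to the first NUL, capped at maxlen, reading
 * whole aligned chunks.  The memcpy of the chunk stands in for the vector
 * load; bytes before s in the first chunk and after the NUL in the last
 * chunk are read but never affect the result. */
size_t chunk_wcsnlen(const wchar_t *s, size_t maxlen)
{
    uintptr_t addr = (uintptr_t)s;
    uintptr_t chunk_start = addr & ~(uintptr_t)(CHUNK - 1);
    size_t skip = (size_t)(addr - chunk_start); /* bytes before s in chunk */
    size_t n = 0;

    for (;;) {
        unsigned char buf[CHUNK];
        if (!chunk_stays_in_page(chunk_start))
            abort(); /* unreachable by construction, see above */
        memcpy(buf, (const void *)chunk_start, CHUNK);
        for (size_t off = skip; off + sizeof(wchar_t) <= CHUNK;
             off += sizeof(wchar_t)) {
            wchar_t c;
            if (n == maxlen)
                return n;
            memcpy(&c, buf + off, sizeof c);
            if (c == L'\0')
                return n;
            n++;
        }
        skip = 0;
        chunk_start += CHUNK;
    }
}

/* Same shape as the reporter's test: a large heap block of which only the
 * first few wchar_t are written.  Returns the measured length (10). */
size_t demo_heap_overread(void)
{
    wchar_t *hello = malloc(sizeof(wchar_t) * 4096);
    if (!hello)
        return (size_t)-1;
    wcscpy(hello, L"Hello bug!");          /* constructed sample input */
    size_t len = chunk_wcsnlen(hello, 4096);
    free(hello);
    return len;
}

int main(void)
{
    printf("length = %zu\n", demo_heap_overread());
    return 0;
}
```

The abort() check is there to make the invariant explicit and testable; it never fires, because an aligned 16-byte load that begins on a page ends on that page. What the example does not do is make the over-read legal C: reading outside the object is undefined behaviour in the abstract machine, which is one reason glibc implements these routines in assembly and Memcheck, which tracks definedness at byte granularity rather than page granularity, has no way to tell this deliberate pattern from a genuine bug without a suppression.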

[Bug stdio/22703] sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)

cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22703

--- Comment #2 from faragon.github at gmail dot com ---
So maybe it is then a regression/bug in Valgrind? They had bugs on this years
ago (2009), but they were fixed:

https://bugzilla.redhat.com/show_bug.cgi?id=518247


[Bug stdio/22703] sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)

cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22703

--- Comment #3 from faragon.github at gmail dot com ---
I've opened a bug in Valgrind (not confirmed yet if it is a problem of glibc or
Valgrind):

https://bugs.kde.org/show_bug.cgi?id=388862


[Bug stdio/22703] sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)

cvs-commit at gcc dot gnu.org
https://sourceware.org/bugzilla/show_bug.cgi?id=22703

faragon.github at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |normal
