[Bug string/22603] New: ia64 memchr overflows internal pointer check


[Bug string/22603] New: ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

            Bug ID: 22603
           Summary: ia64 memchr overflows internal pointer check
           Product: glibc
           Version: 2.25
            Status: NEW
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: adhemerval.zanella at linaro dot org
  Target Milestone: ---

Similar to BZ#20791 and BZ#21014, IA64 memchr pointer manipulation overflows
when a large size is used. It is shown in the rawmemchr tests (now that rawmemchr
is implemented by calling memchr/strlen):

stratcliff:

rawmemchr flunked for outer = 16376, middle = 16376
rawmemchr flunked for outer = 16376, middle = 16377
rawmemchr flunked for outer = 16376, middle = 16378
[...]

test-rawmemchr:

/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 668 -
wrong result in function rawmemchr (14, 130, 498, 491) (nil) !=
0x20000000002ebff9, p 0x20000000002ebe00
/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 968 -
wrong result in function rawmemchr (12, 201, 494, 485) (nil) !=
0x20000000002ebff1, p 0x20000000002ebe00
/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 1112 -
wrong result in function rawmemchr (7, 42, 504, 503) (nil) !=
0x20000000002ebffe, p 0x20000000002ebe00
/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 2412 -
wrong result in function rawmemchr (0, 21, 510, 509) (nil) !=
0x20000000002ebffd, p 0x20000000002ebe00
/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 2647 -
wrong result in function rawmemchr (15, 129, 486, 483) (nil) !=
0x20000000002ebff2, p 0x20000000002ebe00
/home/azanella/glibc/glibc-git-build/string/test-rawmemchr: Iteration 3135 -
wrong result in function rawmemchr (6, 171, 504, 496) (nil) !=
0x20000000002ebff6, p 0x20000000002ebe00
[...]

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |adhemerval.zanella at linaro dot org
   Target Milestone|---                         |2.27


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
I'm flagging this as security- because I think it needs passing of an invalid
object size to memchr.


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
It's not invalid to pass such a size if you know the character is there -
C11 says "The implementation shall behave as if it reads the characters
sequentially and stops as soon as a matching character is found." - but
it's certainly unusual for code to use such sizes.


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

--- Comment #3 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Unfortunately, with the current generic rawmemchr implementation it is not that
unusual for code to use such sizes (although rawmemchr is still not widely
used).


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3bb1ef58b989012f8199b82af6ec136da2f9fda3 (commit)
       via  554e3d51efdd7d15c15876b80a7cba3ad9b6a738 (commit)
      from  cba595c350e52194e10c0006732e1991e3d0803b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3bb1ef58b989012f8199b82af6ec136da2f9fda3

commit 3bb1ef58b989012f8199b82af6ec136da2f9fda3
Author: Adhemerval Zanella <[hidden email]>
Date:   Thu Dec 14 09:05:46 2017 -0200

    ia64: Fix memchr for large input sizes (BZ #22603)

    The current optimized ia64 memchr uses a strategy to check for the last
    address by adding the expected size to the input one.  However, it does
    not take care of possible overflow.

    It was triggered by 3038145ca23 where default rawmemchr now uses memchr
    (p, c, (size_t)-1).

    This patch fixes it by implementing a saturated addition where an
    overflow sets the maximum pointer size to UINTPTR_MAX.

    Checked on ia64-linux-gnu where it fixes both stratcliff and
    test-rawmemchr failures.

        Adhemerval Zanella  <[hidden email]>
        James Clarke <[hidden email]>

        [BZ #22603]
        * sysdeps/ia64/memchr.S (__memchr): Avoid overflow in pointer
        addition.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=554e3d51efdd7d15c15876b80a7cba3ad9b6a738

commit 554e3d51efdd7d15c15876b80a7cba3ad9b6a738
Author: Adhemerval Zanella <[hidden email]>
Date:   Thu Dec 14 10:07:44 2017 -0200

    sh: Fix clone exit return code (BZ #22605)

    Since 3f823e87cc (Call exit directly in clone (BZ #21512)) the SH clone
    implementation fails to set the exit code, resulting in the failures:

    FAIL: nptl/tst-align-clone
    FAIL: nptl/tst-getpid1

    This patch fixes both testcases.

        [BZ #22605]
        * sysdeps/unix/sysv/linux/sh/clone.S (__clone): Fix exit return
        code.

    Signed-off-by: Adhemerval Zanella <[hidden email]>

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                          |   13 +++++++++++++
 sysdeps/ia64/memchr.S              |    4 ++++
 sysdeps/unix/sysv/linux/sh/clone.S |    1 +
 3 files changed, 18 insertions(+), 0 deletions(-)
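The two points this thread turns on, the end-address overflow described in the commit message and the C11 "reads sequentially and stops as soon as a matching character is found" semantics Joseph cites in comment #2, can be shown in portable C. The block below is an added example, not glibc code and not the ia64 assembly in sysdeps/ia64/memchr.S: a reference memchr that takes its end-address computation as a parameter, so the naive wrapping `start + len` can be compared against a saturating version that clamps to UINTPTR_MAX. The helper names (`end_addr_naive`, `end_addr_saturated`, `memchr_with_end`) and the sample buffer are constructed for the demonstration, and the overflow is modelled in `uintptr_t` arithmetic because forming an out-of-range pointer is itself undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not glibc code. Hypothetical helpers that compute the
   one-past-the-end address of the range [start, start + len). */

/* Naive form: the unsigned addition silently wraps when len is close to
   SIZE_MAX, which is the defect the ia64 memchr fix addresses. */
static uintptr_t end_addr_naive(const void *start, size_t len)
{
    return (uintptr_t)start + len;
}

/* Saturating form: if start + len would exceed the address space, clamp the
   end to UINTPTR_MAX so that "p < end" stays true for every reachable byte. */
static uintptr_t end_addr_saturated(const void *start, size_t len)
{
    uintptr_t s = (uintptr_t)start;
    if (len > UINTPTR_MAX - s)      /* s + len would overflow */
        return UINTPTR_MAX;
    return s + len;
}

/* Reference memchr parameterised on the end computation. The scan is
   bytewise and stops at the first match, which is the C11 "as if it reads
   the characters sequentially" behaviour that makes memchr(p, c, SIZE_MAX)
   legal when the caller knows c is present. Addresses are compared as
   integers so the wrap-around can be shown without pointer overflow UB. */
static void *memchr_with_end(const void *s, int c, size_t n,
                             uintptr_t (*end_fn)(const void *, size_t))
{
    const unsigned char *p = s;
    uintptr_t end = end_fn(s, n);

    while ((uintptr_t)p < end) {
        if (*p == (unsigned char)c)
            return (void *)p;
        p++;
    }
    return NULL;
}

/* Constructed sample input: the match is at offset 4 ("glibc"), a NUL sits
   at offset 5, and "memchr" follows so a bounded search has work to do. */
static const char sample[] = "glibc\0memchr";

/* rawmemchr-style call with (size_t)-1 and the wrapping end address: the
   end lands just below the start, the loop never runs and NULL comes back,
   matching the "(nil) !=" lines in the test-rawmemchr output above.
   Returns 1 when that failure reproduces. */
int rawmemchr_naive_returns_null(void)
{
    return memchr_with_end(sample, 'c', (size_t)-1, end_addr_naive) == NULL;
}

/* Same call with the saturating end address: the scan reaches offset 4. */
long rawmemchr_saturated_offset(void)
{
    const char *r = memchr_with_end(sample, 'c', (size_t)-1, end_addr_saturated);
    return r ? (long)(r - sample) : -1;
}

/* Ordinary bounded search: both end computations agree when no overflow
   occurs, and the scan runs past the embedded NUL to find 'm' at offset 6.
   Returns -2 if the two variants disagree. */
long bounded_search_offset(void)
{
    const char *a = memchr_with_end(sample, 'm', sizeof sample, end_addr_naive);
    const char *b = memchr_with_end(sample, 'm', sizeof sample, end_addr_saturated);
    if (a != b)
        return -2;
    return a ? (long)(a - sample) : -1;
}

int main(void)
{
    printf("naive end with (size_t)-1 returns NULL: %d\n", rawmemchr_naive_returns_null());
    printf("saturated end finds 'c' at offset %ld\n", rawmemchr_saturated_offset());
    printf("bounded search finds 'm' at offset %ld\n", bounded_search_offset());
    return 0;
}
```

The saturating check `len > UINTPTR_MAX - s` is the portable way to ask "would s + len wrap?" without performing the wrapping addition first; an implementation that tests the sum after the fact has already lost the information. Note that the demonstration assumes `uintptr_t` and `size_t` have the same width, as they do on LP64 Linux.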


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed by 3bb1ef58b989012f8199b82af6ec136da2f9fda3.


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  268bd5f053204b80e771169e55b45704c04d77ad (commit)
      from  989f59db3940ab4b76176af9a62b6980eafb7a22 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=268bd5f053204b80e771169e55b45704c04d77ad

commit 268bd5f053204b80e771169e55b45704c04d77ad
Author: Adhemerval Zanella <[hidden email]>
Date:   Thu Dec 14 09:05:46 2017 -0200

    ia64: Fix memchr for large input sizes (BZ #22603)

    The current optimized ia64 memchr uses a strategy to check for the last
    address by adding the expected size to the input one.  However, it does
    not take care of possible overflow.

    It was triggered by 3038145ca23 where default rawmemchr now uses memchr
    (p, c, (size_t)-1).

    This patch fixes it by implementing a saturated addition where an
    overflow sets the maximum pointer size to UINTPTR_MAX.

    Checked on ia64-linux-gnu where it fixes both stratcliff and
    test-rawmemchr failures.

        Adhemerval Zanella  <[hidden email]>
        James Clarke <[hidden email]>

        [BZ #22603]
        * sysdeps/ia64/memchr.S (__memchr): Avoid overflow in pointer
        addition.

    (cherry picked from commit 3bb1ef58b989012f8199b82af6ec136da2f9fda3)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog             |    7 +++++++
 sysdeps/ia64/memchr.S |    4 ++++
 2 files changed, 11 insertions(+), 0 deletions(-)


[Bug string/22603] ia64 memchr overflows internal pointer check

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22603

Jeremi <jeremip11 at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeremip11 at gmail dot com
