[Bug string/26332] New: Incorrect cache line size load causes memory corruption in memset


[Bug string/26332] New: Incorrect cache line size load causes memory corruption in memset

Sourceware - glibc-bugs mailing list
https://sourceware.org/bugzilla/show_bug.cgi?id=26332

            Bug ID: 26332
           Summary: Incorrect cache line size load causes memory
                    corruption in memset
           Product: glibc
           Version: 2.31
            Status: NEW
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
            Target: powerpc-linux-gnu

Commit 18363b4f010da9ba459b13310b113ac0647c2fcc ("powerpc: Move cache line size
to rtld_global_ro") introduced the __GLRO macro. It has an incorrect +4 addend
on big-endian PowerPC:

#else
/* Position-dependent code does not require access to the GOT.  */
# define __GLRO(rOUT, rGOT, member, offset)                             \
        lis     rOUT,(member+LOWORD)@ha;                                \
        lwz     rOUT,(member+LOWORD)@l(rOUT)
#endif  /* PIC */

This causes sysdeps/powerpc/powerpc32/memset.S to load the wrong variable here:

/* Load rtld_global_ro._dl_cache_line_size.  */
        __GLRO(rCLS, rGOT, _dl_cache_line_size,
               RTLD_GLOBAL_RO_DL_CACHE_LINE_SIZE_OFFSET)

The failure is particularly visible if the variable happens to contain 1
because malloc initialization fails due to a buffer overrun in memset in
tcache_init:

https://sourceware.org/pipermail/libc-alpha/2020-August/116803.html

--
You are receiving this mail because:
You are on the CC list for the bug.
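A simplified model of the two halves of the report, as an added example and not code from glibc or this thread: a big-endian __GLRO with and without the LOWORD addend reading a constructed rtld_global_ro image, followed by a memset loop that counts cache lines by the loaded size while the hardware zeroes a full line per instruction. The dcbz-style loop, the sanity-check bounds and the constructed image are assumptions, not the real sysdeps/powerpc memset.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed big-endian image of two adjacent 32-bit words of
   rtld_global_ro: _dl_cache_line_size = 128 at offset 0, followed by an
   unrelated word that happens to hold 1 (the case the report singles out). */
static const uint8_t glro_image[8] = {0, 0, 0, 128, 0, 0, 0, 1};
#define DL_CACHE_LINE_SIZE_OFFSET 0
#define LOWORD 4  /* offset of the low word of a 64-bit value on big-endian */

static uint32_t load_be32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] << 24 | (uint32_t)p[off + 1] << 16 |
           (uint32_t)p[off + 2] << 8 | (uint32_t)p[off + 3];
}

/* Buggy __GLRO: the +LOWORD addend on a 32-bit member reads the next word. */
uint32_t glro_buggy(size_t member) { return load_be32(glro_image, member + LOWORD); }

/* Fixed __GLRO: load the member itself. */
uint32_t glro_fixed(size_t member) { return load_be32(glro_image, member); }

/* Assumed model of a memset that clears whole cache lines with a dcbz-style
   instruction: the loop aligns and counts lines using the *loaded* size cls,
   but each instruction zeroes hw_line bytes no matter what cls says.
   Returns how many bytes land past the end of the requested [dst, dst+n). */
size_t memset_lines_overrun(size_t dst, size_t n, uint32_t cls, uint32_t hw_line) {
    size_t end = dst + n, overrun = 0;
    size_t p = (dst + cls - 1) & ~(size_t)(cls - 1);  /* masking with cls-1 */
    while (p + cls <= end) {                          /* "whole lines" left */
        size_t line_end = (p & ~(size_t)(hw_line - 1)) + hw_line;
        if (line_end > end && line_end - end > overrun)
            overrun = line_end - end;                 /* wrote past the end */
        p += cls;
    }
    return overrun;
}

/* Defensive check before trusting a loaded line size (bounds are assumed). */
int cache_line_size_is_sane(uint32_t cls) {
    return cls >= 16 && cls <= 4096 && (cls & (cls - 1)) == 0;
}
```

With the misloaded value 1 the alignment mask becomes 0, every byte counts as a "line", and the last zeroing instructions run 56 bytes past a 200-byte buffer on a 128-byte line machine; the correct value stays inside the buffer.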

[Bug string/26332] Incorrect cache line size load causes memory corruption in memset


Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fweimer at redhat dot com
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com

[Bug string/26332] Incorrect cache line size load causes memory corruption in memset

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted:
https://sourceware.org/pipermail/libc-alpha/2020-August/116805.html

[Bug string/26332] Incorrect cache line size load causes memory corruption in memset

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7650321ce037302bfc2f026aa19e0213b8d02fe6

commit 7650321ce037302bfc2f026aa19e0213b8d02fe6
Author: Florian Weimer <[hidden email]>
Date:   Mon Aug 3 18:07:19 2020 +0200

    powerpc: Fix incorrect cache line size load in memset (bug 26332)

    __GLRO loaded the word after the requested variable on big-endian
    PowerPC, where LOWORD is 4.  This can cause the memset implementation
    to go wrong because the masking with the cache line size produces
    wrong results, particularly if the loaded value happens to be 1.

    The __GLRO macro is not used in any place where loading the lower
    32-bit word of a 64-bit value is desired, so the +4 offset is always
    wrong.

    Fixes commit 18363b4f010da9ba459b13310b113ac0647c2fcc
    ("powerpc: Move cache line size to rtld_global_ro") and bug 26332.

    Reviewed-by: Carlos O'Donell <[hidden email]>

[Bug string/26332] Incorrect cache line size load causes memory corruption in memset

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |2.32

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.32.

[Bug string/26332] Incorrect cache line size load causes memory corruption in memset

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Aurelien Jarno
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1c8efe848bf14f62c79f509e756b2d9239b24663

commit 1c8efe848bf14f62c79f509e756b2d9239b24663
Author: Florian Weimer <[hidden email]>
Date:   Mon Aug 3 18:07:19 2020 +0200

    powerpc: Fix incorrect cache line size load in memset (bug 26332)

    __GLRO loaded the word after the requested variable on big-endian
    PowerPC, where LOWORD is 4.  This can cause the memset implementation
    to go wrong because the masking with the cache line size produces
    wrong results, particularly if the loaded value happens to be 1.

    The __GLRO macro is not used in any place where loading the lower
    32-bit word of a 64-bit value is desired, so the +4 offset is always
    wrong.

    Fixes commit 18363b4f010da9ba459b13310b113ac0647c2fcc
    ("powerpc: Move cache line size to rtld_global_ro") and bug 26332.

    Reviewed-by: Carlos O'Donell <[hidden email]>

    (cherry picked from commit 7650321ce037302bfc2f026aa19e0213b8d02fe6)