
Bug#389084: marked as done (libc6: nasty bug in xdrmem_setpos(): signed comparison op is used for the pointers)



Your message dated Fri, 16 Feb 2007 10:02:07 +0000
with message-id <E1HHzup-00030T-8Y@ries.debian.org>
and subject line Bug#389084: fixed in glibc 2.3.6.ds1-12
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libc6
Version: 2.3.6.ds1-4
Severity: normal
Tags: patch


We've found a nasty bug in the xdrmem_setpos() function.
The issue is caused by the casts (char*) -> (long) and the signed comparison
afterwards, which causes xdrmem_setpos() to fail completely unexpectedly
if the mem buffer starts a little bit below the 2Gb point and ends a little bit
above (that's where the sign of a 32-bit int flips).

The proposed patch is somewhat trivial:


--- xdr_mem.c.orig	2002-12-16 05:25:27.000000000 -0500
+++ xdr_mem.c	2006-09-23 13:39:01.000000000 -0400
@@ -171,19 +171,21 @@
  * xdrs modified
  */
 static bool_t
-xdrmem_setpos (xdrs, pos)
-     XDR *xdrs;
-     u_int pos;
+xdrmem_setpos (XDR *xdrs, u_int pos)
 {
   caddr_t newaddr = xdrs->x_base + pos;
   caddr_t lastaddr = xdrs->x_private + xdrs->x_handy;
+  size_t dist = 0;
 
-  if ((long) newaddr > (long) lastaddr
-      || (UINT_MAX < LONG_MAX
-	  && (long) UINT_MAX < (long) lastaddr - (long) newaddr))
+  if ( newaddr > lastaddr )
     return FALSE;
+
+  dist = lastaddr - newaddr;
+  if ( (u_int)dist != dist )
+    return FALSE;
+
   xdrs->x_private = newaddr;
-  xdrs->x_handy = (long) lastaddr - (long) newaddr;
+  xdrs->x_handy = (u_int)dist;
   return TRUE;
 }
 
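Review bot: the first condition still misses the case where `xdrs->x_base + pos` wraps: with a large `pos`, `newaddr` can land below `x_base` and therefore also below `lastaddr`, so the function returns TRUE and sets `x_private` to an address outside the buffer, the same gap the original code had. Suggest `if (newaddr > lastaddr || newaddr < xdrs->x_base)`. The `(u_int)dist != dist` test is a correct replacement for the removed `UINT_MAX < LONG_MAX` clause, but it is a no-op wherever `size_t` and `u_int` have the same width, which deserves a one-line comment so nobody later removes it as dead code. Rewriting the K&R definition as a prototype in the same hunk is unrelated churn for a backport candidate; keep the diff to the comparison.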
___

I have not recompiled the whole libc locally, just this file, and
I've compared disasm dumps of the original and patched versions of the
function:


--- disass.orig	2006-09-23 13:54:10.000000000 -0400
+++ disass.patched	2006-09-23 13:53:20.000000000 -0400
@@ -12,7 +12,7 @@
 0x00000075 <xdrmem_setpos+21>:  add    %esi,%eax
 0x00000077 <xdrmem_setpos+23>:  xor    %esi,%esi
 0x00000079 <xdrmem_setpos+25>:  cmp    %eax,%edx
-0x0000007b <xdrmem_setpos+27>:  jg     0x8a <xdrmem_setpos+42>
+0x0000007b <xdrmem_setpos+27>:  ja     0x8a <xdrmem_setpos+42>
 0x0000007d <xdrmem_setpos+29>:  sub    %edx,%eax
 0x0000007f <xdrmem_setpos+31>:  mov    $0x1,%esi
 0x00000084 <xdrmem_setpos+36>:  mov    %edx,0xc(%ecx)
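Review bot: this dump only demonstrates the `jg` to `ja` change in the first comparison; on the reporter's i386 build `size_t` and `u_int` are both 32 bits wide, so the added `(u_int)dist != dist` check folds away and is invisible here. The hunk therefore says nothing about how the patch behaves on an LP64 target, where that check is the one doing real work, so an amd64 build should be compared as well before calling the change equivalent to a one-instruction swap.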

As you can see, the only result of the changes is the type of the cmp op:
signed (jg) -> unsigned (ja).

We believe that all the distros are affected by this (the file has not been
touched for three years or so), so the patch probably has to be pushed
upstream asap. In particular this hurts our production (various versions
of RHEL), and it hurts a lot...

100% of the credit for finding this goes to Konstantine Smaguine.
I've just prepared the patch and sent the report to (hopefully) the right people.

Thank you,
	Nick Orlov.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-rc6-mm1-8.swp
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages libc6 depends on:
ii  tzdata                        2006l-1    Time Zone and Daylight Saving Time

libc6 recommends no packages.

-- debconf-show failed


--- End Message ---
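The failure described in the report above, as an added C model that is not part of the bug report or of glibc: addresses are held as 32-bit unsigned integers rather than real pointers so the i386 case (32-bit pointers, 32-bit long) can be reproduced on any host. `setpos_signed` mirrors the original signed comparison, `setpos_unsigned` the patched unsigned one; the `newaddr < x_base` wrap guard, the `demo` helper and the `xdr_model` struct are this example's own assumptions, and the buffer addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef int bool_t;
#define TRUE  1
#define FALSE 0

/* Hypothetical model of the xdr_mem stream state.  Addresses are held
 * as uint32_t instead of real pointers so that the i386 case from the
 * report (32-bit pointers, 32-bit long) can be reproduced on any host. */
struct xdr_model {
    uint32_t x_base;     /* start of the memory buffer */
    uint32_t x_private;  /* current read/write position */
    uint32_t x_handy;    /* bytes left between x_private and the end */
};

/* The original check: both addresses cast to a signed 32-bit long and
 * compared as signed values (assumes gcc's two's-complement conversion
 * of out-of-range values, which is what the i386 build does). */
bool_t setpos_signed(struct xdr_model *x, uint32_t pos)
{
    uint32_t newaddr  = x->x_base + pos;
    uint32_t lastaddr = x->x_private + x->x_handy;

    if ((int32_t) newaddr > (int32_t) lastaddr)   /* 'jg' in the dump */
        return FALSE;
    x->x_private = newaddr;
    x->x_handy   = lastaddr - newaddr;
    return TRUE;
}

/* The patched check: unsigned comparison ('ja'), plus a guard against
 * x_base + pos wrapping around to an address below x_base.  The wrap
 * guard is this example's addition, not part of the reporter's patch. */
bool_t setpos_unsigned(struct xdr_model *x, uint32_t pos)
{
    uint32_t newaddr  = x->x_base + pos;
    uint32_t lastaddr = x->x_private + x->x_handy;

    if (newaddr > lastaddr || newaddr < x->x_base)
        return FALSE;
    x->x_private = newaddr;
    x->x_handy   = lastaddr - newaddr;
    return TRUE;
}

/* Build a fresh stream over [base, base+len) positioned at offset 0 and
 * apply one setpos.  Returns the resulting x_handy, or -1 on FALSE. */
int64_t demo(bool_t (*setpos)(struct xdr_model *, uint32_t),
             uint32_t base, uint32_t len, uint32_t pos)
{
    struct xdr_model x = { base, base, len };
    if (!setpos(&x, pos))
        return -1;
    return (int64_t) x.x_handy;
}

int main(void)
{
    /* Constructed case from the report: a 64-byte buffer at 0x7fffffe0
     * straddles the 2 GiB boundary.  Seeking to offset 16 gives newaddr
     * 0x7ffffff0 (positive as int32) and lastaddr 0x80000020 (negative
     * as int32), so the signed compare wrongly rejects an in-range seek. */
    printf("signed   straddle: handy=%lld\n",
           (long long) demo(setpos_signed,   0x7fffffe0u, 64u, 16u));
    printf("unsigned straddle: handy=%lld\n",
           (long long) demo(setpos_unsigned, 0x7fffffe0u, 64u, 16u));
    /* Constructed wrap case: pos is large enough that x_base + pos wraps
     * below x_base; only the extra guard catches it. */
    printf("unsigned wrap:     handy=%lld\n",
           (long long) demo(setpos_unsigned, 0xbfffff00u, 64u, 0x50000000u));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the signed variant reports -1 for the straddling buffer while the unsigned one reports 48 bytes remaining, and the wrap case is rejected only because of the added lower-bound guard.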
--- Begin Message ---
Source: glibc
Source-Version: 2.3.6.ds1-12

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive:

glibc-doc_2.3.6.ds1-12_all.deb
  to pool/main/g/glibc/glibc-doc_2.3.6.ds1-12_all.deb
glibc_2.3.6.ds1-12.diff.gz
  to pool/main/g/glibc/glibc_2.3.6.ds1-12.diff.gz
glibc_2.3.6.ds1-12.dsc
  to pool/main/g/glibc/glibc_2.3.6.ds1-12.dsc
libc6-dbg_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-dbg_2.3.6.ds1-12_amd64.deb
libc6-dev-i386_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-dev-i386_2.3.6.ds1-12_amd64.deb
libc6-dev_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-dev_2.3.6.ds1-12_amd64.deb
libc6-i386_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-i386_2.3.6.ds1-12_amd64.deb
libc6-pic_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-pic_2.3.6.ds1-12_amd64.deb
libc6-prof_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6-prof_2.3.6.ds1-12_amd64.deb
libc6-udeb_2.3.6.ds1-12_amd64.udeb
  to pool/main/g/glibc/libc6-udeb_2.3.6.ds1-12_amd64.udeb
libc6_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/libc6_2.3.6.ds1-12_amd64.deb
libnss-dns-udeb_2.3.6.ds1-12_amd64.udeb
  to pool/main/g/glibc/libnss-dns-udeb_2.3.6.ds1-12_amd64.udeb
libnss-files-udeb_2.3.6.ds1-12_amd64.udeb
  to pool/main/g/glibc/libnss-files-udeb_2.3.6.ds1-12_amd64.udeb
locales-all_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/locales-all_2.3.6.ds1-12_amd64.deb
locales_2.3.6.ds1-12_all.deb
  to pool/main/g/glibc/locales_2.3.6.ds1-12_all.deb
nscd_2.3.6.ds1-12_amd64.deb
  to pool/main/g/glibc/nscd_2.3.6.ds1-12_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 389084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Feb 2007 18:41:06 +0100
Source: glibc
Binary: libc0.1-prof libc6-dev-amd64 locales-all libc6-i686 libc6-dev-ppc64 libc0.3-pic glibc-doc libc0.3 libc0.1-i686 libc0.1-i386 libc6.1-dev libc6-s390x libnss-files-udeb libc0.1-dev-i386 libc6-dev-sparc64 libc6-i386 libc0.3-dev libc6-udeb libc6-dbg libc6.1-pic libc6-dev libc0.3-prof libc6-sparcv9 libc0.1-udeb libc6-dev-i386 libc6.1-prof libc0.1-dev locales libc6-pic libc0.3-udeb libc6-dev-powerpc libc0.1-pic libc6-ppc64 libc0.3-dbg libc0.1-dbg libc6-amd64 libc0.1 libc6-prof libc6-xen libc6-powerpc libc6 libc6-sparcv9b libc6.1-udeb libc6.1-dbg nscd libc6-sparc64 libnss-dns-udeb libc6.1 libc6-dev-s390x
Architecture: source amd64 all
Version: 2.3.6.ds1-12
Distribution: unstable
Urgency: low
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 glibc-doc  - GNU C Library: Documentation
 libc6      - GNU C Library: Shared libraries
 libc6-dbg  - GNU C Library: Libraries with debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc6-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-prof - GNU C Library: Profiling Libraries
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 347358 389084 410816 410839
Changes: 
 glibc (2.3.6.ds1-12) unstable; urgency=low
 .
   [ Pierre Habouzit ]
   * patches/any/cvs-sunrpc-xdrmem_setpos.diff: fix a pointer-to-cast problem
     in sunrpc, backport from glibc-2.5. Closes: #389084.
   * patches/any/cvs-getent-wrong-struct-size.diff: fix a bad struct size in
     nss/getent.c, backport from glibc-2.5. Closes: #347358.
   * patches/any/local-sysctl.diff: sysctl is back for good it seems, remove
     the link warning from the patch. Closes: #410816.
 .
   [ Aurelien Jarno ]
   * debian/control.in/opt: fix a typo: Ezla -> Ezra.  Closes: #410839.
Files: 
 71838807801a7a025ec43fb5eebb338b 2182 libs required glibc_2.3.6.ds1-12.dsc
 3f71a7adb2c86d62850e6fcbeb44e82f 912883 libs required glibc_2.3.6.ds1-12.diff.gz
 557ae894ee2fba76dd398df0c4ede894 1481414 doc optional glibc-doc_2.3.6.ds1-12_all.deb
 9c4e1b77a90c2bc23a5df232c4511bab 4010360 libs standard locales_2.3.6.ds1-12_all.deb
 c8a89d3e0a9ae605fc03e4b20e3ab4c8 4183520 libs required libc6_2.3.6.ds1-12_amd64.deb
 4e8a3bb290b73206cb1c7ecd8277cacf 2118322 libdevel optional libc6-dev_2.3.6.ds1-12_amd64.deb
 5ace747f6702f5061231c3b31654bafe 1576924 libdevel extra libc6-prof_2.3.6.ds1-12_amd64.deb
 633315decdfa67dec1850bd0dcbf2cdf 1404032 libdevel optional libc6-pic_2.3.6.ds1-12_amd64.deb
 de710ebbeac24dba1f0f2c3a1b154383 6192534 libs extra locales-all_2.3.6.ds1-12_amd64.deb
 9b7aa391e3617f85d8b11ebceb24dca5 3072944 libs optional libc6-i386_2.3.6.ds1-12_amd64.deb
 3a49e6488154c5e1f31ecb330f8965af 1584248 libdevel optional libc6-dev-i386_2.3.6.ds1-12_amd64.deb
 4a0072e06ea2a7f696c6c5144d6c411f 145524 admin optional nscd_2.3.6.ds1-12_amd64.deb
 748d6cbb1fd66d6b60c95370bd3fbde6 2294262 libdevel extra libc6-dbg_2.3.6.ds1-12_amd64.deb
 247c802e48c1a6505a8048ec872f288a 1042668 debian-installer extra libc6-udeb_2.3.6.ds1-12_amd64.udeb
 041ac92c48955ad149de436ef50832fb 9568 debian-installer extra libnss-dns-udeb_2.3.6.ds1-12_amd64.udeb
 27ed9ec70b6d0e4582d1bc5f590e5b66 17196 debian-installer extra libnss-files-udeb_2.3.6.ds1-12_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF1X6DvGr7W6HudhwRAtUTAJ9RfiHGswUsNN63cySMReDDzAhEKgCfRyeJ
T80wBiA+/0XYrwKqLSHpAwQ=
=0jLB
-----END PGP SIGNATURE-----


--- End Message ---
