
Bug#590640: libc6: ssse3 implementation of strncmp results in invalid reads



Package: libc6
Version: 2.11.2-2
Severity: normal


--- BEGIN TESTCASE PROGRAM ---
#include <string.h>
#include <stdlib.h>

int main()
{
  char* x = malloc(5);
  char* y = malloc(5);
  int foo;

  strcpy(x, "helo");
  strcpy(y, "ehlo");

  foo = strcmp(x, y);
  foo = strncmp(x, y, 4);

  free(x);
  free(y);
  
  return 0;
}
--- END TESTCASE PROGRAM ---

Running the program in valgrind results in the following log:


--- BEGIN LOG ---
==5447== Memcheck, a memory error detector
==5447== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==5447== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==5447== Command: ./strcmp
==5447== Parent PID: 5379
==5447== 
==5447== Conditional jump or move depends on uninitialised value(s)
==5447==    at 0x4016236: index (strchr.S:56)
==5447==    by 0x4007164: expand_dynamic_string_token (dl-load.c:324)
==5447==    by 0x4007567: _dl_map_object (dl-load.c:2173)
==5447==    by 0x400186A: map_doit (rtld.c:634)
==5447==    by 0x400D5C5: _dl_catch_error (dl-error.c:178)
==5447==    by 0x400176E: do_preload (rtld.c:818)
==5447==    by 0x40043F1: dl_main (rtld.c:1678)
==5447==    by 0x4014776: _dl_sysdep_start (dl-sysdep.c:243)
==5447==    by 0x4001422: _dl_start (rtld.c:338)
==5447==    by 0x4000AF7: ??? (in /lib/ld-2.11.2.so)
==5447== 
==5447== Conditional jump or move depends on uninitialised value(s)
==5447==    at 0x401623B: index (strchr.S:59)
==5447==    by 0x4007164: expand_dynamic_string_token (dl-load.c:324)
==5447==    by 0x4007567: _dl_map_object (dl-load.c:2173)
==5447==    by 0x400186A: map_doit (rtld.c:634)
==5447==    by 0x400D5C5: _dl_catch_error (dl-error.c:178)
==5447==    by 0x400176E: do_preload (rtld.c:818)
==5447==    by 0x40043F1: dl_main (rtld.c:1678)
==5447==    by 0x4014776: _dl_sysdep_start (dl-sysdep.c:243)
==5447==    by 0x4001422: _dl_start (rtld.c:338)
==5447==    by 0x4000AF7: ??? (in /lib/ld-2.11.2.so)
==5447== 
==5447== Conditional jump or move depends on uninitialised value(s)
==5447==    at 0x400AC3E: _dl_relocate_object (do-rel.h:65)
==5447==    by 0x400383A: dl_main (rtld.c:2297)
==5447==    by 0x4014776: _dl_sysdep_start (dl-sysdep.c:243)
==5447==    by 0x4001422: _dl_start (rtld.c:338)
==5447==    by 0x4000AF7: ??? (in /lib/ld-2.11.2.so)
==5447== 
==5447== Conditional jump or move depends on uninitialised value(s)
==5447==    at 0x400AC47: _dl_relocate_object (do-rel.h:68)
==5447==    by 0x400383A: dl_main (rtld.c:2297)
==5447==    by 0x4014776: _dl_sysdep_start (dl-sysdep.c:243)
==5447==    by 0x4001422: _dl_start (rtld.c:338)
==5447==    by 0x4000AF7: ??? (in /lib/ld-2.11.2.so)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F35356: __strcmp_ssse3 (strcmp.S:99)
==5447==    by 0x40068C: main (strcmp.c:13)
==5447==  Address 0x5189040 is 0 bytes inside a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400635: main (strcmp.c:6)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F3535A: __strcmp_ssse3 (strcmp.S:100)
==5447==    by 0x40068C: main (strcmp.c:13)
==5447==  Address 0x5189090 is 0 bytes inside a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400643: main (strcmp.c:7)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F3535E: __strcmp_ssse3 (strcmp.S:101)
==5447==    by 0x40068C: main (strcmp.c:13)
==5447==  Address 0x5189048 is 3 bytes after a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400635: main (strcmp.c:6)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F35363: __strcmp_ssse3 (strcmp.S:102)
==5447==    by 0x40068C: main (strcmp.c:13)
==5447==  Address 0x5189098 is 3 bytes after a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400643: main (strcmp.c:7)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F365CC: __strncmp_ssse3 (strcmp.S:99)
==5447==    by 0x4006A7: main (strcmp.c:14)
==5447==  Address 0x5189040 is 0 bytes inside a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400635: main (strcmp.c:6)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F365D0: __strncmp_ssse3 (strcmp.S:100)
==5447==    by 0x4006A7: main (strcmp.c:14)
==5447==  Address 0x5189090 is 0 bytes inside a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400643: main (strcmp.c:7)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F365D4: __strncmp_ssse3 (strcmp.S:101)
==5447==    by 0x4006A7: main (strcmp.c:14)
==5447==  Address 0x5189048 is 3 bytes after a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400635: main (strcmp.c:6)
==5447== 
==5447== Invalid read of size 8
==5447==    at 0x4F365D9: __strncmp_ssse3 (strcmp.S:102)
==5447==    by 0x4006A7: main (strcmp.c:14)
==5447==  Address 0x5189098 is 3 bytes after a block of size 5 alloc'd
==5447==    at 0x4C241A7: malloc (vg_replace_malloc.c:195)
==5447==    by 0x400643: main (strcmp.c:7)
==5447== 
==5447== 
==5447== HEAP SUMMARY:
==5447==     in use at exit: 0 bytes in 0 blocks
==5447==   total heap usage: 2 allocs, 2 frees, 10 bytes allocated
==5447== 
==5447== All heap blocks were freed -- no leaks are possible
==5447== 
==5447== For counts of detected and suppressed errors, rerun with: -v
==5447== Use --track-origins=yes to see where uninitialised values come from
==5447== ERROR SUMMARY: 12 errors from 12 contexts (suppressed: 0 from 0)
--- END LOG ---


It seems the ssse3 implementation operates on multiples of 8
bytes. This makes valgrind debugging difficult due to spurious
messages, for which it is hard to determine whether they can be
suppressed as false positives or are real problems.
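One way to sort reports like these, as an added example that is not part of this bug report: a Python triage script that parses Memcheck "Invalid read" records and marks a read as a benign vector overread only when it comes from a glibc SIMD string routine and stays within the 16-byte-aligned slots the block already occupies; a read that runs on into the next slot means the routine did not find a terminator inside the block, so it is handed back for review. The function-name pattern and the 16-byte slot rule are assumptions about how these routines load data, not something the report states.

```python
import re
# Memcheck lines this triage needs: error header, innermost frame, block description.
READ_RE = re.compile(r"^==\d+== Invalid read of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes "
                     r"(inside|after|before) a block of size (\d+) (alloc'd|free'd)")
# Assumed naming of glibc's hand-written SIMD string routines, e.g. __strcmp_ssse3.
SIMD_STR_RE = re.compile(r"^__(?:str|stp|mem|wcs)\w*_(?:sse|ssse|avx)\w*$")
VEC = 16  # assumed byte width of the aligned vector loads these routines issue

def classify(func, size, addr, block_start, block_size, freed):
    """'vector-overread' when a SIMD string routine stays inside the 16-byte-aligned
    slots already spanned by the block (never crosses a page); otherwise 'review'."""
    if freed:
        return "real"  # reading freed memory is never a benign overread
    if not SIMD_STR_RE.match(func):
        return "review"
    lo = block_start & ~(VEC - 1)
    hi = (block_start + block_size + VEC - 1) & ~(VEC - 1)
    return "vector-overread" if lo <= addr and addr + size <= hi else "review"

def triage(log):
    """Parse Memcheck output into (func, size, addr, verdict) tuples."""
    out, size, func = [], None, None
    for line in log.splitlines():
        if m := READ_RE.match(line):
            size, func = int(m.group(1)), None
        elif size is not None and (m := FRAME_RE.match(line)):
            func = func or m.group(1)  # keep only the innermost frame
        elif size is not None and func and (m := ADDR_RE.match(line)):
            addr, off = int(m.group(1), 16), int(m.group(2))
            rel, bsize = m.group(3), int(m.group(4))
            start = {"inside": addr - off, "after": addr - off - bsize, "before": addr + off}[rel]
            out.append((func, size, addr, classify(func, size, addr, start, bsize, m.group(5) == "free'd")))
            size = None  # frames that follow describe the alloc/free site, not the read
    return out

# Constructed sample modelled on the report above: two reads within the 16-byte
# slot holding a 5-byte string, and one that ran on into the next slot.
SAMPLE_LOG = """\
==5447== Invalid read of size 8
==5447==    at 0x4F35356: __strcmp_ssse3 (strcmp.S:99)
==5447==  Address 0x5189040 is 0 bytes inside a block of size 5 alloc'd
==5447== Invalid read of size 8
==5447==    at 0x4F3535E: __strcmp_ssse3 (strcmp.S:101)
==5447==  Address 0x5189048 is 3 bytes after a block of size 5 alloc'd
==5447== Invalid read of size 8
==5447==    at 0x4F35370: __strcmp_ssse3 (strcmp.S:120)
==5447==  Address 0x5189050 is 11 bytes after a block of size 5 alloc'd
"""
```

Run it over a saved Memcheck log with `triage(open("log").read())`; every "review" verdict for a stack is the one worth reading first.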



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin                      2.11.2-2   Embedded GNU C Library: Binaries
ii  libgcc1                       1:4.4.4-6  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.32     Debian configuration management sy
ii  glibc-doc                     2.11.2-2   Embedded GNU C Library: Documentat
ii  locales                       2.11.2-2   Embedded GNU C Library: National L

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: gdm exim4 cups cron atd


