[Bug 839001] Re: Wrong memory access with strlen()

Kees Cook kees at ubuntu.com
Thu Sep 1 21:59:12 UTC 2011


Gcc seems to be generating a 4-byte wide strlen scanner during -O3 which
is tripping up valgrind. I'm not sure if this should be considered a gcc
bug or a valgrind bug:

-O1:
  4005a2:	b8 00 00 00 00       	mov    $0x0,%eax
  4005a7:	48 c7 c1 ff ff ff ff 	mov    $0xffffffffffffffff,%rcx
  4005ae:	f2 ae                	repnz scas %es:(%rdi),%al
  4005b0:	48 f7 d1             	not    %rcx

-O3:
  4004b8:	48 89 c6             	mov    %rax,%rsi
  4004bb:	8b 0e                	mov    (%rsi),%ecx
  4004bd:	48 83 c6 04          	add    $0x4,%rsi
  4004c1:	8d 91 ff fe fe fe    	lea    -0x1010101(%rcx),%edx
  4004c7:	f7 d1                	not    %ecx
  4004c9:	21 ca                	and    %ecx,%edx
  4004cb:	81 e2 80 80 80 80    	and    $0x80808080,%edx
  4004d1:	74 e8                	je     4004bb <main+0x1b>
  4004d3:	89 d1                	mov    %edx,%ecx
  4004d5:	48 89 c7             	mov    %rax,%rdi
  4004d8:	c1 e9 10             	shr    $0x10,%ecx
  4004db:	f7 c2 80 80 00 00    	test   $0x8080,%edx
  4004e1:	0f 44 d1             	cmove  %ecx,%edx
  4004e4:	48 8d 4e 02          	lea    0x2(%rsi),%rcx
  4004e8:	48 0f 44 f1          	cmove  %rcx,%rsi
  4004ec:	00 d2                	add    %dl,%dl
  4004ee:	48 83 de 03          	sbb    $0x3,%rsi
  4004f2:	48 29 c6             	sub    %rax,%rsi

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/839001

Title:
  Wrong memory access with strlen()

Status in “eglibc” package in Ubuntu:
  New

Bug description:
  I'm using Ubuntu 11.10 dev with libc6 2.13-17ubuntu2 and Valgrind
  1:3.6.1-0ubuntu2. strlen() is accessing in some cases the wrong
  memory. I have written example code that shows the problem. The code
  was compiled with "gcc -O3 -Wall -Wextra -o test -pedantic test.c"
  (the error appears on -O2 too but not on -O1). The application was
  executed with "valgrind ./test".

  This is the code:

  #include <stdlib.h>
  #include <string.h>

  int main()
  {
  	char *buffer;

  	buffer = malloc(7);
  	strcpy(buffer, "1234");
  	buffer = realloc(buffer, strlen(buffer) + 1024);
  	free(buffer);
  	return 0;
  }
  And this is the output of a run:

  ==203489== Memcheck, a memory error detector
  ==203489== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
  ==203489== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
  ==203489== Command: ./test
  ==203489== 
  ==203489== Invalid read of size 4
  ==203489==    at 0x4004BB: main (in /home/sworddragon/data/test)
  ==203489==  Address 0x51ce044 is 4 bytes inside a block of size 7 alloc'd
  ==203489==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
  ==203489==    by 0x4004AD: main (in /home/sworddragon/data/test)
  ==203489== 
  ==203489== 
  ==203489== HEAP SUMMARY:
  ==203489==     in use at exit: 0 bytes in 0 blocks
  ==203489==   total heap usage: 2 allocs, 2 frees, 1,035 bytes allocated
  ==203489== 
  ==203489== All heap blocks were freed -- no leaks are possible
  ==203489== 
  ==203489== For counts of detected and suppressed errors, rerun with: -v
  ==203489== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
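As an added example (not code from the bug report, gcc or glibc), the following C model reproduces the 4-byte scanner visible in the -O3 listing above: the same zero-byte test (`lea -0x1010101(%rcx)`, `not`, `and`, `and $0x80808080`) applied to the reporter's 7-byte block, plus a count of how far the last 4-byte load reaches past the allocation, which is exactly what Memcheck reports as "Invalid read of size 4 ... 4 bytes inside a block of size 7". The backing arrays and block sizes are constructed stand-ins for the real malloc'd block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zero-byte test from the -O3 code: (w - 0x01010101) & ~w & 0x80808080 is
 * non-zero iff some byte of w is 0x00; its lowest set bit marks the first
 * zero byte (little-endian byte order, as on x86-64). */
static uint32_t has_zero_byte(uint32_t w)
{
    return (w - 0x01010101u) & ~w & 0x80808080u;
}

/* Word-at-a-time strlen modelled on the inlined scanner: each step loads
 * 4 bytes (mov (%rsi),%ecx), so the final load can reach past the NUL.
 * If touched is non-NULL it receives the number of bytes loaded from s. */
static size_t word_strlen(const char *s, size_t *touched)
{
    size_t off = 0;
    for (;;) {
        uint32_t w;
        memcpy(&w, s + off, sizeof w);   /* unaligned 32-bit load */
        uint32_t z = has_zero_byte(w);
        off += 4;
        if (z) {
            size_t in_word = (z & 0x80u) ? 0 : (z & 0x8000u) ? 1
                           : (z & 0x800000u) ? 2 : 3;
            if (touched) *touched = off;
            return off - 4 + in_word;
        }
    }
}

/* Constructed stand-ins for heap blocks, zero-padded inside 16-byte arrays
 * so the over-read is well-defined here (on a real malloc(7) block it is not).
 * backing7 holds "1234\0" in a 7-byte block, exactly as in the report. */
enum { BLOCK7 = 7, BLOCK8 = 8 };
static const char backing7[16] = "1234";
static const char backing8[16] = "1234567";

/* Bytes the scanner loaded beyond block_size; 0 means Memcheck stays quiet. */
static size_t overread_bytes(const char *block, size_t block_size)
{
    size_t touched;
    word_strlen(block, &touched);
    return touched > block_size ? touched - block_size : 0;
}

int main(void)
{
    printf("strlen=%zu, loaded %zu byte(s) past the %d-byte block\n",
           word_strlen(backing7, NULL), overread_bytes(backing7, BLOCK7), BLOCK7);
    return 0;
}
```

For the report's "1234" in a 7-byte block the second load covers bytes 4..7, one byte past the end, while "1234567" in an 8-byte block ends exactly on a word boundary and is not over-read.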
