[Bug 1756209] Re: i386 implementation of memmove broken since glibc 2.21

Wed Oct 21 16:21:20 UTC 2020

Bionic has already been fixed.
I could not reproduce the issue even with 2.27-3ubuntu1.2.

gdb
bt
bt
#0  run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:55
#1  0x56555643 in main (argc=1, argv=0xffffd4f4) at memmove-bug.c:82
(gdb) cont
Continuing.
move memory...

Breakpoint 2, run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:53
53	    printf("check memory...\n");
(gdb) cont
Continuing.
check memory...

Breakpoint 2, run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:64
64	    printf("no problems detected\n");

--
The test passes with the updated glibc, too:
ubuntu at ubuntu-Standard-PC-i440FX-PIIX-1996:~/memmove-bug$ make
./memmove-bug || echo "memmove is BUGGY"
allocating 2147483648 = 0x80000000 bytes...
start = 0x77db7010, end = 0xf7db7010
init memory...
move memory...
check memory...
no problems detected
Details for your system:
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.3) stable release version 2.27.
cc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
5.4.0-52-generic #57~18.04.1-Ubuntu SMP Thu Oct 15 14:04:49 UTC 2020

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1756209

Title:
  i386 implementation of memmove broken since glibc 2.21

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Xenial:
  New
Status in glibc source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  * i386 memmove breaks when crossing the 2GB threshold.

  [Test Case]

  * Compile and run the reproducer as described at
  https://github.com/fingolfin/memmove-bug or observe string/test-
  memmove test passing during the build/autopkgtest on i386.

  [Regression Potential]

  * Can break memmove, but this is unlikely since memmove is the very
  function fixed by fixing signedness handling.

  [Original Bug Text]

  In glibc 2.21 they optimized i386 memcpy:

  https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html

  The implementation contained a bug which causes memmove to break when
  crossing the 2GB threshold.

  This has been filed with glibc here (filed by someone else, but I have
  requested an update from them as well):

  https://sourceware.org/bugzilla/show_bug.cgi?id=22644

  Unfortunately they have not yet taken action on this bug, however I
  want to bring it to your attention in the hope that it can be patched
  into all current Ubuntu releases as soon as possible. I hope this is
  not improper procedure. Both myself and another (see comment 1 in the
  glibc bug report) have tested the patch provided in the above glibc
  bug report and it does appear to fix the problem, however I don't know
  what the procedure is for getting it properly confirmed/tested and
  merged into Ubuntu.

  As requested in the guidelines:

  1) We are using:
  Description:    Ubuntu 16.04.4 LTS
  Release:        16.04

  2)
  libc6:i386:
    Installed: 2.23-0ubuntu10

  However as stated above this has been present since libc6:i386 2.21
  and affects Ubuntu 15.04 onward. (I have actually tested this as well.
  15.04 conveniently used both glibc 2.19 and 2.21 so it was a good test
  platform when I was initially attempting to track down the problem.)

  3) What we expected to happen:
  memmove should move data within the entire valid address space without segfaulting or corrupting memory.

  4) What happened instead:
  When memmove attempts to move data crossing the 2GB threshold it either segfaults or causes memory corruption.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1756209/+subscriptions