[Bug 1756209] Re: i386 implementation of memmove broken since glibc 2.21
Balint Reczey
1756209 at bugs.launchpad.net
Wed Oct 21 16:21:20 UTC 2020
Bionic has already been fixed.
I could not reproduce the issue even with 2.27-3ubuntu1.2.
gdb
bt
bt
#0 run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:55
#1 0x56555643 in main (argc=1, argv=0xffffd4f4) at memmove-bug.c:82
(gdb) cont
Continuing.
move memory...
Breakpoint 2, run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:53
53 printf("check memory...\n");
(gdb) cont
Continuing.
check memory...
Breakpoint 2, run_test (move=0xf7f1c280 <__memmove_sse2_unaligned>) at memmove-bug.c:64
64 printf("no problems detected\n");
--
The test passes with the updated glibc, too:
ubuntu at ubuntu-Standard-PC-i440FX-PIIX-1996:~/memmove-bug$ make
./memmove-bug || echo "memmove is BUGGY"
allocating 2147483648 = 0x80000000 bytes...
start = 0x77db7010, end = 0xf7db7010
init memory...
move memory...
check memory...
no problems detected
Details for your system:
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.3) stable release version 2.27.
cc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
5.4.0-52-generic #57~18.04.1-Ubuntu SMP Thu Oct 15 14:04:49 UTC 2020
** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1756209
Title:
i386 implementation of memmove broken since glibc 2.21
Status in glibc package in Ubuntu:
Fix Released
Status in glibc source package in Xenial:
New
Status in glibc source package in Bionic:
Fix Released
Bug description:
[Impact]
* i386 memmove breaks when crossing the 2GB threshold.
[Test Case]
* Compile and run the reproducer as described at
https://github.com/fingolfin/memmove-bug or observe string/test-
memmove test passing during the build/autopkgtest on i386.
[Regression Potential]
* Can break memmove, but this is unlikely since memmove is the very
function fixed by fixing signedness handling.
[Original Bug Text]
In glibc 2.21 they optimized i386 memcpy:
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
The implementation contained a bug which causes memmove to break when
crossing the 2GB threshold.
This has been filed with glibc here (filed by someone else, but I have
requested an update from them as well):
https://sourceware.org/bugzilla/show_bug.cgi?id=22644
Unfortunately they have not yet taken action on this bug, however I
want to bring it to your attention in the hope that it can be patched
into all current Ubuntu releases as soon as possible. I hope this is
not improper procedure. Both myself and another (see comment 1 in the
glibc bug report) have tested the patch provided in the above glibc
bug report and it does appear to fix the problem, however I don't know
what the procedure is for getting it properly confirmed/tested and
merged into Ubuntu.
As requested in the guidelines:
1) We are using:
Description: Ubuntu 16.04.4 LTS
Release: 16.04
2)
libc6:i386:
Installed: 2.23-0ubuntu10
However as stated above this has been present since libc6:i386 2.21
and affects Ubuntu 15.04 onward. (I have actually tested this as well.
15.04 conveniently used both glibc 2.19 and 2.21 so it was a good test
platform when I was initially attempting to track down the problem.)
3) What we expected to happen:
memmove should move data within the entire valid address space without segfaulting or corrupting memory.
4) What happened instead:
When memmove attempts to move data crossing the 2GB threshold it either segfaults or causes memory corruption.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1756209/+subscriptions
More information about the foundations-bugs
mailing list