uninitialized memory access in memmem()

mailing list of musl libc
 help / color / mirror / code / Atom feed

* uninitialized memory access in memmem()
@ 2014-06-18 18:20 Clément Vasseur
  2014-06-19  1:06 ` Rich Felker
  0 siblings, 1 reply; 6+ messages in thread
From: Clément Vasseur @ 2014-06-18 18:20 UTC (permalink / raw)
  To: musl

Hello,

I found a case where memmem() returns 0 where it should not:

$ cat test-memmem.c
#define _GNU_SOURCE
#include <string.h>
#include <assert.h>

#define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10

int main(void)
{
    const unsigned char haystack[] = { DATA };
    const unsigned char needle[] = { DATA };
    assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
}

$ musl-gcc test-memmem.c && ./a.out
Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
Aborted

Valgrind says a conditional jump or move depends on uninitalized value
in twoway_memmem(). The code is quite complicated so I have not tried to
track it down any further.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: uninitialized memory access in memmem()
  2014-06-18 18:20 uninitialized memory access in memmem() Clément Vasseur
@ 2014-06-19  1:06 ` Rich Felker
  2014-06-19  1:43   ` Clément Vasseur
  0 siblings, 1 reply; 6+ messages in thread
From: Rich Felker @ 2014-06-19  1:06 UTC (permalink / raw)
  To: musl

On Wed, Jun 18, 2014 at 06:20:33PM +0000, Clément Vasseur wrote:
> Hello,
> 
> I found a case where memmem() returns 0 where it should not:
> 
> $ cat test-memmem.c
> #define _GNU_SOURCE
> #include <string.h>
> #include <assert.h>
> 
> #define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
> 
> int main(void)
> {
>     const unsigned char haystack[] = { DATA };
>     const unsigned char needle[] = { DATA };
>     assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
> }
> 
> $ musl-gcc test-memmem.c && ./a.out
> Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
> Aborted
> 
> Valgrind says a conditional jump or move depends on uninitalized value
> in twoway_memmem(). The code is quite complicated so I have not tried to
> track it down any further.

Can you provide more details? musl version? gcc version? arch? I can't
reproduce this error in master with gcc 4.7.3/i386.

Rich


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: uninitialized memory access in memmem()
  2014-06-19  1:06 ` Rich Felker
@ 2014-06-19  1:43   ` Clément Vasseur
  2014-06-19  3:18     ` Rich Felker
  2014-06-19  3:56     ` Rich Felker
  0 siblings, 2 replies; 6+ messages in thread
From: Clément Vasseur @ 2014-06-19  1:43 UTC (permalink / raw)
  To: musl

On 2014-06-19, Rich Felker <dalias@libc.org> wrote:
> On Wed, Jun 18, 2014 at 06:20:33PM +0000, Clément Vasseur wrote:
>> Hello,
>> 
>> I found a case where memmem() returns 0 where it should not:
>> 
>> $ cat test-memmem.c
>> #define _GNU_SOURCE
>> #include <string.h>
>> #include <assert.h>
>> 
>> #define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
>> 
>> int main(void)
>> {
>>     const unsigned char haystack[] = { DATA };
>>     const unsigned char needle[] = { DATA };
>>     assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
>> }
>> 
>> $ musl-gcc test-memmem.c && ./a.out
>> Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
>> Aborted
>> 
>> Valgrind says a conditional jump or move depends on uninitalized value
>> in twoway_memmem(). The code is quite complicated so I have not tried to
>> track it down any further.
>
> Can you provide more details? musl version? gcc version? arch? I can't
> reproduce this error in master with gcc 4.7.3/i386.

I use master (7c73cac) with gcc 4.6.1/x86_64.

I have another pattern which fails with gcc 4.8.3/arm. Looks like you
might reproduce this one on your 32-bit arch:

#define DATA 0x50, 0x17, 0x8a, 0xf3, 0x55, 0x67, 0x58, 0xdf



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Re: uninitialized memory access in memmem()
  2014-06-19  1:43   ` Clément Vasseur
@ 2014-06-19  3:18     ` Rich Felker
  2014-06-19  3:56     ` Rich Felker
  1 sibling, 0 replies; 6+ messages in thread
From: Rich Felker @ 2014-06-19  3:18 UTC (permalink / raw)
  To: musl

On Thu, Jun 19, 2014 at 01:43:50AM +0000, Clément Vasseur wrote:
> On 2014-06-19, Rich Felker <dalias@libc.org> wrote:
> > On Wed, Jun 18, 2014 at 06:20:33PM +0000, Clément Vasseur wrote:
> >> Hello,
> >> 
> >> I found a case where memmem() returns 0 where it should not:
> >> 
> >> $ cat test-memmem.c
> >> #define _GNU_SOURCE
> >> #include <string.h>
> >> #include <assert.h>
> >> 
> >> #define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
> >> 
> >> int main(void)
> >> {
> >>     const unsigned char haystack[] = { DATA };
> >>     const unsigned char needle[] = { DATA };
> >>     assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
> >> }
> >> 
> >> $ musl-gcc test-memmem.c && ./a.out
> >> Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
> >> Aborted
> >> 
> >> Valgrind says a conditional jump or move depends on uninitalized value
> >> in twoway_memmem(). The code is quite complicated so I have not tried to
> >> track it down any further.
> >
> > Can you provide more details? musl version? gcc version? arch? I can't
> > reproduce this error in master with gcc 4.7.3/i386.
> 
> I use master (7c73cac) with gcc 4.6.1/x86_64.
> 
> I have another pattern which fails with gcc 4.8.3/arm. Looks like you
> might reproduce this one on your 32-bit arch:
> 
> #define DATA 0x50, 0x17, 0x8a, 0xf3, 0x55, 0x67, 0x58, 0xdf

Still can't reproduce it.

Rich


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Re: uninitialized memory access in memmem()
  2014-06-19  1:43   ` Clément Vasseur
  2014-06-19  3:18     ` Rich Felker
@ 2014-06-19  3:56     ` Rich Felker
  2014-06-19  4:48       ` Rich Felker
  1 sibling, 1 reply; 6+ messages in thread
From: Rich Felker @ 2014-06-19  3:56 UTC (permalink / raw)
  To: musl

On Thu, Jun 19, 2014 at 01:43:50AM +0000, Clément Vasseur wrote:
> On 2014-06-19, Rich Felker <dalias@libc.org> wrote:
> > On Wed, Jun 18, 2014 at 06:20:33PM +0000, Clément Vasseur wrote:
> >> Hello,
> >> 
> >> I found a case where memmem() returns 0 where it should not:
> >> 
> >> $ cat test-memmem.c
> >> #define _GNU_SOURCE
> >> #include <string.h>
> >> #include <assert.h>
> >> 
> >> #define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
> >> 
> >> int main(void)
> >> {
> >>     const unsigned char haystack[] = { DATA };
> >>     const unsigned char needle[] = { DATA };
> >>     assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
> >> }
> >> 
> >> $ musl-gcc test-memmem.c && ./a.out
> >> Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
> >> Aborted
> >> 
> >> Valgrind says a conditional jump or move depends on uninitalized value
> >> in twoway_memmem(). The code is quite complicated so I have not tried to
> >> track it down any further.
> >
> > Can you provide more details? musl version? gcc version? arch? I can't
> > reproduce this error in master with gcc 4.7.3/i386.
> 
> I use master (7c73cac) with gcc 4.6.1/x86_64.
> 
> I have another pattern which fails with gcc 4.8.3/arm. Looks like you
> might reproduce this one on your 32-bit arch:
> 
> #define DATA 0x50, 0x17, 0x8a, 0xf3, 0x55, 0x67, 0x58, 0xdf

Are you sure you're actually using musl master? The file that matters
is /lib/ld-musl-$ARCH.so.1. If it's a symlink to an old musl you have
lying around somewhere, then that's the version you're really using. I
was able to reproduce this with musl 1.0.0 and it's simply the bug
fixed in commit 476cd1d96560aaf7f210319597556e7fbcd60469.

Rich


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Re: uninitialized memory access in memmem()
  2014-06-19  3:56     ` Rich Felker
@ 2014-06-19  4:48       ` Rich Felker
  0 siblings, 0 replies; 6+ messages in thread
From: Rich Felker @ 2014-06-19  4:48 UTC (permalink / raw)
  To: musl

On Wed, Jun 18, 2014 at 11:56:20PM -0400, Rich Felker wrote:
> On Thu, Jun 19, 2014 at 01:43:50AM +0000, Clément Vasseur wrote:
> > On 2014-06-19, Rich Felker <dalias@libc.org> wrote:
> > > On Wed, Jun 18, 2014 at 06:20:33PM +0000, Clément Vasseur wrote:
> > >> Hello,
> > >> 
> > >> I found a case where memmem() returns 0 where it should not:
> > >> 
> > >> $ cat test-memmem.c
> > >> #define _GNU_SOURCE
> > >> #include <string.h>
> > >> #include <assert.h>
> > >> 
> > >> #define DATA 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
> > >> 
> > >> int main(void)
> > >> {
> > >>     const unsigned char haystack[] = { DATA };
> > >>     const unsigned char needle[] = { DATA };
> > >>     assert(memmem(haystack, sizeof haystack, needle, sizeof needle));
> > >> }
> > >> 
> > >> $ musl-gcc test-memmem.c && ./a.out
> > >> Assertion failed: memmem(haystack, sizeof haystack, needle, sizeof needle) (test-memmem.c: main: 11)
> > >> Aborted
> > >> 
> > >> Valgrind says a conditional jump or move depends on uninitalized value
> > >> in twoway_memmem(). The code is quite complicated so I have not tried to
> > >> track it down any further.
> > >
> > > Can you provide more details? musl version? gcc version? arch? I can't
> > > reproduce this error in master with gcc 4.7.3/i386.
> > 
> > I use master (7c73cac) with gcc 4.6.1/x86_64.
> > 
> > I have another pattern which fails with gcc 4.8.3/arm. Looks like you
> > might reproduce this one on your 32-bit arch:
> > 
> > #define DATA 0x50, 0x17, 0x8a, 0xf3, 0x55, 0x67, 0x58, 0xdf
> 
> Are you sure you're actually using musl master? The file that matters
> is /lib/ld-musl-$ARCH.so.1. If it's a symlink to an old musl you have
> lying around somewhere, then that's the version you're really using. I
> was able to reproduce this with musl 1.0.0 and it's simply the bug
> fixed in commit 476cd1d96560aaf7f210319597556e7fbcd60469.

Sorry, I was wrong. This appeared to be the case at first, but I was
able to reproduce the bug with some more work -- it's hard to
reproduce because, like valgrind reported, it's an invalid read.

Fixed in commit cef0f289f666b6c963bfd11537a6d80916ff889e.

Rich


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-06-19  4:48 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-18 18:20 uninitialized memory access in memmem() Clément Vasseur
2014-06-19  1:06 ` Rich Felker
2014-06-19  1:43   ` Clément Vasseur
2014-06-19  3:18     ` Rich Felker
2014-06-19  3:56     ` Rich Felker
2014-06-19  4:48       ` Rich Felker

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).