libc6-i386 (2.11.1-0ubuntu7.1) provides broken implementation of memset()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eglibc (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: libc6-i386
libc6-i386 2.11.1-0ubuntu7.1 (I guess also the regular libc6 for amd64, and libc6 for i386 Ubuntu) provides a broken implementation of the memset() function.
Here is the fix: http://
It is a bit of a security issue as well, as it might be possible to exploit it (the code jumps on the content of one of the x86 registers, which is indirectly controllable by the user, but I didn't investigate deeper). It can be triggered remotely. I have an Adobe Flash .swf file which triggers this bug.
Testcase below (please compile with -m32):
$ cat test.c
#include <sys/mman.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    /* 2 GiB + 4 KiB region: a length above 0x7fffffff is what triggers the bug */
    void *p = (void *)0x70000000UL;
    size_t l = 0x80001000UL;

    /* PROT_WRITE and MAP_ANONYMOUS reconstructed: the extracted text lost them,
       but memset() needs a writable mapping and fd -1 requires MAP_ANONYMOUS.
       The mapping's actual address is used in case the kernel ignores the hint. */
    p = mmap(p, l, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        exit(1);
    }
    memset(p, '\0', l);
    return 0;
}
$ gcc -m32 test.c -o test
$ ./test
Segmentation fault (core dumped)
Changed in eglibc (Ubuntu): status: New → Confirmed
Btw, libc6-i386_2.12~20100519-0ubuntu1_amd64.deb from maverick is free from this bug:
$ LD_PRELOAD=/tmp/libc6-i386/lib32/libc.so.6 ./test
$ echo $?
0