libc6-i386 (2.11.1-0ubuntu7.1) provides broken implementation of memset()

Bug #587055 reported by Robert Swiecki
Affects          Status        Importance  Assigned to  Milestone
eglibc (Ubuntu)  Fix Released  Medium      Unassigned
Lucid            Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: libc6-i386

libc6-i386 2.11.1-0ubuntu7.1 (I guess also regular libc6 for amd64, and libc6 for i386 Ubuntu) provides a broken implementation of the memset() function.

Here is the fix: http://repo.or.cz/w/glibc.git/commitdiff/cc50f1a4b458f769ceb72d88bb78c8429361fec1

It is a bit of a security issue as well, as it might be possible to exploit it (the code jumps on the content of one of the x86 registers, which is indirectly controllable by the user, but I didn't investigate deeper). It can be triggered remotely. I have an Adobe Flash .swf file which triggers this bug.

Testcase below (please compile with -m32)

$ cat test.c
#include <sys/mman.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
int main(void)
{
        /* 2 GB anonymous mapping at a fixed address; built with -m32,
           the length has bit 31 set */
        void *p = (void *)0x70000000UL;
        size_t l = 0x80001000UL;
        if (mmap(p, l, PROT_READ|PROT_WRITE, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE,
                 -1, 0) == MAP_FAILED) {
                perror("mmap");
                exit(1);
        }
        memset(p, '\0', l);     /* crashes with the affected libc6-i386 */
        return 0;
}
$ gcc -m32 test.c -o test
$ ./test
Segmentation fault (core dumped)

Robert Swiecki (robert+ubuntu) wrote :

Btw, libc6-i386_2.12~20100519-0ubuntu1_amd64.deb from maverick is free from this bug:

$ LD_PRELOAD=/tmp/libc6-i386/lib32/libc.so.6 ./test
$ echo $?
0

David Tomaschik (matir)
Changed in eglibc (Ubuntu):
status: New → Confirmed
Matthias Klose (doko) wrote :

fixed in maverick

Changed in eglibc (Ubuntu):
importance: Undecided → Medium
milestone: none → lucid-updates
status: Confirmed → In Progress
status: In Progress → Fix Released
Martin Pitt (pitti) wrote : Please test proposed package

Accepted eglibc into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in eglibc (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Matthias Klose (doko) wrote :

Testcase works as expected with the update, fails without it.

tags: added: verification-done
removed: verification-needed
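Scripting the verification described in the comment above: the reporter's testcase run in a forked child, so an affected memset() only takes down the child and the parent can report the verdict instead of dying with "Segmentation fault". This is an added example, not code from the report or from eglibc; probe_memset and its signature are assumptions made here. Build with -m32 to exercise the 32-bit libc this bug concerns.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run memset() over a fresh anonymous mapping in a forked child so a faulty
 * libc only kills the child. Returns 0 if memset() completed, the terminating
 * signal number if the child died (SIGSEGV for the crash reported above), or
 * -1 if the mapping failed. A NULL want_addr lets the kernel choose; else MAP_FIXED. */
int probe_memset(void *want_addr, size_t len, int prot)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int flags = MAP_ANONYMOUS | MAP_PRIVATE | (want_addr ? MAP_FIXED : 0);
        void *p = mmap(want_addr, len, prot, flags, -1, 0);
        if (p == MAP_FAILED)
            _exit(2);
        /* volatile function pointer: force the libc memset, not an inline builtin */
        void *(*volatile real_memset)(void *, int, size_t) = memset;
        real_memset(p, '\0', len);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    /* Same address and length as the reporter's testcase (length has bit 31 set) */
    int r = probe_memset((void *)0x70000000UL, 0x80001000UL, PROT_READ | PROT_WRITE);
    if (r == SIGSEGV)
        puts("memset() crashed on a length >= 2 GB: this libc is affected");
    else if (r == 0)
        puts("memset() completed: this libc is not affected");
    else
        printf("probe inconclusive (result %d, e.g. mmap failed)\n", r);
    return r == 0 ? 0 : 1;
}
```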
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.2

---------------
eglibc (2.11.1-0ubuntu7.2) lucid-proposed; urgency=low

  * Fix issues in x86 memset-sse2.S/memset-sse2-rep.S. LP: #587055.
  * Apply from the 2.11-x86 branch: x86-64 SSE4 optimized memcmp. LP: #589136.
 -- Matthias Klose <email address hidden> Thu, 03 Jun 2010 13:38:35 +0200

Changed in eglibc (Ubuntu Lucid):
status: Fix Committed → Fix Released