__strncmp_ssse3 can segfault when it over-reads its buffer

Bug #702190 reported by John Sherman on 2011-01-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
eglibc (Ubuntu)

Bug Description

Ubuntu 10.04
Package version: 2.11.1-0ubuntu7.5

We have hit a strncmp segfault that seems to have been fixed in glibc-2.11.3 and has been picked up in the eglibc-2.11 branch
but does not seem to be in the source tree here unless I am missing it. The bug seems to be __strncmp_ssse3 over-reading the
input buffers and in this case the string(arg1 in the backtrace) is at a page boundary and the next page is not valid.

The eglibc revision is: 11983 to strcmp.S. http://www.eglibc.org/cgi-bin/viewcvs.cgi?rev=11983&view=rev

The glibc bug report is at: http://sourceware.org/bugzilla/show_bug.cgi?id=12077
The glibc fix is: http://sourceware.org/git/?p=glibc.git;a=commit;h=38e894eec8a26e302859840cd1f2de4387e24357

#0 __strncmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:1108
#1 0x00000000007b523c in varstr_cmp (arg1=0x4bf6ff4 "030007680000" <Address 0x4bf7000 out of bounds>, len1=12,
    arg2=0x427475c "030005300000X\275\260\002", len2=12) at varlena.c:1282
#2 0x00000000007b5526 in text_cmp (arg1=0x4bf6ff0, arg2=0x4274758) at varlena.c:1433
#3 0x00000000007b5b92 in bttextcmp (fcinfo=0x7fff293602b0) at varlena.c:1557
#4 0x000000000083998c in myFunctionCall2 (flinfo=0x7fff293609f0, arg1=79654896, arg2=69683032) at tuplesort.c:2506

CPU Info:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Xeon(R) CPU E5405 @ 2.00GHz
stepping : 10
cpu MHz : 1995.402
cache size : 6144 KB
physical id : 0
siblings : 4
core id : 0
cpu cores : 4
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx tm2 ssse3 cx16 xtpr pdcm dca sse4_1 xsave lahf_lm tpr_shadow vnmi flexpriority
bogomips : 3990.80
clflush size : 64
cache_alignment : 64
address sizes : 38 bits physical, 48 bits virtual
power management:

Matthias Klose (doko) on 2011-01-19
Changed in eglibc (Ubuntu Lucid):
milestone: none → lucid-updates
status: New → In Progress
Changed in eglibc (Ubuntu):
status: New → Fix Released
Matthias Klose (doko) wrote :

Accepted eglibc into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in eglibc (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Jean-Baptiste Lallement (jibel) wrote :

Verification for Lucid.

I've verified that the package upgrades correctly from a default Lucid installation and that after the installation the system reboots, that X and the network are working, and that the system can be shutdown without failure . If there are specific verifications to do, let me known.

Marking as verification-done.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.8

eglibc (2.11.1-0ubuntu7.8) lucid-proposed; urgency=low

  [ Matthias Klose ]
  * Fix issue #12077, __strncmp_ssse3 can segfault when it over-reads
    its buffer. LP: #702190.

  [ Clint Byrum ]
  * do not run 'telinit u' on upgrade, as this will break upstart.
    touch /var/run/init.upgraded instead, which will force a re-exec just
    before remounting root read-only. LP: #672177, LP: #694772.
 -- Matthias Klose <email address hidden> Wed, 19 Jan 2011 03:06:52 +0100

Changed in eglibc (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers