Ubuntu22.04: glibc: __strncpy_power9() uses uninitialised register vs18 value for filling after \0

Bug #1978130 reported by bugproxy
Affects                              Status        Importance  Assigned to                             Milestone
The Ubuntu-power-systems project     Fix Released  Medium      Ubuntu on IBM Power Systems Bug Triage
glibc (Ubuntu)                       Fix Released  Medium      Ubuntu on IBM Power Systems Bug Triage
Jammy                                Fix Released  Undecided   Unassigned

Bug Description

SRU Justification:
==================

[Impact]

 * glibc '__strncpy_power9()' uses the uninitialized register vs18
   as the value for filling the destination after the \0.

 * The bytes after the terminator therefore keep stale data instead
   of being zeroed; callers that rely on strncpy's zero padding can
   then crash / core dump.

 * This is fixed in the little endian Power 9 implementation
   of strncpy.S by using the proper VSX number for VR 18
   in stxv and stxvl (VR0-VR31 alias VSR32-VSR63, so VR 18 is
   vs50; vs18 is a different register that the routine never set).

[Test Plan]

 * Have an Ubuntu Server 22.04 LTS running on Power 9
   (or compatible) hardware.

 * Take the C test program and reproducer from here:
   https://sourceware.org/bugzilla/show_bug.cgi?id=29197
   and compile it for power9 (ppc64le).

 * Execute it on ppc64el (on hardware, or under qemu user emulation)
   and on an unpatched libc6 it aborts with a core dump, e.g.:
   "qemu: uncaught target signal 6 (Aborted) - core dumped
    Aborted"

 * gdb will report the following value of c[]:
   (gdb) p c
   $1 = "\000\015\015"
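The following is an added example, not the reproducer from the upstream bug report and not glibc's own test code. It is a generic padding check for strncpy() that would expose this class of defect: the destination is pre-filled with a sentinel byte (0x0d, the \015 visible in the gdb output above, chosen here as an assumption), strncpy() is called through a volatile function pointer so the real libc routine runs, and every byte between the copied prefix and n is checked for zero while the bytes past n are checked for being untouched. The source strings and the sizes swept around the 16-byte vector width are constructed for this example.

```c
/* Added example: a padding check for strncpy(), written for this page.
 * strncpy(dst, src, n) must copy src up to its NUL and fill the rest of the
 * n bytes with zeros.  __strncpy_power9 stored an uninitialised vector
 * register for that fill, so bytes after the NUL kept their old contents.
 * Pre-filling dst with a sentinel makes such a defect visible. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENTINEL 0x0d   /* assumption: the \015 seen in the gdb output */
#define MAX_N    64     /* largest n this harness accepts */

/* Copy src into a sentinel-filled buffer with strncpy() and return the
 * number of defective bytes: a wrong prefix counts as one, every non-zero
 * byte in [strlen(src), n) counts as one, and every byte at or past n that
 * is no longer SENTINEL counts as one (strncpy writes exactly n bytes).
 * A correct strncpy yields 0.  Returns -1 if n exceeds MAX_N. */
static int strncpy_padding_defects(const char *src, size_t n)
{
    unsigned char buf[MAX_N + 16];
    size_t len = strlen(src);
    size_t copied, i;
    int defects = 0;
    /* volatile pointer keeps the compiler from inlining or folding the
     * call, so the libc implementation under test is what runs */
    char *(*volatile do_strncpy)(char *, const char *, size_t) = strncpy;

    if (n > MAX_N)
        return -1;

    memset(buf, SENTINEL, sizeof buf);
    do_strncpy((char *)buf, src, n);

    copied = len < n ? len : n;          /* prefix strncpy must copy */
    if (memcmp(buf, src, copied) != 0)
        defects++;
    for (i = copied; i < n; i++)         /* zero padding up to n */
        if (buf[i] != 0)
            defects++;
    for (i = n; i < sizeof buf; i++)     /* nothing past n may change */
        if (buf[i] != SENTINEL)
            defects++;
    return defects;
}

/* Sweep short sources and sizes across several vector widths, since the
 * buggy path was the vector store of the fill.  Returns total defects. */
static int sweep_strncpy(void)
{
    static const char *const srcs[] = {          /* constructed inputs */
        "", "a", "hello", "0123456789abcdef", "0123456789abcdefghij"
    };
    int total = 0;
    size_t s, n;

    for (s = 0; s < sizeof srcs / sizeof srcs[0]; s++)
        for (n = 1; n <= 48; n++)
            total += strncpy_padding_defects(srcs[s], n);
    return total;
}

int main(void)
{
    int defects = sweep_strncpy();
    printf("strncpy padding defects: %d\n", defects);
    return defects == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

On a libc with the bug the sweep reports non-zero defects for the cases where the fill runs through the vector path; a fixed libc6 reports 0. Build it with the same compiler flags as the package under test (for Ubuntu 22.04 on ppc64el that is a Power 9 baseline) so the dynamic linker selects the __strncpy_power9 variant.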

[Where problems could occur]

 * Severe problems can occur if wrong registers are used,
   if the (zero-)padding is done in a wrong way,
   or if the fixes for stxv and stxvl were mixed up.

 * The foreseeable effects of such a mistake are further crashes
   of the same kind as the one being fixed.

 * But the code was thoroughly analysed, first as a gcc bug,
   then as a glibc bug.

 * The changes are limited to:
   sysdeps/powerpc/powerpc64/le/power9
   and with that are Power 9 specific,
   well explained, documented, traceable and tested
   (not only on ppc64le, which is what matters for Ubuntu, but
    also on ppc and ppc64).

[Other Info]

 * The fix is needed for Power 9 targets (22.04 is compiled for P9),
   has already been applied upstream for glibc 2.36
   and has been backported to glibc >= 2.33.

__________

== Comment: #0 - Tulio Magno Quites Machado Filho <email address hidden> - 2022-06-08 08:35:44 ==
---Problem Description---
__strncpy_power9() uses uninitialised register vs18 value for filling after \0

The fix has already been applied upstream for glibc 2.36 and has been backported to glibc >= 2.33.

Commit for glibc 2.36:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0218463dd8265ed937622f88ac68c7d984fe0cfc

Commit for glibc 2.35:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0a1572b8bb880a63d50a63b2afe4bb67704ac23e

Contact Information = Tulio Magno Quites Machado <email address hidden>

---Additional Hardware Info---
Requires Power9 or Power10 to reproduce

---uname output---
N/A

Machine Type = N/A

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 See the description from the bug reported upstream at: https://sourceware.org/bugzilla/show_bug.cgi?id=29197

Userspace tool common name: glibc

The userspace tool has the following bit modes: glibc

Userspace rpm: libc6

Userspace tool obtained from project website: na

*Additional Instructions for Tulio Magno Quites Machado <email address hidden>:
-Attach ltrace and strace of userspace application.

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-06-09 11:25 EDT-------
This bug is targeted for Ubuntu22.04.x series.

tags: added: architecture-ppc64le bugnameltc-198488 severity-medium targetmilestone-inin22041
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → glibc (Ubuntu)
Frank Heimes (fheimes)
Changed in glibc (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-power-systems:
importance: Undecided → Medium
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Simon Chopin (schopin)
tags: added: fr-2460
Changed in glibc (Ubuntu Jammy):
status: New → In Progress
Frank Heimes (fheimes)
Changed in ubuntu-power-systems:
status: New → In Progress
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

Could someone update this bug to follow the SRU template? https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

I think the test case from the bug report should be fine.

Frank Heimes (fheimes)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted glibc into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glibc (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (glibc/2.35-0ubuntu3.1)

All autopkgtests for the newly accepted glibc (2.35-0ubuntu3.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

macaulay2/1.19.1+ds-6 (armhf)
oss4/4.2-build2010-5ubuntu9 (amd64)
packer/1.6.6+ds1-4 (s390x)
network-manager/1.36.6-0ubuntu2 (arm64)
hilive/2.0a-3build3 (arm64)
openjdk-lts/11.0.15+10-0ubuntu0.22.04.1 (armhf)
ruby-mysql2/0.5.3-3ubuntu4 (s390x, arm64, ppc64el, armhf)
prometheus/2.31.2+ds1-1ubuntu1 (armhf)
umockdev/0.17.7-1 (s390x)
mbedtls/2.28.0-1build1 (s390x)
golang-v2ray-core/4.34.0-5 (armhf)
slixmpp/1.7.1-1build1 (s390x)
nwchem/7.0.2-3 (arm64)
pappl/1.0.3-2 (s390x)
golang-github-bmatsuo-lmdb-go/1.8.0+git20170215.a14b5a3-2 (amd64)
ruby-standalone/3.0~1 (s390x)
seqkit/2.1.0+ds-1 (s390x)
pandas/1.3.5+dfsg-3 (s390x)
netplan.io/0.104-0ubuntu2 (arm64)
pyfai/0.21.1+dfsg1-1build1 (ppc64el)
iptables/1.8.7-1ubuntu5 (i386, s390x)
golang-github-influxdata-tail/1.0.0+git20180327.c434825-4 (s390x, ppc64el)
opensaml/3.2.1-1 (arm64)
node-iconv/3.0.1+~3.0.0-1 (armhf)
ubuntu-image/2.2+22.04ubuntu3 (s390x)
fenix/0.92a.dfsg1-12.1 (i386)
notary/0.7.0+ds1-1 (arm64)
rustc/1.59.0+dfsg1-1~ubuntu2~22.04.1 (arm64)
tmux/3.2a-4build1 (s390x)
genshi/0.7.6-1build1 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#glibc

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-07-20 15:16 EDT-------
The package libc6:ppc64el 2.35-0ubuntu3.1 fixed the issue, I checked with the test case from the bug report and looked into the assembly.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Frank Heimes (fheimes) wrote :

Thx for the verification!

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.35-0ubuntu3.1

---------------
glibc (2.35-0ubuntu3.1) jammy; urgency=medium

  * debian/maint: add a script to manage backports of patches from upstream
    maintenance branch.
  * Cherry-pick patches from upstream maintenance branch:
    - 0001-S390-Add-new-s390-platform-z16.patch (LP: #1971612)
    - 0002-powerpc-Fix-VSX-register-number-on-__strncpy_power9-.patch (LP: #1978130)

 -- Michael Hudson-Doyle <email address hidden> Thu, 07 Jul 2022 11:23:23 +1200

Changed in glibc (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for glibc has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Frank Heimes (fheimes) wrote :

Meanwhile glibc 2.36-0ubuntu2 has landed in kinetic (release), hence the affects kinetic entry can be marked as 'Fix Released' and with that the entire entry is 'Fix Released'.

Changed in glibc (Ubuntu):
status: New → Fix Released
Changed in ubuntu-power-systems:
status: In Progress → Fix Released