i386 implementation of memmove broken since glibc 2.21

Bug #1756209 reported by Thomas Middeldorp on 2018-03-16
This bug affects 1 person

Affects           Importance   Assigned to
glibc (Ubuntu)    High         Unassigned
  Xenial          Undecided    Unassigned
  Bionic          High         Unassigned

Bug Description

[Impact]
* i386 memmove breaks when crossing the 2GB threshold.

[Test Case]

* Compile and run the reproducer as described at https://github.com/fingolfin/memmove-bug or observe string/test-memmove test passing during the build/autopkgtest on i386.

[Regression Potential]

* Can break memmove, but this is unlikely since memmove is the very function fixed by fixing signedness handling.

[Original Bug Text]

In glibc 2.21 they optimized i386 memcpy:

https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html

The implementation contained a bug which causes memmove to break when crossing the 2GB threshold.

This has been filed with glibc here (filed by someone else, but I have requested an update from them as well):

https://sourceware.org/bugzilla/show_bug.cgi?id=22644

Unfortunately they have not yet taken action on this bug; however, I want to bring it to your attention in the hope that it can be patched into all current Ubuntu releases as soon as possible. I hope this is not improper procedure. Both myself and another (see comment 1 in the glibc bug report) have tested the patch provided in the above glibc bug report and it does appear to fix the problem; however, I don't know what the procedure is for getting it properly confirmed/tested and merged into Ubuntu.

As requested in the guidelines:

1) We are using:
Description: Ubuntu 16.04.4 LTS
Release: 16.04

2)
libc6:i386:
  Installed: 2.23-0ubuntu10

However as stated above this has been present since libc6:i386 2.21 and affects Ubuntu 15.04 onward. (I have actually tested this as well. 15.04 conveniently used both glibc 2.19 and 2.21 so it was a good test platform when I was initially attempting to track down the problem.)

3) What we expected to happen:
memmove should move data within the entire valid address space without segfaulting or corrupting memory.

4) What happened instead:
When memmove attempts to move data crossing the 2GB threshold it either segfaults or causes memory corruption.
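An added illustration of the bug class the report describes (not glibc's own assembly, and not the reproducer linked above): a copy routine has to decide between forward and backward copying based on whether the regions overlap, and if that decision compares addresses as signed 32-bit values it flips once the move straddles 0x80000000, the 2 GiB mark. The window base, sizes and the 0x7FFFFFF8 -> 0x80000000 move are constructed test values, and the simulated 32-bit addresses are mapped onto a small host buffer so this runs on any machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model of the bug class on simulated 32-bit addresses (not glibc's code).
 * Backward copying is needed only when src < dst < src + n.  Addresses are
 * unsigned; a signed compare misreads them once a move straddles 0x80000000. */
enum direction { FORWARD, BACKWARD };

/* Buggy chooser: addresses compared as signed 32-bit integers. */
static enum direction choose_signed(uint32_t dst, uint32_t src, uint32_t n) {
    int32_t d = (int32_t)dst, s = (int32_t)src, end = (int32_t)(src + n);
    return (d > s && d < end) ? BACKWARD : FORWARD;
}

/* Fixed chooser: unsigned distance; dst < src wraps to a large value and
 * therefore also selects FORWARD, the safe direction in that case. */
static enum direction choose_unsigned(uint32_t dst, uint32_t src, uint32_t n) {
    return (dst - src < n) ? BACKWARD : FORWARD;
}

/* Constructed simulated memory window whose first byte sits just below 2 GiB. */
#define WINDOW_BASE 0x7FFFFFF0u
#define WINDOW_SIZE 64u

static void copy_dir(uint8_t *win, uint32_t dst, uint32_t src, uint32_t n,
                     enum direction dir) {
    uint8_t *d = win + (dst - WINDOW_BASE), *s = win + (src - WINDOW_BASE);
    if (dir == FORWARD) { for (uint32_t i = 0; i < n; i++) d[i] = s[i]; }
    else                { for (uint32_t i = n; i-- > 0;)  d[i] = s[i]; }
}

/* Move with the given chooser and compare against the host's (correct)
 * memmove on an identical buffer; true means the result is not corrupted. */
static bool move_matches(enum direction (*choose)(uint32_t, uint32_t, uint32_t),
                         uint32_t dst, uint32_t src, uint32_t n) {
    uint8_t win[WINDOW_SIZE], ref[WINDOW_SIZE];
    for (uint32_t i = 0; i < WINDOW_SIZE; i++) win[i] = ref[i] = (uint8_t)i;
    memmove(ref + (dst - WINDOW_BASE), ref + (src - WINDOW_BASE), n);
    copy_dir(win, dst, src, n, choose(dst, src, n));
    return memcmp(win, ref, WINDOW_SIZE) == 0;
}

int main(void) {
    /* Constructed case: 16 overlapping bytes moved from 0x7FFFFFF8 to 0x80000000. */
    uint32_t src = 0x7FFFFFF8u, dst = 0x80000000u, n = 16;
    printf("signed compare:   %s\n", move_matches(choose_signed, dst, src, n) ? "ok" : "CORRUPTED");
    printf("unsigned compare: %s\n", move_matches(choose_unsigned, dst, src, n) ? "ok" : "CORRUPTED");
    return 0;
}
```

The same overlapping move placed entirely above or entirely below the 2 GiB mark is handled correctly by both choosers, which is why the fault only shows up when a buffer crosses the threshold.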

Thomas Middeldorp (thomasggg) wrote:

Just to keep this up to date, they have now committed a patch to fix this.

Matthias Klose (doko) on 2018-03-27
Changed in glibc (Ubuntu Bionic):
milestone: none → ubuntu-18.04
importance: Undecided → High
status: New → Confirmed
tags: added: id-5ac41c8a07e3bbcc42edc5cb
Adam Conrad (adconrad) on 2018-12-08
Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Balint Reczey (rbalint) on 2020-09-09
description: updated

Hello Thomas, or anyone else affected,

Accepted glibc into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glibc/2.27-3ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glibc (Ubuntu Bionic):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-bionic

All autopkgtests for the newly accepted glibc (2.27-3ubuntu1.3) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

