You have been subscribed to a public bug:

Hello.
I found a terrible bug in the memory copy routine
(eglibc-2.11.1/sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S and
memcpy-ssse3.S). Here is the code:

    movl    LEN(%esp), %ecx
    movl    SRC(%esp), %eax
    movl    DEST(%esp), %edx
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
    cmp    %dl, %al     -----<<<<< BUG !!!
    jb    L(bk_write)

Assume that I have an array of char AR and I want to move data from AR[10] to
AR[0] with length 47. The data should be copied in the forward direction. The
problem is when AR[10] overlaps the 255 bytes boundary. For example, if the
address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102
(EAX), then cmp %dl,%al returns AL as smaller than DL and the data are copied
in the reverse direction, which causes data corruption.
In reality it will cause problems on Ubuntu 10.04 mod_ssl in Apache with the
last updates installed (libc6:  Installed: 2.11.1-0ubuntu7.2), which is
sometimes unable to process the HTTP header because of malformed data, but may
cause other unexpected behavior (bug #595116, bug #595855, bug #589611 and
maybe others).

I don't know if only these two files are affected by this bug.

See GDB snapshot in attachment

  Regards
     Jiri Engelthaler

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Critical bug in memcpy-ssse3-rep.S
https://bugs.launchpad.net/bugs/609290
You received this bug notification because you are a member of Ubuntu Server 
Team, which is subscribed to apache2 in ubuntu.
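
The direction check described in the report, modeled in C as an added example (not code from eglibc or from the reporter). It assumes a simplified byte-wise copy in place of the SSSE3 routine and uses the report's addresses 0xF8 and 0x102 with length 47; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decision modeled on "cmp %dl, %al ; jb L(bk_write)": only the low
 * bytes of the source (AL) and destination (DL) addresses are compared. */
static int backward_low_byte(uint32_t src, uint32_t dst) {
    return (uint8_t)src < (uint8_t)dst;
}

/* The same decision made on the full 32-bit addresses. */
static int backward_full(uint32_t src, uint32_t dst) {
    return src < dst;
}

/* Byte-wise copy in the chosen direction (stand-in for the real routine). */
static void copy_dir(unsigned char *dst, const unsigned char *src,
                     size_t n, int backward) {
    if (backward) { while (n--) dst[n] = src[n]; }
    else { for (size_t i = 0; i < n; i++) dst[i] = src[i]; }
}

/* Move AR[10..56] to AR[0..46] as in the report, pretending AR[0] lives at
 * dst_addr. Returns how many of the 47 destination bytes end up wrong. */
static int corrupted_bytes(uint32_t dst_addr, int use_low_byte) {
    unsigned char ar[64], expect[47];
    uint32_t src_addr = dst_addr + 10;
    int back, bad = 0;
    for (int i = 0; i < 64; i++) ar[i] = (unsigned char)i; /* constructed data */
    memcpy(expect, ar + 10, sizeof expect);
    back = use_low_byte ? backward_low_byte(src_addr, dst_addr)
                        : backward_full(src_addr, dst_addr);
    copy_dir(ar, ar + 10, sizeof expect, back);
    for (int i = 0; i < 47; i++) bad += (ar[i] != expect[i]);
    return bad;
}

int main(void) {
    printf("low-byte compare at 0xF8: %d bytes corrupted\n",
           corrupted_bytes(0xF8, 1));
    printf("full compare at 0xF8:     %d bytes corrupted\n",
           corrupted_bytes(0xF8, 0));
    printf("low-byte compare at 0x10: %d bytes corrupted\n",
           corrupted_bytes(0x10, 1));
    return 0;
}
```

The corruption only appears when the low byte of the source address wraps below that of the destination, which is why the failure is intermittent and depends on where the buffer happens to be placed.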
