Hi,

Valgrind reports an invalid read, while I think the program is valid.
The program uses stpncpy() instead of strcpy():

#include <string.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv) {
    /* Two zero-filled 4-byte blocks: room for 3 characters plus the NUL. */
    char *dst = (char *) calloc(4, 1);
    char *src = (char *) calloc(4, 1);
    src[0] = 'a';
    src[1] = 'b';
    src[2] = 'c';
    src[3] = '\0';
    /* stpncpy() copies at most 3 bytes and, since no NUL occurs within
       those 3 source bytes, returns dst + 3.  dst[3] is still the NUL
       from calloc(), so the second %s below prints the empty string. */
    dst = stpncpy(dst, src, 3);
    printf("%s %s\n", src, dst);
    return 0;
}

The error is the following:

$ valgrind ./a.out
==21946== Memcheck, a memory error detector
==21946== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==21946== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==21946== Command: ./a.out
==21946==
==21946== Invalid read of size 8
==21946==    at 0x4ECA554: __stpncpy_sse2_unaligned (strcpy-sse2-unaligned.S:297)
==21946==    by 0x400608: main (in /data/francis/workspace/augeas/a.out)
==21946==  Address 0x51ef090 is 0 bytes inside a block of size 4 alloc'd
==21946==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21946==    by 0x4005C4: main (in /data/francis/workspace/augeas/a.out)
==21946==
==21946== Invalid read of size 8
==21946==    at 0x4ECA558: __stpncpy_sse2_unaligned (strcpy-sse2-unaligned.S:298)
==21946==    by 0x400608: main (in /data/francis/workspace/augeas/a.out)
==21946==  Address 0x51ef0a0 is 12 bytes after a block of size 4 alloc'd
==21946==    at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21946==    by 0x4005C4: main (in /data/francis/workspace/augeas/a.out)
==21946==
abc

In the stpncpy routine, there are two key instructions that are executed:

<__stpncpy_sse2_unaligned+45>    pcmpeqb (%rsi), %xmm1
<__stpncpy_sse2_unaligned+49>    pmovmskb %xmm1, %edx


The result in %edx is 0xfff8, which shows that all bytes are zero
except the last 3. The whole point here is: this instruction reads 8
bytes, no matter the size of the string (here 4). Could it mislead
valgrind? Does stpncpy assume the memory is word aligned, meaning that
even with a string of 4 bytes, 8 are actually allocated, and that it's
safe to read those 8 bytes?

Thanks!

Francis Giraldeau

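The two instructions quoted above are the usual SSE2 string-scanning idiom: pcmpeqb with an all-zero %xmm register loads a full 16-byte vector (not 8) and compares every byte against 0, and pmovmskb collapses the result into a 16-bit mask in which bit i is set when byte i is a NUL. What follows is an added example, not code from the mail or from glibc, that re-creates that mask computation in C so the 0xfff8 value can be checked, and then uses it for a 16-bytes-at-a-time strlen that only ever issues 16-byte-aligned loads (an aligned 16-byte load cannot straddle a page, which is why such over-reads do not fault). The function names zero_mask16, first_nul16, lowest_bit and strlen16 and the two sample buffers are this example's own; the buffers are aligned and padded so that every load stays inside them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__SSE2__)
#include <emmintrin.h>
#endif

/* Recreates what "pcmpeqb (%rsi),%xmm1 ; pmovmskb %xmm1,%edx" computes when
 * %xmm1 starts out as all zeros: bit i of the result is set iff byte i of the
 * 16 bytes at p is 0.  The load is always a full 16 bytes, regardless of how
 * long the string (or the allocation behind it) is.  SSE2 intrinsics are used
 * when available, otherwise a scalar emulation of the same two instructions. */
static unsigned zero_mask16(const unsigned char *p)
{
#if defined(__SSE2__)
    __m128i chunk = _mm_loadu_si128((const __m128i *)p);
    __m128i eq    = _mm_cmpeq_epi8(chunk, _mm_setzero_si128());
    return (unsigned)_mm_movemask_epi8(eq) & 0xffffu;
#else
    unsigned mask = 0;
    for (int i = 0; i < 16; i++)
        if (p[i] == 0)
            mask |= 1u << i;
    return mask;
#endif
}

/* Position of the lowest set bit (mask must be non-zero): the bit-scan step
 * that follows pmovmskb in a real string routine. */
static int lowest_bit(unsigned mask)
{
    int i = 0;
    while (!(mask & 1u)) { mask >>= 1; i++; }
    return i;
}

/* Index of the first NUL among the 16 bytes at p, or 16 if there is none. */
static int first_nul16(const unsigned char *p)
{
    unsigned mask = zero_mask16(p);
    return mask ? lowest_bit(mask) : 16;
}

/* strlen() done 16 bytes at a time.  Every load starts on a 16-byte boundary,
 * so a load never straddles a page and cannot fault, even though it touches
 * bytes before s and bytes after the NUL.  Memcheck does not accept that
 * argument: bytes outside the allocated block are still invalid reads. */
static size_t strlen16(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t off = (size_t)((uintptr_t)p & 15);  /* bytes before s in the chunk */
    const unsigned char *chunk = p - off;       /* aligned down to 16 */
    unsigned mask = zero_mask16(chunk) >> off;  /* drop the bytes before s */
    size_t len = 0;
    while (mask == 0) {                         /* no NUL in this chunk yet */
        len += 16 - off;
        off = 0;
        chunk += 16;
        mask = zero_mask16(chunk);
    }
    return len + (size_t)lowest_bit(mask);
}

/* Constructed samples (not from the mail), aligned and padded so that every
 * 16-byte load in this demo stays inside the buffer.  Calling strlen16() on
 * the 4-byte calloc() block from the mail would instead read up to 12 bytes
 * past the allocation, which is the over-read Memcheck reports. */
_Alignas(16) static const unsigned char sample[32] = "abc";
_Alignas(16) static const char long_sample[48] = "0123456789abcdefghijklmnop";

int main(void)
{
    printf("mask = 0x%04x, first NUL at %d\n",
           zero_mask16(sample), first_nul16(sample));
    printf("strlen16(\"abc\") = %zu\n", strlen16((const char *)sample));
    printf("strlen16(long_sample + 5) = %zu\n", strlen16(long_sample + 5));
    return 0;
}
```

For "abc" followed by zeros the mask is 0xfff8: bits 3 to 15 set (those bytes are NUL), bits 0 to 2 clear (the three characters), and the lowest set bit gives the string length 3. The mask bits are one per byte, so 0xfff8 describes 16 bytes, which is also how many bytes the single load read from a block that only contained 4.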

_______________________________________________
Valgrind-users mailing list
Valgrind-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/valgrind-users
