overlapping memcpy in ssl_io_input_read
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apache2 Web Server | Fix Released | Medium | | |
| apache2 (Ubuntu) | Fix Released | High | Unassigned | |
| Lucid | Fix Released | High | Unassigned | |
| Maverick | Fix Released | High | Unassigned | |
Bug Description
Hello.
I found a terrible bug in the memory copy routine (eglibc-

```asm
movl LEN(%esp), %ecx
movl SRC(%esp), %eax
movl DEST(%esp), %edx
......
L(fwd_write_
#ifndef USE_AS_MEMMOVE
cmp %dl, %al -----<<<<< BUG !!!
jb L(bk_write)
```
Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. The data should be copied in the forward direction. The problem is when AR[10] crosses a 255-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al reports AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it causes problems in Apache mod_ssl on Ubuntu 10.04 with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behaviour (bug #595116, bug #595855, bug #589611 and maybe others).
I don't know if only these two files are affected by this bug.
See GDB snapshot in attachment
Regards
Jiri Engelthaler
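The scenario in the report can be reproduced without the assembly. The following is an added example, not code from the bug report, eglibc or Apache: it models the broken direction check (comparing only the low byte of the two addresses, as `cmp %dl, %al` does) beside a correct full-pointer check, places a buffer so that AR[0] ends in 0xF8 and AR[10] ends in 0x02, and moves 47 bytes from AR[10] to AR[0] under each check. The byte-wise copy routine, the buffer placement helper and the `move_is_correct` function are constructed for this illustration; `memmove()`, which is defined for overlapping regions and is the safe replacement for an overlapping `memcpy()` such as the one in ssl_io_input_read, is used as the reference result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the broken check: only the low byte of each address is compared
 * (cmp %dl, %al; jb bk_write). Returns 1 when it would choose a backward copy. */
static int buggy_copies_backward(uintptr_t dst, uintptr_t src)
{
    uint8_t dl = (uint8_t)dst;
    uint8_t al = (uint8_t)src;
    return al < dl;
}

/* Correct check: a backward copy is needed only when the destination starts
 * inside the source range, so a forward copy would overwrite unread bytes. */
static int correct_copies_backward(uintptr_t dst, uintptr_t src, size_t n)
{
    return dst > src && dst < src + n;
}

/* Byte-wise copy in the chosen direction, like the fwd_write / bk_write paths. */
static void copy_dir(unsigned char *dst, const unsigned char *src,
                     size_t n, int backward)
{
    if (backward) {
        while (n--)
            dst[n] = src[n];
    } else {
        for (size_t i = 0; i < n; i++)
            dst[i] = src[i];
    }
}

/* Return a pointer into `base` whose address has low byte `low`, so the
 * example reproduces the report's layout (AR[0] ending in 0xF8). */
static unsigned char *place_buffer(unsigned char *base, unsigned low)
{
    uintptr_t b = (uintptr_t)base;
    size_t off = (low - (b & 0xFF) + 0x100) & 0xFF;
    return base + off;
}

/* Move 47 bytes from AR[10] to AR[0] using the selected direction check.
 * Returns 1 if the result matches memmove(), 0 if the data were corrupted. */
static int move_is_correct(int use_buggy_check)
{
    static unsigned char storage[512];           /* constructed sample buffer */
    unsigned char *AR = place_buffer(storage, 0xF8);
    unsigned char expect[64];

    for (int i = 0; i < 64; i++)
        AR[i] = (unsigned char)('A' + i % 26);
    memcpy(expect, AR, 64);
    memmove(expect, expect + 10, 47);            /* reference: overlap-safe */

    uintptr_t d = (uintptr_t)AR, s = (uintptr_t)(AR + 10);
    int backward = use_buggy_check ? buggy_copies_backward(d, s)
                                   : correct_copies_backward(d, s, 47);
    copy_dir(AR, AR + 10, 47, backward);
    return memcmp(AR, expect, 64) == 0;
}

int main(void)
{
    printf("low-byte check : %s\n", move_is_correct(1) ? "ok" : "CORRUPTED");
    printf("full-ptr check : %s\n", move_is_correct(0) ? "ok" : "CORRUPTED");
    printf("memmove        : ok (used as reference)\n");
    return 0;
}
```

With the source above the destination and the two addresses straddling a 256-byte boundary, the low-byte check picks the backward path and the 47-byte region comes back scrambled; the full-pointer check (and memmove) copy forward and preserve it. The practical lesson for callers is the same regardless of which libc is installed: memcpy() is only defined for non-overlapping buffers, so any in-buffer shift, as in ssl_io_input_read, must use memmove().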
CVE References
- description: updated
- summary: Critical bug in memcpy-ssse3-rep.S → overlapping memcpy in ssl_io_input_read
- Changed in apache2 (Ubuntu Lucid):
  - importance: Undecided → High
  - milestone: none → lucid-updates
  - status: New → In Progress
- Changed in apache2 (Ubuntu Maverick):
  - importance: Undecided → High
  - milestone: none → maverick-alpha-3
  - status: New → Triaged
- Changed in apache2:
  - importance: Unknown → Medium
  - status: Unknown → Fix Released
This test code should always return the same string, but it doesn't.