2010-07-23 20:17:07 |
Jiří Engelthaler |
bug |
|
|
added bug |
2010-07-23 20:17:07 |
Jiří Engelthaler |
attachment added |
|
GDB snapshot http://launchpadlibrarian.net/52396057/memcpybug.PNG |
|
2010-07-24 06:26:14 |
Jiří Engelthaler |
description |
Hello.
I found a terrible bug in the memory copy routine. Here is the code:
movl LEN(%esp), %ecx
movl SRC(%esp), %eax
movl DEST(%esp), %edx
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
cmp %dl, %al -----<<<<< BUG !!!
jb L(bk_write)
Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. Data should be copied in the forward direction. The problem is when AR[10] overlaps a 255-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al returns AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it will cause problems with mod_ssl in Apache on Ubuntu 10.04 with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behavior.
I don't know if only this one file is affected by this bug.
See the GDB snapshot in the attachment.
Regards
Jiri Engelthaler |
Hello.
I found a terrible bug in the memory copy routine. Here is the code:
movl LEN(%esp), %ecx
movl SRC(%esp), %eax
movl DEST(%esp), %edx
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
cmp %dl, %al -----<<<<< BUG !!!
jb L(bk_write)
Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. Data should be copied in the forward direction. The problem is when AR[10] overlaps a 255-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al returns AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it will cause problems with mod_ssl in Apache on Ubuntu 10.04 with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behavior (bug #595116, bug #595855, bug #589611 and maybe others).
I don't know if only this one file is affected by this bug.
See the GDB snapshot in the attachment.
Regards
Jiri Engelthaler
|
|
2010-07-24 06:27:35 |
Jiří Engelthaler |
attachment added |
|
memcpy test http://launchpadlibrarian.net/52415329/memcpytest.c |
|
2010-07-24 07:10:27 |
Jiří Engelthaler |
description |
Hello.
I found a terrible bug in the memory copy routine. Here is the code:
movl LEN(%esp), %ecx
movl SRC(%esp), %eax
movl DEST(%esp), %edx
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
cmp %dl, %al -----<<<<< BUG !!!
jb L(bk_write)
Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. Data should be copied in the forward direction. The problem is when AR[10] overlaps a 255-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al returns AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it will cause problems with mod_ssl in Apache on Ubuntu 10.04 with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behavior (bug #595116, bug #595855, bug #589611 and maybe others).
I don't know if only this one file is affected by this bug.
See the GDB snapshot in the attachment.
Regards
Jiri Engelthaler
|
Hello.
I found a terrible bug in the memory copy routine (eglibc-2.11.1/sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S and memcpy-ssse3.S). Here is the code:
movl LEN(%esp), %ecx
movl SRC(%esp), %eax
movl DEST(%esp), %edx
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
cmp %dl, %al -----<<<<< BUG !!!
jb L(bk_write)
Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. Data should be copied in the forward direction. The problem is when AR[10] overlaps a 255-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al returns AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it will cause problems with mod_ssl in Apache on Ubuntu 10.04 with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behavior (bug #595116, bug #595855, bug #589611 and maybe others).
I don't know if only these two files are affected by this bug.
See the GDB snapshot in the attachment.
Regards
Jiri Engelthaler
|
|
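Added example, not part of the bug report and not glibc's or Apache's code: a C model of the direction check the report describes. The assembly compares only the low bytes of the two addresses (cmp %dl,%al) before deciding whether to copy backward; the model reproduces that decision next to a full-address comparison, sets up the reporter's layout (destination at offset 0xF8 of a 256-byte-aligned buffer, source 10 bytes higher, 47 bytes), and checks each decision's result against memmove(). The buffer contents and the function names are constructed for the example.

```c
/* Constructed example: models the copy-direction check from the report. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Mimics "cmp %dl,%al ; jb bk_write": copy backward if the low byte of
 * SRC is below the low byte of DEST.  Returns 1 for backward, 0 for forward. */
int backward_by_low_byte(uintptr_t dest, uintptr_t src)
{
    return (uint8_t)src < (uint8_t)dest;
}

/* The check the routine needs: compare the whole addresses. */
int backward_by_full_address(uintptr_t dest, uintptr_t src)
{
    return src < dest;
}

/* Byte copy in the chosen direction (what runs after the decision). */
static void copy_bytes(unsigned char *dest, const unsigned char *src,
                       size_t n, int backward)
{
    if (backward) {
        while (n--) dest[n] = src[n];
    } else {
        for (size_t i = 0; i < n; i++) dest[i] = src[i];
    }
}

/* Reporter's scenario: dest at offset 0xF8 of a 256-byte-aligned buffer,
 * src at offset 0x102 (= dest + 10), length 47.  The alignment makes the
 * low address bytes exactly 0xF8 and 0x02 as in the report.  Returns 1 if
 * copying with the given decision corrupts the data (differs from memmove),
 * 0 if it matches, -1 on allocation failure. */
int overlap_copy_corrupts(int (*decide)(uintptr_t, uintptr_t))
{
    enum { OFF_DEST = 0xF8, OFF_SRC = 0x102, LEN = 47, SIZE = 512 };
    unsigned char *raw = malloc(SIZE + 256);
    unsigned char *ref = malloc(SIZE);
    if (!raw || !ref) { free(raw); free(ref); return -1; }

    /* Round up to a 256-byte boundary by hand; portable to any libc. */
    unsigned char *buf =
        (unsigned char *)(((uintptr_t)raw + 255) & ~(uintptr_t)255);

    for (int i = 0; i < SIZE; i++) buf[i] = (unsigned char)i; /* constructed pattern */
    memcpy(ref, buf, SIZE);
    memmove(ref + OFF_DEST, ref + OFF_SRC, LEN);   /* correct overlapping move */

    unsigned char *dest = buf + OFF_DEST, *src = buf + OFF_SRC;
    copy_bytes(dest, src, LEN, decide((uintptr_t)dest, (uintptr_t)src));

    int corrupted = memcmp(buf, ref, SIZE) != 0;
    free(raw);
    free(ref);
    return corrupted;
}

int main(void)
{
    printf("low-byte check says backward:     %d (wrong: src is above dest)\n",
           backward_by_low_byte(0xF8, 0x102));
    printf("full-address check says backward: %d\n",
           backward_by_full_address(0xF8, 0x102));
    printf("low-byte decision corrupts data:     %d\n",
           overlap_copy_corrupts(backward_by_low_byte));
    printf("full-address decision corrupts data: %d\n",
           overlap_copy_corrupts(backward_by_full_address));
    return 0;
}
```

With the low-byte decision, every byte written at dest[i] for i >= 10 lands on src[i-10] before that source byte has been read, so the destination ends up holding the wrong data; the full-address decision copies forward and matches memmove(). The bug's renamed summary (overlapping memcpy in ssl_io_input_read) points at the caller as well: memcpy() gives no guarantee for overlapping buffers whatever its direction check does, and memmove(), as used for the reference copy above, is the call that does.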
2010-07-24 09:49:41 |
c_t |
bug |
|
|
added subscriber c_t |
2010-07-24 12:50:59 |
Stefan Fritsch |
bug watch added |
|
http://issues.apache.org/bugzilla/show_bug.cgi?id=45444 |
|
2010-07-24 12:52:32 |
Stefan Fritsch |
affects |
eglibc (Ubuntu) |
apache2 (Ubuntu) |
|
2010-07-24 14:00:17 |
Matthias Klose |
nominated for series |
|
Ubuntu Lucid |
|
2010-07-24 14:00:17 |
Matthias Klose |
bug task added |
|
apache2 (Ubuntu Lucid) |
|
2010-07-24 14:00:17 |
Matthias Klose |
nominated for series |
|
Ubuntu Maverick |
|
2010-07-24 14:00:17 |
Matthias Klose |
bug task added |
|
apache2 (Ubuntu Maverick) |
|
2010-07-24 14:11:37 |
Matthias Klose |
summary |
Critical bug in memcpy-ssse3-rep.S |
overlapping memcpy in ssl_io_input_read |
|
2010-07-24 14:11:56 |
Matthias Klose |
apache2 (Ubuntu Lucid): importance |
Undecided |
High |
|
2010-07-24 14:11:56 |
Matthias Klose |
apache2 (Ubuntu Lucid): status |
New |
In Progress |
|
2010-07-24 14:11:56 |
Matthias Klose |
apache2 (Ubuntu Lucid): milestone |
|
lucid-updates |
|
2010-07-24 14:12:50 |
Matthias Klose |
bug task added |
|
apache2 |
|
2010-07-24 14:13:16 |
Matthias Klose |
apache2 (Ubuntu Maverick): importance |
Undecided |
High |
|
2010-07-24 14:13:16 |
Matthias Klose |
apache2 (Ubuntu Maverick): status |
New |
Triaged |
|
2010-07-24 14:13:16 |
Matthias Klose |
apache2 (Ubuntu Maverick): milestone |
|
maverick-alpha-3 |
|
2010-07-24 14:20:52 |
Matthias Klose |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2010-07-26 09:00:26 |
Andre van der Elst |
bug |
|
|
added subscriber Andre van der Elst |
2010-07-27 15:00:10 |
Launchpad Janitor |
apache2 (Ubuntu Maverick): status |
Triaged |
Fix Released |
|
2010-07-27 15:00:10 |
Launchpad Janitor |
cve linked |
|
2010-1452 |
|
2010-07-30 13:06:43 |
Jeroen Vijfhuizen |
bug |
|
|
added subscriber Jeroen Vijfhuizen |
2010-08-04 13:48:13 |
Jiří Engelthaler |
attachment added |
|
apache.debdiff http://launchpadlibrarian.net/53045267/apache.debdiff |
|
2010-08-04 18:38:45 |
Lars Hvile |
bug |
|
|
added subscriber Lars Hvile |
2010-08-05 14:17:31 |
Lars Hvile |
nominated for series |
|
Ubuntu Karmic |
|
2010-08-17 06:03:20 |
Martin Pitt |
apache2 (Ubuntu Lucid): status |
In Progress |
Fix Committed |
|
2010-08-17 06:03:29 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
2010-08-17 06:03:35 |
Martin Pitt |
tags |
|
verification-needed |
|
2010-08-17 19:01:13 |
Steve Langasek |
apache2 (Ubuntu Lucid): status |
Fix Committed |
Triaged |
|
2010-08-17 19:04:26 |
Steve Langasek |
tags |
verification-needed |
|
|
2010-08-18 17:39:09 |
Bart Vanbrabant |
bug |
|
|
added subscriber Bart Vanbrabant |
2010-08-26 10:33:10 |
Ingo Rohlfs |
bug |
|
|
added subscriber Ingo Rohlfs |
2010-08-27 12:44:05 |
Bart Vanbrabant |
removed subscriber Bart Vanbrabant |
|
|
|
2010-09-28 12:50:30 |
Martin Pitt |
apache2 (Ubuntu Lucid): status |
Triaged |
Fix Committed |
|
2010-09-28 12:50:37 |
Martin Pitt |
tags |
|
verification-needed |
|
2010-10-19 05:43:07 |
Launchpad Janitor |
apache2 (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
2011-01-21 21:03:31 |
Launchpad Janitor |
branch linked |
|
lp:debian/sid/apache2 |
|
2011-01-21 21:07:47 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-proposed/apache2 |
|
2011-02-14 14:42:29 |
Bug Watch Updater |
apache2: status |
Unknown |
Fix Released |
|
2011-02-14 14:42:29 |
Bug Watch Updater |
apache2: importance |
Unknown |
Medium |
|