Comment 0 for bug 609290

Jiří Engelthaler (engycz) wrote : Critical bug in memcpy-ssse3-rep.S

Hello.
I found a terrible bug in the memory copy routine. Here is the code:

    movl LEN(%esp), %ecx      # ecx = length
    movl SRC(%esp), %eax      # eax = source address
    movl DEST(%esp), %edx     # edx = destination address
......
L(fwd_write_less32bytes):
#ifndef USE_AS_MEMMOVE
    cmp %dl, %al -----<<<<< BUG !!!   # compares only the low 8 bits of src and dest
    jb L(bk_write)            # take the backward-copy path if "src < dest"

Assume that I have an array of char AR and I want to move data from AR[10] to AR[0] with length 47. The data should be copied in the forward direction. The problem occurs when AR[10] crosses a 256-byte boundary. For example, if the address of AR[0] is 0x000000F8 (EDX) and the address of AR[10] is 0x00000102 (EAX), then cmp %dl,%al reports AL as smaller than DL and the data are copied in the reverse direction, which causes data corruption.
In reality it causes problems on Ubuntu 10.04 with mod_ssl in Apache with the latest updates installed (libc6: Installed: 2.11.1-0ubuntu7.2), which is sometimes unable to process the HTTP header because of malformed data, but it may cause other unexpected behavior as well.

I don't know if only this one file is affected by this bug.

See GDB snapshot in attachment

  Regards
     Jiri Engelthaler
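The scenario from the report, reproduced in C as an added example (not code from the bug report or from glibc): a buffer is positioned so that the destination's low address byte is 0xF8 and the source, 10 bytes further on, has low byte 0x02, exactly as described above. The direction test is modelled two ways, once comparing only the low 8 bits as the buggy `cmp %dl, %al` does and once comparing the full addresses; the byte values and buffer placement are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Copy `len` bytes either forward or backward; this is what L(bk_write)
 * versus the forward path amounts to for overlapping buffers. */
static void copy_with_direction(unsigned char *dst, const unsigned char *src,
                                size_t len, int backward) {
    if (backward) {
        for (size_t i = len; i > 0; i--) dst[i - 1] = src[i - 1];
    } else {
        for (size_t i = 0; i < len; i++) dst[i] = src[i];
    }
}

/* Buggy decision: like `cmp %dl, %al`, only the low byte of each address. */
int buggy_goes_backward(const void *dst, const void *src) {
    return (uint8_t)(uintptr_t)src < (uint8_t)(uintptr_t)dst;
}

/* Correct decision: compare the full 32/64-bit addresses. */
int correct_goes_backward(const void *dst, const void *src) {
    return (uintptr_t)src < (uintptr_t)dst;
}

/* Reproduce the report: AR[0] has low address byte 0xF8, AR[10] is the
 * source (low byte 0x02), length 47. AR[i] is filled with the value i
 * (constructed), so after a correct move AR[i] must equal i + 10.
 * Returns the number of corrupted bytes. */
size_t corrupted_bytes(int (*decide)(const void *, const void *)) {
    unsigned char *raw = malloc(768);
    unsigned char *ar = raw;
    while (((uintptr_t)ar & 0xFF) != 0xF8) ar++;   /* at most 255 steps */
    for (size_t i = 0; i < 64; i++) ar[i] = (unsigned char)i;
    copy_with_direction(ar, ar + 10, 47, decide(ar, ar + 10));
    size_t bad = 0;
    for (size_t i = 0; i < 47; i++)
        if (ar[i] != (unsigned char)(i + 10)) bad++;
    free(raw);
    return bad;
}

int main(void) {
    printf("low-byte compare: %zu corrupted bytes\n",
           corrupted_bytes(buggy_goes_backward));
    printf("full compare:     %zu corrupted bytes\n",
           corrupted_bytes(correct_goes_backward));
    return 0;
}
```

With the low-byte comparison the backward path is taken, so bytes 0..36 are read after they have already been overwritten and 37 of the 47 bytes end up wrong; the full comparison copies forward and leaves no corruption.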