From: Michael Matz Date: Thu, 5 Apr 2012 08:48:14 +0000 (+0200) Subject: Fix size parameter comparisions. X-Git-Tag: glibc-2.16-tps~654 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e80d6f94e19d17b91e3cd3ada7193cc88f621feb;p=thirdparty%2Fglibc.git Fix size parameter comparisions. [BZ #13592] There are several signed compares of the size argument, whereas it really is unsigned. Depending on situations e.g. a "memset(ptr, 0, -1)" segfault (but for the wrong reasons, because jumping into nirvana) or succeeds even. In normal use this is harmless, as a size with signbit set indicates more than half the address space which on x86_64 is impossible to allocate, but as the size is used to index some jump tables this potentially could have other unwanted side effects. --- diff --git a/ChangeLog b/ChangeLog index 946c714a22d..f934b34003d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2012-04-05 Michael Matz + + [BZ #13592] + * sysdeps/x86_64/memset.S: Fix size paramater comparisions. + 2012-04-05 Andreas Jaeger [BZ #13908] diff --git a/NEWS b/NEWS index 2f0e7648941..e20b5ec46cb 100644 --- a/NEWS +++ b/NEWS @@ -15,11 +15,11 @@ Version 2.16 10110, 10135, 10140, 10210, 10346, 10545, 10716, 11174, 11322, 11365, 11451, 11494, 12047, 12340, 13058, 13525, 13526, 13527, 13528, 13529, 13530, 13531, 13532, 13533, 13547, 13551, 13552, 13553, 13555, 13559, - 13566, 13583, 13618, 13637, 13656, 13658, 13673, 13691, 13695, 13704, - 13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824, 13840, - 13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883, 13892, - 13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918, 13919, - 13920, 13921, 13926, 13928, 13938 + 13566, 13583, 13592, 13618, 13637, 13656, 13658, 13673, 13691, 13695, + 13704, 13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824, + 13840, 13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883, + 13892, 13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918, + 13919, 13920, 13921, 13926, 13928, 13938 * ISO C11 support: diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S index 7be907192c7..9511745a41b 100644 --- a/sysdeps/x86_64/memset.S +++ b/sysdeps/x86_64/memset.S @@ -1,6 +1,6 @@ /* memset/bzero -- set memory area to CH/0 Optimized version for x86-64. - Copyright (C) 2002-2005, 2007, 2008, 2011 Free Software Foundation, Inc. + Copyright (C) 2002-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -52,7 +52,7 @@ L(ck2): imul %r9,%rdx L(now_dw_aligned): cmp $0x90,%r8 - jg L(ck_mem_ops_method) + ja L(ck_mem_ops_method) L(now_dw_aligned_small): add %r8,%rdi #ifndef PIC @@ -604,7 +604,7 @@ L(aligned_now): punpcklqdq %xmm0,%xmm0 cmp $0xb0,%r8 # 176 - jge L(byte32sse2_pre) + jae L(byte32sse2_pre) add %r8,%rdi # ifndef PIC @@ -864,7 +864,7 @@ L(byte32sse2_pre): mov __x86_64_shared_cache_size(%rip),%r9d # The largest cache size cmp %r9,%r8 - jg L(sse2_nt_move_pre) + ja L(sse2_nt_move_pre) #jmp L(byte32sse2) .balign 16 L(byte32sse2): @@ -880,7 +880,7 @@ L(byte32sse2): movdqa %xmm0,0x70(%rdi) lea 0x80(%rdi),%rdi - jge L(byte32sse2) + jae L(byte32sse2) add %r8,%rdi # ifndef PIC lea L(SSExDx)(%rip),%r11 @@ -914,7 +914,7 @@ L(sse2_nt_move): movntdq %xmm0,0x70(%rdi) lea 0x80(%rdi),%rdi - jge L(sse2_nt_move) + jae L(sse2_nt_move) sfence add %r8,%rdi # ifndef PIC