Fix size parameter comparisions.

[BZ #13592]
There are several signed compares of the size argument, whereas
it really is unsigned.  Depending on situations e.g. a "memset(ptr, 0,
-1)" segfault (but for the wrong reasons, because jumping into nirvana)
or succeeds even.

In normal use this is harmless, as a size with signbit set indicates
more than half the address space which on x86_64 is impossible to
allocate, but as the size is used to index some jump tables this
potentially could have other unwanted side effects.

diff --git a/ChangeLog b/ChangeLog
index 946c714a22d1fc7488d59d0c164cbbd1084e0d9e..f934b34003d906fefb54a4e3958f31fd98d8eb15 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-04-05  Michael Matz  <matz@suse.de>
+
+       [BZ #13592]
+       * sysdeps/x86_64/memset.S: Fix size paramater comparisions.
+
 2012-04-05  Andreas Jaeger  <aj@suse.de>
 
        [BZ #13908]

diff --git a/NEWS b/NEWS
index 2f0e76489410ad7f807a6b91b8f59991b4907741..e20b5ec46cb065282f40b34f5e71e5c1f784e0a7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,11 +15,11 @@ Version 2.16
   10110, 10135, 10140, 10210, 10346, 10545, 10716, 11174, 11322, 11365,
   11451, 11494, 12047, 12340, 13058, 13525, 13526, 13527, 13528, 13529,
   13530, 13531, 13532, 13533, 13547, 13551, 13552, 13553, 13555, 13559,
-  13566, 13583, 13618, 13637, 13656, 13658, 13673, 13691, 13695, 13704,
-  13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824, 13840,
-  13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883, 13892,
-  13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918, 13919,
-  13920, 13921, 13926, 13928, 13938
+  13566, 13583, 13592, 13618, 13637, 13656, 13658, 13673, 13691, 13695,
+  13704, 13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824,
+  13840, 13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883,
+  13892, 13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918,
+  13919, 13920, 13921, 13926, 13928, 13938
 
 * ISO C11 support:
 

diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S
index 7be907192c71670f4e3f86127af148dab6a0f9ab..9511745a41b5294aab33ee4520abbee1c4dae4e8 100644 (file)
--- a/sysdeps/x86_64/memset.S
+++ b/sysdeps/x86_64/memset.S
@@ -1,6 +1,6 @@
 /* memset/bzero -- set memory area to CH/0
    Optimized version for x86-64.
-   Copyright (C) 2002-2005, 2007, 2008, 2011 Free Software Foundation, Inc.
+   Copyright (C) 2002-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -52,7 +52,7 @@ L(ck2):
        imul   %r9,%rdx
 L(now_dw_aligned):
        cmp    $0x90,%r8
-       jg     L(ck_mem_ops_method)
+       ja     L(ck_mem_ops_method)
 L(now_dw_aligned_small):
        add    %r8,%rdi
 #ifndef PIC
@@ -604,7 +604,7 @@ L(aligned_now):
         punpcklqdq %xmm0,%xmm0
 
         cmp    $0xb0,%r8 # 176
-        jge    L(byte32sse2_pre)
+        jae    L(byte32sse2_pre)
 
         add    %r8,%rdi
 # ifndef PIC
@@ -864,7 +864,7 @@ L(byte32sse2_pre):
 
        mov    __x86_64_shared_cache_size(%rip),%r9d  # The largest cache size
        cmp    %r9,%r8
-       jg     L(sse2_nt_move_pre)
+       ja     L(sse2_nt_move_pre)
        #jmp    L(byte32sse2)
        .balign     16
 L(byte32sse2):
@@ -880,7 +880,7 @@ L(byte32sse2):
        movdqa %xmm0,0x70(%rdi)
 
        lea    0x80(%rdi),%rdi
-       jge    L(byte32sse2)
+       jae    L(byte32sse2)
        add    %r8,%rdi
 # ifndef PIC
        lea    L(SSExDx)(%rip),%r11
@@ -914,7 +914,7 @@ L(sse2_nt_move):
        movntdq %xmm0,0x70(%rdi)
 
        lea    0x80(%rdi),%rdi
-       jge    L(sse2_nt_move)
+       jae    L(sse2_nt_move)
        sfence
        add    %r8,%rdi
 # ifndef PIC