Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 76952 - strncpy(d,s,n) fails when s paged out and n > 24
Summary: strncpy(d,s,n) fails when s paged out and n > 24
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: glibc
Version: 2.1
Hardware: ia64
OS: Linux
high
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-10-30 01:12 UTC by Reese Faucette
Modified: 2016-11-24 15:04 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-01-08 21:09:33 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:022 normal SHIPPED_LIVE Moderate: glibc security update 2003-01-22 05:00:00 UTC

Description Reese Faucette 2002-10-30 01:12:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)

Description of problem:
glibc-2.2.4-30 and glibc-2.2.4-29.2, IA64
strncpy(D, S, N) fails if:
1) S is paged out   and
2) N > 24 


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.run the attached program in "Additional Information"

	

Actual Results:  program prints *buf = 0x0

Expected Results:  should print *buf = 0x3b

Additional info:

# bug.s
#
# This program demonstrates a bug in strncpy when the first argument
# is paged out and  n (third argument) is > 24.
#
# This program calls strncpy(buf, string, 25) where string is a
# paged-out string constant.  A subsequent call to print *buf shows
# incorrect data was copied.
#
# If the program is called with one argument (argc == 2), then the
# data at *string is referenced (paged in) before the call to
# strncpy and the copy and print succeed.
#
#
# Makefile:
#bug: bug.s
#       as bug.s -o bug.o
#       cc -o bug bug.o
#
# ./bug
# *buf = 0x0
#
# ./bug X
# *buf = 0x3b
#


#
#       Strings section
#
        .section        .rodata

#       Put them way out there
        .align 8
.fmt1:
        stringz "*buf = 0x%x\n"
        .skip   204800

        .align 8
.string:
        stringz ";"
        .skip   204800

#
# local vars
#
.sdata
        .align 8
.buf:
        .skip 80

#
#       Text
#
.text
        .align 16
        .global main#
        .proc main#
main:
        alloc r35 = ar.pfs, 0, 8, 3, 0

#       save b0, r1
        mov r34 = b0
        mov r33 = r1
        ;;

#       load addresses of strings
        addl r36 = @ltoff(.string), gp
        addl r37 = @ltoff(.fmt1), gp
        addl r38 = @ltoff(.buf), gp
        ;;
        ld8 r36 = [r36]
        ld8 r37 = [r37]
        ld8 r38 = [r38]

# if (argc == 2) dummy = *string;
        cmp.eq p2,p3 = 2,r32
        ;;
        (p2) ld1 r39 = [r36]
        ;;

# strncpy(buf, string, 25);
        mov r40 = r38
        mov r41 = r36
        addl r42 = 25, r0
        ;;

        br.call.sptk.many b0 = strncpy#
        ;;
        mov r1 = r33

# printf("*buf = %x\n", *buf);
        mov r40 = r37
        ld8 r41 = [r38]
        ;;
        br.call.sptk.many b0 = printf#
        ;;

# restore and return
        mov ar.pfs = r35
        mov b0 = r34
        mov r1 = r33
        ;;
        br.ret.sptk.many b0

        .endp main#

Comment 1 Reese Faucette 2002-11-01 01:22:59 UTC
This patch fixes the problem - apply after the patch which is included in
glibc-2.2.4-29.src.rpm:
--- strncpy.S   Thu Oct 31 15:19:46 2002
+++ strncpy.S   Thu Oct 31 17:11:34 2002
@@ -214,11 +214,11 @@
        ld8     r[0] = [tmp]
        br.cond.sptk .back2
 .recovery3:
-       add     tmp = -MEMLAT * 8, src ;;
+       add     tmp = -(MEMLAT+1) * 8, src ;;
        ld8     r[MEMLAT] = [tmp]
        br.cond.sptk .back3
 .recovery4:
-       add     tmp = -(MEMLAT - 1) * 8, src ;;
+       add     tmp = -(MEMLAT) * 8, src ;;
        ld8     r[MEMLAT - 1] = [tmp]
        br.cond.sptk .back4
 END(strncpy)


Comment 2 Jason Merrill 2002-11-07 16:16:49 UTC
Also Issue Tracker #9868

Comment 3 Jakub Jelinek 2002-11-07 16:19:44 UTC
Oops, forgot to update this bug.
http://sources.redhat.com/ml/libc-hacker/2002-11/msg00000.html

Comment 4 Reese Faucette 2003-01-08 20:50:17 UTC
The folks at Intel found more issues, their cumulative patch can be found at:
http://www.myri.com/scs/faq/strncpy.fix.patch
This is from Kenneth Chen <kenneth.w.chen atsign intel.com>



Comment 5 Jakub Jelinek 2003-01-08 20:56:30 UTC
All this is in glibc-2.2.4-31.4 and above (ATM 31.7) for about a month.

Comment 6 Reese Faucette 2003-01-08 21:07:37 UTC
the patch from Intel is more extensive than the one listed in the comment of 
11/7/2002.  is all of it in there?
if so, let's close the bug so i stop looking at it ;-)

Comment 7 Jakub Jelinek 2003-01-08 21:09:33 UTC
Everything posted so far is in there, up to:
2002-12-07  Kenneth W. Chen  <kenneth.w.chen@intel.com>

        * sysdeps/ia64/strncpy.S (strncpy): Clear ar.ec.  Fix .recovery4.

Comment 8 Mark J. Cox 2003-01-30 19:38:53 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-022.html



Note You need to log in before you can comment on or make changes to this bug.