about summary refs log tree commit diff
diff options
context:
space:
mode:
authorMichael Matz <matz@suse.de>2012-04-05 10:48:14 +0200
committerAndreas Jaeger <aj@suse.de>2012-04-05 10:50:09 +0200
commite80d6f94e19d17b91e3cd3ada7193cc88f621feb (patch)
treef519a13feef74d70dfade10c595b72d3113add5f
parent349fa79f5527f78d60c78eb1fbb2dfb56846018c (diff)
downloadglibc-e80d6f94e19d17b91e3cd3ada7193cc88f621feb.tar.gz
glibc-e80d6f94e19d17b91e3cd3ada7193cc88f621feb.tar.xz
glibc-e80d6f94e19d17b91e3cd3ada7193cc88f621feb.zip
Fix size parameter comparisions.
[BZ #13592]
There are several signed compares of the size argument, whereas
it really is unsigned.  Depending on situations e.g. a "memset(ptr, 0,
-1)" segfault (but for the wrong reasons, because jumping into nirvana)
or succeeds even.

In normal use this is harmless, as a size with signbit set indicates
more than half the address space which on x86_64 is impossible to
allocate, but as the size is used to index some jump tables this
potentially could have other unwanted side effects.
Diffstat
-rw-r--r--ChangeLog5
-rw-r--r--NEWS10
-rw-r--r--sysdeps/x86_64/memset.S12
3 files changed, 16 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 946c714a22..f934b34003 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-04-05  Michael Matz  <matz@suse.de>
+
+	[BZ #13592]
+	* sysdeps/x86_64/memset.S: Fix size paramater comparisions.
+
 2012-04-05  Andreas Jaeger  <aj@suse.de>
 
 	[BZ #13908]
diff --git a/NEWS b/NEWS
index 2f0e764894..e20b5ec46c 100644
--- a/NEWS
+++ b/NEWS
@@ -15,11 +15,11 @@ Version 2.16
   10110, 10135, 10140, 10210, 10346, 10545, 10716, 11174, 11322, 11365,
   11451, 11494, 12047, 12340, 13058, 13525, 13526, 13527, 13528, 13529,
   13530, 13531, 13532, 13533, 13547, 13551, 13552, 13553, 13555, 13559,
-  13566, 13583, 13618, 13637, 13656, 13658, 13673, 13691, 13695, 13704,
-  13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824, 13840,
-  13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883, 13892,
-  13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918, 13919,
-  13920, 13921, 13926, 13928, 13938
+  13566, 13583, 13592, 13618, 13637, 13656, 13658, 13673, 13691, 13695,
+  13704, 13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824,
+  13840, 13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883,
+  13892, 13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918,
+  13919, 13920, 13921, 13926, 13928, 13938
 
 * ISO C11 support:
 
diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S
index 7be907192c..9511745a41 100644
--- a/sysdeps/x86_64/memset.S
+++ b/sysdeps/x86_64/memset.S
@@ -1,6 +1,6 @@
 /* memset/bzero -- set memory area to CH/0
    Optimized version for x86-64.
-   Copyright (C) 2002-2005, 2007, 2008, 2011 Free Software Foundation, Inc.
+   Copyright (C) 2002-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -52,7 +52,7 @@ L(ck2):
 	imul   %r9,%rdx
 L(now_dw_aligned):
 	cmp    $0x90,%r8
-	jg     L(ck_mem_ops_method)
+	ja     L(ck_mem_ops_method)
 L(now_dw_aligned_small):
 	add    %r8,%rdi
 #ifndef PIC
@@ -604,7 +604,7 @@ L(aligned_now):
 	 punpcklqdq %xmm0,%xmm0
 
 	 cmp    $0xb0,%r8 # 176
-	 jge    L(byte32sse2_pre)
+	 jae    L(byte32sse2_pre)
 
 	 add    %r8,%rdi
 # ifndef PIC
@@ -864,7 +864,7 @@ L(byte32sse2_pre):
 
 	mov    __x86_64_shared_cache_size(%rip),%r9d  # The largest cache size
 	cmp    %r9,%r8
-	jg     L(sse2_nt_move_pre)
+	ja     L(sse2_nt_move_pre)
 	#jmp    L(byte32sse2)
 	.balign     16
 L(byte32sse2):
@@ -880,7 +880,7 @@ L(byte32sse2):
 	movdqa %xmm0,0x70(%rdi)
 
 	lea    0x80(%rdi),%rdi
-	jge    L(byte32sse2)
+	jae    L(byte32sse2)
 	add    %r8,%rdi
 # ifndef PIC
 	lea    L(SSExDx)(%rip),%r11
@@ -914,7 +914,7 @@ L(sse2_nt_move):
 	movntdq %xmm0,0x70(%rdi)
 
 	lea    0x80(%rdi),%rdi
-	jge    L(sse2_nt_move)
+	jae    L(sse2_nt_move)
 	sfence
 	add    %r8,%rdi
 # ifndef PIC
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-05 16:39:02 +0000