[Bug 1841403] [NEW] Uninitialized use with glibc version <= 2.28

Bowen Wang 1841403 at bugs.launchpad.net
Mon Aug 26 06:19:08 UTC 2019


Public bug reported:

This bug is found in Ubuntu 18.10 and 18.04.

I am not sure if it has been fixed or not, so I think I should report it
first.

In 18.10 or 18.04, if you updated all the software to the newest version, then execute:
valgrind objdump -d test-input.

The output of valgrind on Ubuntu 18.10:
==30071== Memcheck, a memory error detector
==30071== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30071== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==30071== Command: objdump -d input.12602
==30071== Parent PID: 21664
==30071== 
==30071== Conditional jump or move depends on uninitialised value(s)
==30071==    at 0x524DF47: __wmemchr_avx2 (memchr-avx2.S:260)
==30071==    by 0x51AD4C2: internal_fnwmatch (fnmatch_loop.c:168)
==30071==    by 0x51B0868: fnmatch@@GLIBC_2.2.5 (fnmatch.c:434)
==30071==    by 0x4E3B646: ??? (in /usr/lib/x86_64-linux-gnu/libbfd-2.31.1-multiarch.so)
==30071==    by 0x4E3B738: bfd_set_default_target (in /usr/lib/x86_64-linux-gnu/libbfd-2.31.1-multiarch.so)
==30071==    by 0x14017C: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==30071==    by 0x10F97A: ??? (in /usr/bin/x86_64-linux-gnu-objdump)
==30071==    by 0x50ED09A: (below main) (libc-start.c:308)
==30071== 
==30071== 
==30071== HEAP SUMMARY:
==30071==     in use at exit: 0 bytes in 0 blocks
==30071==   total heap usage: 768 allocs, 768 frees, 342,516 bytes allocated
==30071== 
==30071== All heap blocks were freed -- no leaks are possible
==30071== 
==30071== For counts of detected and suppressed errors, rerun with: -v
==30071== Use --track-origins=yes to see where uninitialised values come from
==30071== ERROR SUMMARY: 6 errors from 1 contexts (suppressed: 0 from 0)

The test input is attached.

** Affects: glibc (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "PoC input to trigger this bug."
   https://bugs.launchpad.net/bugs/1841403/+attachment/5284637/+files/input.12602

https://bugs.launchpad.net/bugs/1841403
