[Bug 1756209] Re: i386 implementation of memmove broken since glibc 2.21

[Balint Reczey]

** Description changed:

+ [Impact]
+ * i386 memmove breaks when crossing the 2GB threshold.
+ 
+ [Test Case]
+ 
+ * Compile and run the reproducer as described at
+ https://github.com/fingolfin/memmove-bug or observe string/test-memmove
+ test passing during the build/autopkgtest on i386.
+ 
+ [Regression Potential]
+ 
+ * Can break memmove, but this is unlikely since memmove is the very
+ function fixed by fixing signedness handling.
+ 
+ [Original Bug Text]
+ 
  In glibc 2.21 they optimized i386 memcpy:
  
  https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
  
  The implementation contained a bug which causes memmove to break when
  crossing the 2GB threshold.
  
  This has been filed with glibc here (filed by someone else, but I have
  requested an update from them as well):
  
  https://sourceware.org/bugzilla/show_bug.cgi?id=22644
  
  Unfortunately they have not yet taken action on this bug, however I want
  to bring it to your attention in the hope that it can be patched into
  all current Ubuntu releases as soon as possible. I hope this is not
  improper procedure. Both myself and another (see comment 1 in the glibc
  bug report) have tested the patch provided in the above glibc bug report
  and it does appear to fix the problem, however I don't know what the
  procedure is for getting it properly confirmed/tested and merged into
  Ubuntu.
  
  As requested in the guidelines:
  
  1) We are using:
  Description:    Ubuntu 16.04.4 LTS
  Release:        16.04
  
  2)
  libc6:i386:
-   Installed: 2.23-0ubuntu10
+   Installed: 2.23-0ubuntu10
  
  However as stated above this has been present since libc6:i386 2.21 and
  affects Ubuntu 15.04 onward. (I have actually tested this as well. 15.04
  conveniently used both glibc 2.19 and 2.21 so it was a good test
  platform when I was initially attempting to track down the problem.)
  
  3) What we expected to happen:
  memmove should move data within the entire valid address space without segfaulting or corrupting memory.
  
  4) What happened instead:
  When memmove attempts to move data crossing the 2GB threshold it either segfaults or causes memory corruption.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1756209

Title:
  i386 implementation of memmove broken since glibc 2.21

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Xenial:
  New
Status in glibc source package in Bionic:
  Confirmed

Bug description:
  [Impact]
  * i386 memmove breaks when crossing the 2GB threshold.

  [Test Case]

  * Compile and run the reproducer as described at
  https://github.com/fingolfin/memmove-bug or observe string/test-
  memmove test passing during the build/autopkgtest on i386.

  [Regression Potential]

  * Can break memmove, but this is unlikely since memmove is the very
  function fixed by fixing signedness handling.

  [Original Bug Text]

  In glibc 2.21 they optimized i386 memcpy:

  https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html

  The implementation contained a bug which causes memmove to break when
  crossing the 2GB threshold.

  This has been filed with glibc here (filed by someone else, but I have
  requested an update from them as well):

  https://sourceware.org/bugzilla/show_bug.cgi?id=22644

  Unfortunately they have not yet taken action on this bug, however I
  want to bring it to your attention in the hope that it can be patched
  into all current Ubuntu releases as soon as possible. I hope this is
  not improper procedure. Both myself and another (see comment 1 in the
  glibc bug report) have tested the patch provided in the above glibc
  bug report and it does appear to fix the problem, however I don't know
  what the procedure is for getting it properly confirmed/tested and
  merged into Ubuntu.

  As requested in the guidelines:

  1) We are using:
  Description:    Ubuntu 16.04.4 LTS
  Release:        16.04

  2)
  libc6:i386:
    Installed: 2.23-0ubuntu10

  However as stated above this has been present since libc6:i386 2.21
  and affects Ubuntu 15.04 onward. (I have actually tested this as well.
  15.04 conveniently used both glibc 2.19 and 2.21 so it was a good test
  platform when I was initially attempting to track down the problem.)

  3) What we expected to happen:
  memmove should move data within the entire valid address space without segfaulting or corrupting memory.

  4) What happened instead:
  When memmove attempts to move data crossing the 2GB threshold it either segfaults or causes memory corruption.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1756209/+subscriptions