[Bug 1978130] Re: Ubuntu22.04: glibc: __strncpy_power9() uses uninitialised register vs18 value for filling after \0

Frank Heimes 1978130 at bugs.launchpad.net
Tue Jul 5 08:32:29 UTC 2022


** Description changed:

+ SRU Justification:
+ ==================
+ 
+ [Impact]
+ 
+  * glibc '__strncpy_power9()' uses uninitialized register vs18 value
+    for filling after \0.
+ 
+  * This can result in a crash / core dump.
+ 
+  * This is fixed in the little endian Power 9 implementation
+    of strncpy.S by using the proper VSX number for VR 18
+    in stxv and stxvl.
+ 
+ [Test Plan]
+ 
+  * Have an Ubuntu Server 22.04 LTS running on Power 9
+    (or compatible) hardware.
+ 
+  * Take the C test program and reproducer from gere:
+    https://sourceware.org/bugzilla/show_bug.cgi?id=29197
+    compile it for power9 (ppc64le).
+ 
+  * Execute it on ppc64el hardware and it will core dump
+    on an unpatched libc6, e.g. using qemu, like:
+    "qemu: uncaught target signal 6 (Aborted) - core dumped
+     Aborted"
+ 
+  * gdb will report the following value of c[]:
+    (gdb) p c
+    $1 = "\000\015\015"
+ 
+ [Where problems could occur]
+ 
+  * Severe problems can occur if wrong registers are used
+    or the (zero-)padding is done in a wrong way
+    or if the fix for stxv and stxvl were mixed up.
+ 
+  * Relatively foreseen effects can happen and highly
+    likely even more crashes.
+ 
+  * But the code was thoroughly analysed, first as gcc bug
+    then a glibc bug.
+ 
+  * The changes are limited to:
+    sysdeps/powerpc/powerpc64/le/power9
+    and with that Power 9 specific,
+    well explained, documented traceable and tested
+    (not only on ppc64le - which is mostly relevant for Ubuntu - but
+     also on ppc and ppc64.)
+ 
+ [Other Info]
+  
+  * The fix is needed for Power 9 targets (22.04 is compiled for P9),
+    has already been applied upstream for glibc 2.36
+    and has been backported to glibc >= 2.33.
+ 
+ __________
+ 
  == Comment: #0 - Tulio Magno Quites Machado Filho <tulioqm at br.ibm.com> - 2022-06-08 08:35:44 ==
  ---Problem Description---
  __strncpy_power9() uses uninitialised register vs18 value for filling after \0
  
  The fix has already been applied upstream for glibc 2.36 and has been
  backported to glibc >= 2.33.
  
  Commit for glibc 2.36:
  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0218463dd8265ed937622f88ac68c7d984fe0cfc
  
  Commit for glibc 2.35:
  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0a1572b8bb880a63d50a63b2afe4bb67704ac23e
-  
- Contact Information = Tulio Magno Quites Machado Filho/tulioqm at br.ibm.com 
-  
+ 
+ Contact Information = Tulio Magno Quites Machado
+ Filho/tulioqm at br.ibm.com
+ 
  ---Additional Hardware Info---
- Requires Power9 or Power10 to reproduce 
+ Requires Power9 or Power10 to reproduce
  
-  
  ---uname output---
  N/A
-  
- Machine Type = N/A 
-  
+ 
+ Machine Type = N/A
+ 
  ---Debugger---
  A debugger is not configured
-  
+ 
  ---Steps to Reproduce---
-  See the description from the bug reported upstream at: https://sourceware.org/bugzilla/show_bug.cgi?id=29197
-  
- Userspace tool common name: glibc 
-  
- The userspace tool has the following bit modes: glibc 
+  See the description from the bug reported upstream at: https://sourceware.org/bugzilla/show_bug.cgi?id=29197
+ 
+ Userspace tool common name: glibc
+ 
+ The userspace tool has the following bit modes: glibc
  
  Userspace rpm: libc6
  
- Userspace tool obtained from project website:  na 
-  
+ Userspace tool obtained from project website:  na
+ 
  *Additional Instructions for Tulio Magno Quites Machado Filho/tulioqm at br.ibm.com:
  -Attach ltrace and strace of userspace application.

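The test plan above detects the defect by inspecting the bytes after the terminating NUL in a 3-byte buffer. As an added example (not code from the bug report or from glibc), the following self-check generalises that idea: it pre-fills the destination with the sentinel 0x0d (the \015 seen in the gdb output), calls the libc strncpy, and compares the result byte for byte with a portable reference implementation across a range of buffer sizes, since vector implementations branch on length. It runs on any architecture; only a defective libc produces mismatches.

```c
/* Added example, not code from the bug report or glibc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reference strncpy: copy up to n bytes of src, then NUL-fill the rest. */
static void strncpy_reference(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    for (; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    for (; i < n; i++)
        dst[i] = '\0';
}

/* Fill an n-byte buffer with sentinel 0x0d (the \015 seen in gdb), run the
 * libc strncpy and compare byte for byte with the reference: sentinel bytes
 * left after the NUL mean padding was skipped. 1 = match, 0 = mismatch. */
static int check_strncpy_padding(const char *src, size_t n)
{
    char *got = malloc(n), *want = malloc(n);
    int ok = 0;
    if (got && want) {
        memset(got, 0x0d, n);
        memset(want, 0x0d, n);
        strncpy(got, src, n);
        strncpy_reference(want, src, n);
        ok = memcmp(got, want, n) == 0;
    }
    free(got);
    free(want);
    return ok;
}

/* Vector variants branch on length, so a defect may appear only at some
 * sizes (upstream reproducer: 3 bytes). Returns count of mismatched sizes. */
static int sweep_strncpy_padding(const char *src, size_t max_n)
{
    int bad = 0;
    for (size_t n = 1; n <= max_n; n++)
        if (!check_strncpy_padding(src, n))
            bad++;
    return bad;
}

int main(void)
{
    int bad = sweep_strncpy_padding("", 64) + sweep_strncpy_padding("abc", 64);
    printf("%d buffer sizes with wrong strncpy padding\n", bad);
    return bad != 0;
}
```

On an unpatched power9 libc6 the sweep with an empty source reports non-zero mismatches, matching the "\000\015\015" the test plan expects; a fixed libc reports 0 for both sweeps.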
https://bugs.launchpad.net/bugs/1978130

Title:
  Ubuntu22.04: glibc: __strncpy_power9() uses uninitialised register
  vs18 value for filling after \0

Status in The Ubuntu-power-systems project:
  In Progress
Status in glibc package in Ubuntu:
  New
Status in glibc source package in Jammy:
  In Progress
