negative memcpy
manish kumar
deliver2manish at gmail.com
Wed Aug 10 00:32:24 UTC 2011
On Wed, Aug 10, 2011 at 1:54 AM, Rich Felker <dalias at aerifal.cx> wrote:
> On Tue, Aug 09, 2011 at 06:49:58PM +0200, Laurent Bercot wrote:
>> I would guess that the glibc goes out of its way to check that the
>> memcpy() arguments are valid and makes a point to crash when they are
>> not, which is a safe behaviour but requires extra code, whereas the
>> uClibc does not perform such checks, and may crash or may happily
>> copy 4 GB of memory all over the place, or fly demons through your nose.
>
> No, I think glibc is correctly treating the argument as unsigned and
> looping until it crashes, while uClibc is wrongly treating the
> argument as unsigned and copying nothing. This doesn't matter for
> sizes like 0xffffffff which are invalid anyway, but it could matter
> for sizes like 0x80000000 if uClibc's malloc allows allocations that
> large.
>
I agree with Rich. Our target hardware is still buggy. Sometimes we
get junk data from our memory and some operations like memcpy() are
performed based on that data. Sometimes the data is not initialized
(bug!) and is passed as parameters to these functions. memcpy()
certainly cannot copy data of size 0xffffffff (it should throw a
segfault). I could not find this bug in my application until I ran a
memory debugger which crashed with a segfault.
I am attaching the source and disassembly of both gcc and mipsel (also
inline). I think it can be helpful.
> (I'm using 32-bit examples because you can never have allocations
> nearly as large as SIZE_MAX on current 64-bit machines.)
>
> Rich
neg_memcpy.c
------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    size_t size = -1;                        /* -1 converted to size_t is SIZE_MAX (0xffffffff on 32-bit) */
    char src[10] = {0, }, dest[10] = {0, };  /* two 10-byte stack buffers */
    memcpy(dest, src, size);                 /* length is far larger than either buffer */
    return 1;
}
Disassembly:
1. mipsel:
------------------
neg_memcpy_mipsel: file format elf32-tradlittlemips
Disassembly of section .init:
004004f0 <_init>:
4004f0: 3c1c0002 lui gp,0x2
4004f4: 279c8340 addiu gp,gp,-31936
4004f8: 0399e021 addu gp,gp,t9
4004fc: 27bdffe0 addiu sp,sp,-32
400500: afbc0010 sw gp,16(sp)
400504: afbf001c sw ra,28(sp)
400508: afbc0018 sw gp,24(sp)
40050c: 04110001 bal 400514 <_init+0x24>
400510: 00000000 nop
400514: 0c1001a7 jal 40069c <frame_dummy>
400518: 00000000 nop
40051c: 04110001 bal 400524 <_init+0x34>
400520: 00000000 nop
400524: 0c1001dc jal 400770 <__do_global_ctors_aux>
400528: 00000000 nop
40052c: 8fbf001c lw ra,28(sp)
400530: 03e00008 jr ra
400534: 27bd0020 addiu sp,sp,32
Disassembly of section .plt:
00400540 <_PROCEDURE_LINKAGE_TABLE_>:
400540: 3c1c0041 lui gp,0x41
400544: 8f990824 lw t9,2084(gp)
400548: 279c0824 addiu gp,gp,2084
40054c: 031cc023 subu t8,t8,gp
400550: 03e07821 move t7,ra
400554: 0018c082 srl t8,t8,0x2
400558: 0320f809 jalr t9
40055c: 2718fffe addiu t8,t8,-2
00400560 <__deregister_frame_info@plt>:
400560: 3c0f0041 lui t7,0x41
400564: 8df9082c lw t9,2092(t7)
400568: 03200008 jr t9
40056c: 25f8082c addiu t8,t7,2092
00400570 <memcpy@plt>:
400570: 3c0f0041 lui t7,0x41
400574: 8df90830 lw t9,2096(t7)
400578: 03200008 jr t9
40057c: 25f80830 addiu t8,t7,2096
00400580 <__register_frame_info@plt>:
400580: 3c0f0041 lui t7,0x41
400584: 8df90834 lw t9,2100(t7)
400588: 03200008 jr t9
40058c: 25f80834 addiu t8,t7,2100
00400590 <__uClibc_main@plt>:
400590: 3c0f0041 lui t7,0x41
400594: 8df90838 lw t9,2104(t7)
400598: 03200008 jr t9
40059c: 25f80838 addiu t8,t7,2104
Disassembly of section .text:
004005a0 <__start>:
4005a0: 3c1c0042 lui gp,0x42
4005a4: 279c8830 addiu gp,gp,-30672
4005a8: 0000f821 move ra,zero
4005ac: 3c040040 lui a0,0x40
4005b0: 24840700 addiu a0,a0,1792
4005b4: 8fa50000 lw a1,0(sp)
4005b8: 27a60004 addiu a2,sp,4
4005bc: 2401fff8 li at,-8
4005c0: 03a1e824 and sp,sp,at
4005c4: 27bdffe0 addiu sp,sp,-32
4005c8: 3c070040 lui a3,0x40
4005cc: 24e704f0 addiu a3,a3,1264
4005d0: 3c080040 lui t0,0x40
4005d4: 250807c0 addiu t0,t0,1984
4005d8: afa80010 sw t0,16(sp)
4005dc: afa20014 sw v0,20(sp)
4005e0: 0c100164 jal 400590 <__uClibc_main@plt>
4005e4: afbd0018 sw sp,24(sp)
004005e8 <hlt>:
4005e8: 1000ffff b 4005e8 <hlt>
4005ec: 00000000 nop
004005f0 <__do_global_dtors_aux>:
4005f0: 3c020041 lui v0,0x41
4005f4: 90420850 lbu v0,2128(v0)
4005f8: 27bdffd8 addiu sp,sp,-40
4005fc: afbf0024 sw ra,36(sp)
400600: afb20020 sw s2,32(sp)
400604: afb1001c sw s1,28(sp)
400608: 1440001e bnez v0,400684 <__do_global_dtors_aux+0x94>
40060c: afb00018 sw s0,24(sp)
400610: 3c110041 lui s1,0x41
400614: 3c120041 lui s2,0x41
400618: 26310804 addiu s1,s1,2052
40061c: 26520808 addiu s2,s2,2056
400620: 02519023 subu s2,s2,s1
400624: 00129083 sra s2,s2,0x2
400628: 2652ffff addiu s2,s2,-1
40062c: 08100193 j 40064c <__do_global_dtors_aux+0x5c>
400630: 3c100041 lui s0,0x41
400634: ae020854 sw v0,2132(s0)
400638: 00021080 sll v0,v0,0x2
40063c: 00511021 addu v0,v0,s1
400640: 8c590000 lw t9,0(v0)
400644: 0320f809 jalr t9
400648: 00000000 nop
40064c: 8e020854 lw v0,2132(s0)
400650: 0052182b sltu v1,v0,s2
400654: 1460fff7 bnez v1,400634 <__do_global_dtors_aux+0x44>
400658: 24420001 addiu v0,v0,1
40065c: 3c020040 lui v0,0x40
400660: 24420560 addiu v0,v0,1376
400664: 10400005 beqz v0,40067c <__do_global_dtors_aux+0x8c>
400668: 24030001 li v1,1
40066c: 3c040040 lui a0,0x40
400670: 0c100158 jal 400560 <__deregister_frame_info@plt>
400674: 248407f8 addiu a0,a0,2040
400678: 24030001 li v1,1
40067c: 3c020041 lui v0,0x41
400680: a0430850 sb v1,2128(v0)
400684: 8fbf0024 lw ra,36(sp)
400688: 8fb20020 lw s2,32(sp)
40068c: 8fb1001c lw s1,28(sp)
400690: 8fb00018 lw s0,24(sp)
400694: 03e00008 jr ra
400698: 27bd0028 addiu sp,sp,40
0040069c <frame_dummy>:
40069c: 3c020040 lui v0,0x40
4006a0: 27bdffe0 addiu sp,sp,-32
4006a4: 24420580 addiu v0,v0,1408
4006a8: 10400006 beqz v0,4006c4 <frame_dummy+0x28>
4006ac: afbf001c sw ra,28(sp)
4006b0: 3c040040 lui a0,0x40
4006b4: 3c050041 lui a1,0x41
4006b8: 248407f8 addiu a0,a0,2040
4006bc: 0c100160 jal 400580 <__register_frame_info@plt>
4006c0: 24a50858 addiu a1,a1,2136
4006c4: 3c040041 lui a0,0x41
4006c8: 8c82080c lw v0,2060(a0)
4006cc: 10400007 beqz v0,4006ec <frame_dummy+0x50>
4006d0: 3c190000 lui t9,0x0
4006d4: 27390000 addiu t9,t9,0
4006d8: 13200004 beqz t9,4006ec <frame_dummy+0x50>
4006dc: 8fbf001c lw ra,28(sp)
4006e0: 2484080c addiu a0,a0,2060
4006e4: 03200008 jr t9
4006e8: 27bd0020 addiu sp,sp,32
4006ec: 8fbf001c lw ra,28(sp)
4006f0: 03e00008 jr ra
4006f4: 27bd0020 addiu sp,sp,32
...
00400700 <main>:
400700: 27bdffc0 addiu sp,sp,-64
400704: afbf003c sw ra,60(sp)
400708: afbe0038 sw s8,56(sp)
40070c: 03a0f021 move s8,sp
400710: 2402ffff li v0,-1
400714: afc20018 sw v0,24(s8)
400718: afc0001c sw zero,28(s8)
40071c: afc00020 sw zero,32(s8)
400720: a7c00024 sh zero,36(s8)
400724: afc00028 sw zero,40(s8)
400728: afc0002c sw zero,44(s8)
40072c: a7c00030 sh zero,48(s8)
400730: 27c30028 addiu v1,s8,40
400734: 27c2001c addiu v0,s8,28
400738: 00602021 move a0,v1
40073c: 00402821 move a1,v0
400740: 8fc60018 lw a2,24(s8)
400744: 0c10015c jal 400570 <memcpy@plt>
400748: 00000000 nop
40074c: 24020001 li v0,1
400750: 03c0e821 move sp,s8
400754: 8fbf003c lw ra,60(sp)
400758: 8fbe0038 lw s8,56(sp)
40075c: 27bd0040 addiu sp,sp,64
400760: 03e00008 jr ra
400764: 00000000 nop
...
00400770 <__do_global_ctors_aux>:
400770: 27bdffd8 addiu sp,sp,-40
400774: afb0001c sw s0,28(sp)
400778: 3c100041 lui s0,0x41
40077c: afb10020 sw s1,32(sp)
400780: afbf0024 sw ra,36(sp)
400784: 261007fc addiu s0,s0,2044
400788: 081001e6 j 400798 <__do_global_ctors_aux+0x28>
40078c: 2411ffff li s1,-1
400790: 0320f809 jalr t9
400794: 2610fffc addiu s0,s0,-4
400798: 8e190000 lw t9,0(s0)
40079c: 1731fffc bne t9,s1,400790 <__do_global_ctors_aux+0x20>
4007a0: 8fbf0024 lw ra,36(sp)
4007a4: 8fb10020 lw s1,32(sp)
4007a8: 8fb0001c lw s0,28(sp)
4007ac: 03e00008 jr ra
4007b0: 27bd0028 addiu sp,sp,40
...
Disassembly of section .fini:
004007c0 <_fini>:
4007c0: 3c1c0002 lui gp,0x2
4007c4: 279c8070 addiu gp,gp,-32656
4007c8: 0399e021 addu gp,gp,t9
4007cc: 27bdffe0 addiu sp,sp,-32
4007d0: afbc0010 sw gp,16(sp)
4007d4: afbf001c sw ra,28(sp)
4007d8: afbc0018 sw gp,24(sp)
4007dc: 04110001 bal 4007e4 <_fini+0x24>
4007e0: 00000000 nop
4007e4: 0c10017c jal 4005f0 <__do_global_dtors_aux>
4007e8: 00000000 nop
4007ec: 8fbf001c lw ra,28(sp)
4007f0: 03e00008 jr ra
4007f4: 27bd0020 addiu sp,sp,32
2. gcc:
---------
neg_memcpy_gcc: file format elf64-x86-64
Disassembly of section .init:
0000000000400338 <_init>:
400338: 48 83 ec 08 sub $0x8,%rsp
40033c: e8 5b 00 00 00 callq 40039c <call_gmon_start>
400341: e8 da 00 00 00 callq 400420 <frame_dummy>
400346: e8 e5 01 00 00 callq 400530 <__do_global_ctors_aux>
40034b: 48 83 c4 08 add $0x8,%rsp
40034f: c3 retq
Disassembly of section .plt:
0000000000400350 <__libc_start_main@plt-0x10>:
400350: ff 35 ba 04 20 00 pushq 2098362(%rip) # 600810 <_GLOBAL_OFFSET_TABLE_+0x8>
400356: ff 25 bc 04 20 00 jmpq *2098364(%rip) # 600818 <_GLOBAL_OFFSET_TABLE_+0x10>
40035c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400360 <__libc_start_main@plt>:
400360: ff 25 ba 04 20 00 jmpq *2098362(%rip) # 600820 <_GLOBAL_OFFSET_TABLE_+0x18>
400366: 68 00 00 00 00 pushq $0x0
40036b: e9 e0 ff ff ff jmpq 400350 <_init+0x18>
Disassembly of section .text:
0000000000400370 <_start>:
400370: 31 ed xor %ebp,%ebp
400372: 49 89 d1 mov %rdx,%r9
400375: 5e pop %rsi
400376: 48 89 e2 mov %rsp,%rdx
400379: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
40037d: 50 push %rax
40037e: 54 push %rsp
40037f: 49 c7 c0 90 04 40 00 mov $0x400490,%r8
400386: 48 c7 c1 a0 04 40 00 mov $0x4004a0,%rcx
40038d: 48 c7 c7 48 04 40 00 mov $0x400448,%rdi
400394: e8 c7 ff ff ff callq 400360 <__libc_start_main@plt>
400399: f4 hlt
40039a: 90 nop
40039b: 90 nop
000000000040039c <call_gmon_start>:
40039c: 48 83 ec 08 sub $0x8,%rsp
4003a0: 48 8b 05 59 04 20 00 mov 2098265(%rip),%rax # 600800 <_DYNAMIC+0x190>
4003a7: 48 85 c0 test %rax,%rax
4003aa: 74 02 je 4003ae <call_gmon_start+0x12>
4003ac: ff d0 callq *%rax
4003ae: 48 83 c4 08 add $0x8,%rsp
4003b2: c3 retq
4003b3: 90 nop
4003b4: 90 nop
4003b5: 90 nop
4003b6: 90 nop
4003b7: 90 nop
4003b8: 90 nop
4003b9: 90 nop
4003ba: 90 nop
4003bb: 90 nop
4003bc: 90 nop
4003bd: 90 nop
4003be: 90 nop
4003bf: 90 nop
00000000004003c0 <__do_global_dtors_aux>:
4003c0: 55 push %rbp
4003c1: 48 89 e5 mov %rsp,%rbp
4003c4: 53 push %rbx
4003c5: 48 83 ec 08 sub $0x8,%rsp
4003c9: 80 3d 68 04 20 00 00 cmpb $0x0,2098280(%rip) # 600838 <completed.6145>
4003d0: 75 44 jne 400416 <__do_global_dtors_aux+0x56>
4003d2: b8 60 06 60 00 mov $0x600660,%eax
4003d7: 48 2d 58 06 60 00 sub $0x600658,%rax
4003dd: 48 c1 f8 03 sar $0x3,%rax
4003e1: 48 8d 58 ff lea 0xffffffffffffffff(%rax),%rbx
4003e5: 48 8b 05 44 04 20 00 mov 2098244(%rip),%rax # 600830 <dtor_idx.6147>
4003ec: 48 39 c3 cmp %rax,%rbx
4003ef: 76 1e jbe 40040f <__do_global_dtors_aux+0x4f>
4003f1: 48 83 c0 01 add $0x1,%rax
4003f5: 48 89 05 34 04 20 00 mov %rax,2098228(%rip) # 600830 <dtor_idx.6147>
4003fc: ff 14 c5 58 06 60 00 callq *0x600658(,%rax,8)
400403: 48 8b 05 26 04 20 00 mov 2098214(%rip),%rax # 600830 <dtor_idx.6147>
40040a: 48 39 c3 cmp %rax,%rbx
40040d: 77 e2 ja 4003f1 <__do_global_dtors_aux+0x31>
40040f: c6 05 22 04 20 00 01 movb $0x1,2098210(%rip) # 600838 <completed.6145>
400416: 48 83 c4 08 add $0x8,%rsp
40041a: 5b pop %rbx
40041b: c9 leaveq
40041c: c3 retq
40041d: 0f 1f 00 nopl (%rax)
0000000000400420 <frame_dummy>:
400420: 55 push %rbp
400421: 48 83 3d 3f 02 20 00 cmpq $0x0,2097727(%rip) # 600668 <__JCR_END__>
400428: 00
400429: 48 89 e5 mov %rsp,%rbp
40042c: 74 16 je 400444 <frame_dummy+0x24>
40042e: b8 00 00 00 00 mov $0x0,%eax
400433: 48 85 c0 test %rax,%rax
400436: 74 0c je 400444 <frame_dummy+0x24>
400438: bf 68 06 60 00 mov $0x600668,%edi
40043d: 49 89 c3 mov %rax,%r11
400440: c9 leaveq
400441: 41 ff e3 jmpq *%r11
400444: c9 leaveq
400445: c3 retq
400446: 90 nop
400447: 90 nop
0000000000400448 <main>:
#include <stdlib.h>
#include <string.h>
int main()
{
400448: 55 push %rbp
400449: 48 89 e5 mov %rsp,%rbp
size_t size = -1;
40044c: 48 c7 45 f8 ff ff ff movq $0xffffffffffffffff,0xfffffffffffffff8(%rbp)
400453: ff
char src[10] = {0, }, dest[10] = {0, };
400454: 48 c7 45 e0 00 00 00 movq $0x0,0xffffffffffffffe0(%rbp)
40045b: 00
40045c: 66 c7 45 e8 00 00 movw $0x0,0xffffffffffffffe8(%rbp)
400462: 48 c7 45 d0 00 00 00 movq $0x0,0xffffffffffffffd0(%rbp)
400469: 00
40046a: 66 c7 45 d8 00 00 movw $0x0,0xffffffffffffffd8(%rbp)
memcpy(dest, src, size);
400470: 48 8d 45 d0 lea 0xffffffffffffffd0(%rbp),%rax
400474: 48 8d 55 e0 lea 0xffffffffffffffe0(%rbp),%rdx
400478: 48 8b 4d f8 mov 0xfffffffffffffff8(%rbp),%rcx
40047c: 48 89 c7 mov %rax,%rdi
40047f: 48 89 d6 mov %rdx,%rsi
400482: fc cld
400483: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
return 1;
400485: b8 01 00 00 00 mov $0x1,%eax
}
40048a: c9 leaveq
40048b: c3 retq
40048c: 90 nop
40048d: 90 nop
40048e: 90 nop
40048f: 90 nop
0000000000400490 <__libc_csu_fini>:
400490: f3 c3 repz retq
400492: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
400499: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
00000000004004a0 <__libc_csu_init>:
4004a0: 4c 89 64 24 e0 mov %r12,0xffffffffffffffe0(%rsp)
4004a5: 4c 89 6c 24 e8 mov %r13,0xffffffffffffffe8(%rsp)
4004aa: 4c 8d 25 93 01 20 00 lea 2097555(%rip),%r12 # 600644 <__fini_array_end>
4004b1: 4c 89 74 24 f0 mov %r14,0xfffffffffffffff0(%rsp)
4004b6: 4c 89 7c 24 f8 mov %r15,0xfffffffffffffff8(%rsp)
4004bb: 49 89 f6 mov %rsi,%r14
4004be: 48 89 5c 24 d0 mov %rbx,0xffffffffffffffd0(%rsp)
4004c3: 48 89 6c 24 d8 mov %rbp,0xffffffffffffffd8(%rsp)
4004c8: 48 83 ec 38 sub $0x38,%rsp
4004cc: 41 89 ff mov %edi,%r15d
4004cf: 49 89 d5 mov %rdx,%r13
4004d2: e8 61 fe ff ff callq 400338 <_init>
4004d7: 48 8d 05 66 01 20 00 lea 2097510(%rip),%rax # 600644 <__fini_array_end>
4004de: 49 29 c4 sub %rax,%r12
4004e1: 49 c1 fc 03 sar $0x3,%r12
4004e5: 4d 85 e4 test %r12,%r12
4004e8: 74 1e je 400508 <__libc_csu_init+0x68>
4004ea: 31 ed xor %ebp,%ebp
4004ec: 48 89 c3 mov %rax,%rbx
4004ef: 90 nop
4004f0: 48 83 c5 01 add $0x1,%rbp
4004f4: 4c 89 ea mov %r13,%rdx
4004f7: 4c 89 f6 mov %r14,%rsi
4004fa: 44 89 ff mov %r15d,%edi
4004fd: ff 13 callq *(%rbx)
4004ff: 48 83 c3 08 add $0x8,%rbx
400503: 49 39 ec cmp %rbp,%r12
400506: 75 e8 jne 4004f0 <__libc_csu_init+0x50>
400508: 48 8b 5c 24 08 mov 0x8(%rsp),%rbx
40050d: 48 8b 6c 24 10 mov 0x10(%rsp),%rbp
400512: 4c 8b 64 24 18 mov 0x18(%rsp),%r12
400517: 4c 8b 6c 24 20 mov 0x20(%rsp),%r13
40051c: 4c 8b 74 24 28 mov 0x28(%rsp),%r14
400521: 4c 8b 7c 24 30 mov 0x30(%rsp),%r15
400526: 48 83 c4 38 add $0x38,%rsp
40052a: c3 retq
40052b: 90 nop
40052c: 90 nop
40052d: 90 nop
40052e: 90 nop
40052f: 90 nop
0000000000400530 <__do_global_ctors_aux>:
400530: 55 push %rbp
400531: 48 89 e5 mov %rsp,%rbp
400534: 53 push %rbx
400535: bb 48 06 60 00 mov $0x600648,%ebx
40053a: 48 83 ec 08 sub $0x8,%rsp
40053e: 48 8b 05 03 01 20 00 mov 2097411(%rip),%rax # 600648 <__CTOR_LIST__>
400545: 48 83 f8 ff cmp $0xffffffffffffffff,%rax
400549: 74 14 je 40055f <__do_global_ctors_aux+0x2f>
40054b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
400550: 48 83 eb 08 sub $0x8,%rbx
400554: ff d0 callq *%rax
400556: 48 8b 03 mov (%rbx),%rax
400559: 48 83 f8 ff cmp $0xffffffffffffffff,%rax
40055d: 75 f1 jne 400550 <__do_global_ctors_aux+0x20>
40055f: 48 83 c4 08 add $0x8,%rsp
400563: 5b pop %rbx
400564: c9 leaveq
400565: c3 retq
400566: 90 nop
400567: 90 nop
Disassembly of section .fini:
0000000000400568 <_fini>:
400568: 48 83 ec 08 sub $0x8,%rsp
40056c: e8 4f fe ff ff callq 4003c0 <__do_global_dtors_aux>
400571: 48 83 c4 08 add $0x8,%rsp
400575: c3 retq
-------------- next part --------------
A non-text attachment was scrubbed...
Name: neg_memcpy.c
Type: text/x-csrc
Size: 201 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/uclibc/attachments/20110810/1d9a2c4e/attachment-0001.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: neg_memcpy_gcc.log
Type: application/octet-stream
Size: 10284 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/uclibc/attachments/20110810/1d9a2c4e/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: neg_memcpy_mipsel.log
Type: application/octet-stream
Size: 7004 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/uclibc/attachments/20110810/1d9a2c4e/attachment-0003.obj>
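The point of the thread, illustrated with an added example (my code, not Manish's test program and not uClibc's or glibc's memcpy): a length of (size_t)-1 is SIZE_MAX, so a memcpy that compares the count as unsigned runs off the end of both 10-byte buffers until it faults, while one whose loop guard compares the count as signed sees a negative number and silently copies nothing, which is exactly how an uninitialised or junk length goes unnoticed. The two small helpers model those two decision points in plain C instead of calling memcpy with the bad length, so the program runs to completion; checked_memcpy and copy_from_int_length are hypothetical names for the caller-side validation that keeps such a length from reaching memcpy at all. One caveat about the x86-64 listing above: gcc expanded the memcpy call inline as cld; rep movsb with %rcx loaded from the -1 stack slot, so that binary never enters glibc's memcpy; build with -fno-builtin-memcpy (or call memcpy through a volatile function pointer) if the aim is to compare the two library implementations rather than the compiler's inline copy.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post or from uClibc). Models the two
 * memcpy length checks discussed in the thread, then shows the caller-side
 * validation that keeps a junk or negative length away from memcpy. */

/* A loop guard written as "if ((signed) n <= 0) return;" skips the copy for
 * every n whose top bit is set: (size_t)-1, and 0x80000000 on 32-bit. Written
 * without the signed cast so the result is fully defined in C. */
static bool signed_guard_skips_copy(size_t n)
{
    return n == 0 || n > (size_t)PTRDIFF_MAX;
}

/* An unsigned implementation tries to move every one of the n bytes; with
 * n == (size_t)-1 that is SIZE_MAX, far past any real buffer, so it faults. */
static size_t unsigned_guard_bytes_attempted(size_t n)
{
    return n;
}

/* Caller-side check (hypothetical helper): refuse any count the destination
 * or source cannot hold. Returns 0 on success, -1 with errno set on refusal. */
static int checked_memcpy(void *dst, size_t dst_cap,
                          const void *src, size_t src_len, size_t n)
{
    if (dst == NULL || src == NULL) { errno = EINVAL; return -1; }
    if (n > dst_cap || n > src_len) { errno = ERANGE; return -1; }
    memcpy(dst, src, n);
    return 0;
}

/* Lengths that arrive as int (parsed headers, uninitialised fields) must be
 * rejected before the implicit int -> size_t conversion turns -1 into SIZE_MAX. */
static int copy_from_int_length(void *dst, size_t dst_cap,
                                const void *src, size_t src_len, int len)
{
    if (len < 0) { errno = EINVAL; return -1; }
    return checked_memcpy(dst, dst_cap, src, src_len, (size_t)len);
}

/* Runs the post's scenario (two 10-byte buffers, size = -1) through the
 * checked paths. Returns 0 if every bad length was refused and the good one
 * was copied, or a small nonzero code identifying the first failed step. */
static int run_scenario(void)
{
    char src[10] = "ABCDEFGHI";             /* constructed sample data */
    char dest[10] = {0};
    size_t size = (size_t)-1;               /* the post's "negative" length */

    if (!signed_guard_skips_copy(size)) return 1;
    if (unsigned_guard_bytes_attempted(size) != SIZE_MAX) return 2;
    if (checked_memcpy(dest, sizeof dest, src, sizeof src, size) != -1
        || errno != ERANGE) return 3;
    if (copy_from_int_length(dest, sizeof dest, src, sizeof src, -1) != -1
        || errno != EINVAL) return 4;
    if (copy_from_int_length(dest, sizeof dest, src, sizeof src, 10) != 0) return 5;
    if (memcmp(dest, src, sizeof src) != 0) return 6;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Neither library behaviour is the safe answer: the unsigned one crashes at the first unmapped page, the signed one hides the bug. The check belongs in the caller, before a length derived from untrusted or uninitialised data is converted to size_t.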