On Wed, Aug 10, 2011 at 1:54 AM, Rich Felker <dal...@aerifal.cx> wrote:
> On Tue, Aug 09, 2011 at 06:49:58PM +0200, Laurent Bercot wrote:
>> I would guess that the glibc goes out of its way to check that the
>> memcpy() arguments are valid and makes a point to crash when they are
>> not, which is a safe behaviour but requires extra code, whereas the
>> uClibc does not perform such checks, and may crash or may happily
>> copy 4 GB of memory all over the place, or fly demons through your nose.
>
> No, I think glibc is correctly treating the argument as unsigned and
> looping until it crashes, while uClibc is wrongly treating the
> argument as unsigned and copying nothing. This doesn't matter for
> sizes like 0xffffffff which are invalid anyway, but it could matter
> for sizes like 0x80000000 if uClibc's malloc allows allocations that
> large.
>
I agree with Rich. Our target hardware is still buggy. Sometimes we get
junk data from our memory and some operations like memcpy() are performed
based on that data. Sometimes the data is not initialized (bug!) and is
passed as parameters to these functions. memcpy() certainly cannot copy
data of size 0xffffffff (it should throw segfault). I could not find this
bug in my application until I ran a memory debugger which crashed with
segfault. I am attaching the source and disassembly of both gcc and
mipsel (also inline). I think it can be helpful.

> (I'm using 32-bit examples because you can never have allocations
> nearly as large as SIZE_MAX on current 64-bit machines.)
>
> Rich

neg_memcpy.c
------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    size_t size = -1;   /* -1 converted to size_t wraps to SIZE_MAX */
    char src[10] = {0, }, dest[10] = {0, };
    memcpy(dest, src, size);   /* SIZE_MAX-byte copy between two 10-byte buffers */
    return 1;
}

Disassembly:

1.
mipsel:
------------------
neg_memcpy_mipsel:     file format elf32-tradlittlemips

Disassembly of section .init:

004004f0 <_init>:
  4004f0:  3c1c0002  lui gp,0x2
  4004f4:  279c8340  addiu gp,gp,-31936
  4004f8:  0399e021  addu gp,gp,t9
  4004fc:  27bdffe0  addiu sp,sp,-32
  400500:  afbc0010  sw gp,16(sp)
  400504:  afbf001c  sw ra,28(sp)
  400508:  afbc0018  sw gp,24(sp)
  40050c:  04110001  bal 400514 <_init+0x24>
  400510:  00000000  nop
  400514:  0c1001a7  jal 40069c <frame_dummy>
  400518:  00000000  nop
  40051c:  04110001  bal 400524 <_init+0x34>
  400520:  00000000  nop
  400524:  0c1001dc  jal 400770 <__do_global_ctors_aux>
  400528:  00000000  nop
  40052c:  8fbf001c  lw ra,28(sp)
  400530:  03e00008  jr ra
  400534:  27bd0020  addiu sp,sp,32

Disassembly of section .plt:

00400540 <_PROCEDURE_LINKAGE_TABLE_>:
  400540:  3c1c0041  lui gp,0x41
  400544:  8f990824  lw t9,2084(gp)
  400548:  279c0824  addiu gp,gp,2084
  40054c:  031cc023  subu t8,t8,gp
  400550:  03e07821  move t7,ra
  400554:  0018c082  srl t8,t8,0x2
  400558:  0320f809  jalr t9
  40055c:  2718fffe  addiu t8,t8,-2

00400560 <__deregister_frame_info@plt>:
  400560:  3c0f0041  lui t7,0x41
  400564:  8df9082c  lw t9,2092(t7)
  400568:  03200008  jr t9
  40056c:  25f8082c  addiu t8,t7,2092

00400570 <memcpy@plt>:
  400570:  3c0f0041  lui t7,0x41
  400574:  8df90830  lw t9,2096(t7)
  400578:  03200008  jr t9
  40057c:  25f80830  addiu t8,t7,2096

00400580 <__register_frame_info@plt>:
  400580:  3c0f0041  lui t7,0x41
  400584:  8df90834  lw t9,2100(t7)
  400588:  03200008  jr t9
  40058c:  25f80834  addiu t8,t7,2100

00400590 <__uClibc_main@plt>:
  400590:  3c0f0041  lui t7,0x41
  400594:  8df90838  lw t9,2104(t7)
  400598:  03200008  jr t9
  40059c:  25f80838  addiu t8,t7,2104

Disassembly of section .text:

004005a0 <__start>:
  4005a0:  3c1c0042  lui gp,0x42
  4005a4:  279c8830  addiu gp,gp,-30672
  4005a8:  0000f821  move ra,zero
  4005ac:  3c040040  lui a0,0x40
  4005b0:  24840700  addiu a0,a0,1792
  4005b4:  8fa50000  lw a1,0(sp)
  4005b8:  27a60004  addiu a2,sp,4
  4005bc:  2401fff8  li at,-8
  4005c0:  03a1e824  and sp,sp,at
  4005c4:  27bdffe0  addiu sp,sp,-32
  4005c8:  3c070040  lui a3,0x40
  4005cc:  24e704f0  addiu a3,a3,1264
  4005d0:  3c080040  lui t0,0x40
  4005d4:  250807c0  addiu t0,t0,1984
  4005d8:  afa80010  sw t0,16(sp)
  4005dc:  afa20014  sw v0,20(sp)
  4005e0:  0c100164  jal 400590 <__uClibc_main@plt>
  4005e4:  afbd0018  sw sp,24(sp)

004005e8 <hlt>:
  4005e8:  1000ffff  b 4005e8 <hlt>
  4005ec:  00000000  nop

004005f0 <__do_global_dtors_aux>:
  4005f0:  3c020041  lui v0,0x41
  4005f4:  90420850  lbu v0,2128(v0)
  4005f8:  27bdffd8  addiu sp,sp,-40
  4005fc:  afbf0024  sw ra,36(sp)
  400600:  afb20020  sw s2,32(sp)
  400604:  afb1001c  sw s1,28(sp)
  400608:  1440001e  bnez v0,400684 <__do_global_dtors_aux+0x94>
  40060c:  afb00018  sw s0,24(sp)
  400610:  3c110041  lui s1,0x41
  400614:  3c120041  lui s2,0x41
  400618:  26310804  addiu s1,s1,2052
  40061c:  26520808  addiu s2,s2,2056
  400620:  02519023  subu s2,s2,s1
  400624:  00129083  sra s2,s2,0x2
  400628:  2652ffff  addiu s2,s2,-1
  40062c:  08100193  j 40064c <__do_global_dtors_aux+0x5c>
  400630:  3c100041  lui s0,0x41
  400634:  ae020854  sw v0,2132(s0)
  400638:  00021080  sll v0,v0,0x2
  40063c:  00511021  addu v0,v0,s1
  400640:  8c590000  lw t9,0(v0)
  400644:  0320f809  jalr t9
  400648:  00000000  nop
  40064c:  8e020854  lw v0,2132(s0)
  400650:  0052182b  sltu v1,v0,s2
  400654:  1460fff7  bnez v1,400634 <__do_global_dtors_aux+0x44>
  400658:  24420001  addiu v0,v0,1
  40065c:  3c020040  lui v0,0x40
  400660:  24420560  addiu v0,v0,1376
  400664:  10400005  beqz v0,40067c <__do_global_dtors_aux+0x8c>
  400668:  24030001  li v1,1
  40066c:  3c040040  lui a0,0x40
  400670:  0c100158  jal 400560 <__deregister_frame_info@plt>
  400674:  248407f8  addiu a0,a0,2040
  400678:  24030001  li v1,1
  40067c:  3c020041  lui v0,0x41
  400680:  a0430850  sb v1,2128(v0)
  400684:  8fbf0024  lw ra,36(sp)
  400688:  8fb20020  lw s2,32(sp)
  40068c:  8fb1001c  lw s1,28(sp)
  400690:  8fb00018  lw s0,24(sp)
  400694:  03e00008  jr ra
  400698:  27bd0028  addiu sp,sp,40

0040069c <frame_dummy>:
  40069c:  3c020040  lui v0,0x40
  4006a0:  27bdffe0  addiu sp,sp,-32
  4006a4:  24420580  addiu v0,v0,1408
  4006a8:  10400006  beqz v0,4006c4 <frame_dummy+0x28>
  4006ac:  afbf001c  sw ra,28(sp)
  4006b0:  3c040040  lui a0,0x40
  4006b4:  3c050041  lui a1,0x41
  4006b8:  248407f8  addiu a0,a0,2040
  4006bc:  0c100160  jal 400580 <__register_frame_info@plt>
  4006c0:  24a50858  addiu a1,a1,2136
  4006c4:  3c040041  lui a0,0x41
  4006c8:  8c82080c  lw v0,2060(a0)
  4006cc:  10400007  beqz v0,4006ec <frame_dummy+0x50>
  4006d0:  3c190000  lui t9,0x0
  4006d4:  27390000  addiu t9,t9,0
  4006d8:  13200004  beqz t9,4006ec <frame_dummy+0x50>
  4006dc:  8fbf001c  lw ra,28(sp)
  4006e0:  2484080c  addiu a0,a0,2060
  4006e4:  03200008  jr t9
  4006e8:  27bd0020  addiu sp,sp,32
  4006ec:  8fbf001c  lw ra,28(sp)
  4006f0:  03e00008  jr ra
  4006f4:  27bd0020  addiu sp,sp,32
  ...

00400700 <main>:
  400700:  27bdffc0  addiu sp,sp,-64
  400704:  afbf003c  sw ra,60(sp)
  400708:  afbe0038  sw s8,56(sp)
  40070c:  03a0f021  move s8,sp
  400710:  2402ffff  li v0,-1
  400714:  afc20018  sw v0,24(s8)
  400718:  afc0001c  sw zero,28(s8)
  40071c:  afc00020  sw zero,32(s8)
  400720:  a7c00024  sh zero,36(s8)
  400724:  afc00028  sw zero,40(s8)
  400728:  afc0002c  sw zero,44(s8)
  40072c:  a7c00030  sh zero,48(s8)
  400730:  27c30028  addiu v1,s8,40
  400734:  27c2001c  addiu v0,s8,28
  400738:  00602021  move a0,v1
  40073c:  00402821  move a1,v0
  400740:  8fc60018  lw a2,24(s8)
  400744:  0c10015c  jal 400570 <memcpy@plt>
  400748:  00000000  nop
  40074c:  24020001  li v0,1
  400750:  03c0e821  move sp,s8
  400754:  8fbf003c  lw ra,60(sp)
  400758:  8fbe0038  lw s8,56(sp)
  40075c:  27bd0040  addiu sp,sp,64
  400760:  03e00008  jr ra
  400764:  00000000  nop
  ...

00400770 <__do_global_ctors_aux>:
  400770:  27bdffd8  addiu sp,sp,-40
  400774:  afb0001c  sw s0,28(sp)
  400778:  3c100041  lui s0,0x41
  40077c:  afb10020  sw s1,32(sp)
  400780:  afbf0024  sw ra,36(sp)
  400784:  261007fc  addiu s0,s0,2044
  400788:  081001e6  j 400798 <__do_global_ctors_aux+0x28>
  40078c:  2411ffff  li s1,-1
  400790:  0320f809  jalr t9
  400794:  2610fffc  addiu s0,s0,-4
  400798:  8e190000  lw t9,0(s0)
  40079c:  1731fffc  bne t9,s1,400790 <__do_global_ctors_aux+0x20>
  4007a0:  8fbf0024  lw ra,36(sp)
  4007a4:  8fb10020  lw s1,32(sp)
  4007a8:  8fb0001c  lw s0,28(sp)
  4007ac:  03e00008  jr ra
  4007b0:  27bd0028  addiu sp,sp,40
  ...
Disassembly of section .fini:

004007c0 <_fini>:
  4007c0:  3c1c0002  lui gp,0x2
  4007c4:  279c8070  addiu gp,gp,-32656
  4007c8:  0399e021  addu gp,gp,t9
  4007cc:  27bdffe0  addiu sp,sp,-32
  4007d0:  afbc0010  sw gp,16(sp)
  4007d4:  afbf001c  sw ra,28(sp)
  4007d8:  afbc0018  sw gp,24(sp)
  4007dc:  04110001  bal 4007e4 <_fini+0x24>
  4007e0:  00000000  nop
  4007e4:  0c10017c  jal 4005f0 <__do_global_dtors_aux>
  4007e8:  00000000  nop
  4007ec:  8fbf001c  lw ra,28(sp)
  4007f0:  03e00008  jr ra
  4007f4:  27bd0020  addiu sp,sp,32

2. gcc:
---------
neg_memcpy_gcc:     file format elf64-x86-64

Disassembly of section .init:

0000000000400338 <_init>:
  400338:  48 83 ec 08              sub $0x8,%rsp
  40033c:  e8 5b 00 00 00           callq 40039c <call_gmon_start>
  400341:  e8 da 00 00 00           callq 400420 <frame_dummy>
  400346:  e8 e5 01 00 00           callq 400530 <__do_global_ctors_aux>
  40034b:  48 83 c4 08              add $0x8,%rsp
  40034f:  c3                       retq

Disassembly of section .plt:

0000000000400350 <__libc_start_main@plt-0x10>:
  400350:  ff 35 ba 04 20 00        pushq 2098362(%rip)   # 600810 <_GLOBAL_OFFSET_TABLE_+0x8>
  400356:  ff 25 bc 04 20 00        jmpq *2098364(%rip)   # 600818 <_GLOBAL_OFFSET_TABLE_+0x10>
  40035c:  0f 1f 40 00              nopl 0x0(%rax)

0000000000400360 <__libc_start_main@plt>:
  400360:  ff 25 ba 04 20 00        jmpq *2098362(%rip)   # 600820 <_GLOBAL_OFFSET_TABLE_+0x18>
  400366:  68 00 00 00 00           pushq $0x0
  40036b:  e9 e0 ff ff ff           jmpq 400350 <_init+0x18>

Disassembly of section .text:

0000000000400370 <_start>:
  400370:  31 ed                    xor %ebp,%ebp
  400372:  49 89 d1                 mov %rdx,%r9
  400375:  5e                       pop %rsi
  400376:  48 89 e2                 mov %rsp,%rdx
  400379:  48 83 e4 f0              and $0xfffffffffffffff0,%rsp
  40037d:  50                       push %rax
  40037e:  54                       push %rsp
  40037f:  49 c7 c0 90 04 40 00     mov $0x400490,%r8
  400386:  48 c7 c1 a0 04 40 00     mov $0x4004a0,%rcx
  40038d:  48 c7 c7 48 04 40 00     mov $0x400448,%rdi
  400394:  e8 c7 ff ff ff           callq 400360 <__libc_start_main@plt>
  400399:  f4                       hlt
  40039a:  90                       nop
  40039b:  90                       nop

000000000040039c <call_gmon_start>:
  40039c:  48 83 ec 08              sub $0x8,%rsp
  4003a0:  48 8b 05 59 04 20 00     mov 2098265(%rip),%rax   # 600800 <_DYNAMIC+0x190>
  4003a7:  48 85 c0                 test %rax,%rax
  4003aa:  74 02                    je 4003ae <call_gmon_start+0x12>
  4003ac:  ff d0                    callq *%rax
  4003ae:  48 83 c4 08              add $0x8,%rsp
  4003b2:  c3                       retq
  4003b3:  90                       nop
  4003b4:  90                       nop
  4003b5:  90                       nop
  4003b6:  90                       nop
  4003b7:  90                       nop
  4003b8:  90                       nop
  4003b9:  90                       nop
  4003ba:  90                       nop
  4003bb:  90                       nop
  4003bc:  90                       nop
  4003bd:  90                       nop
  4003be:  90                       nop
  4003bf:  90                       nop

00000000004003c0 <__do_global_dtors_aux>:
  4003c0:  55                       push %rbp
  4003c1:  48 89 e5                 mov %rsp,%rbp
  4003c4:  53                       push %rbx
  4003c5:  48 83 ec 08              sub $0x8,%rsp
  4003c9:  80 3d 68 04 20 00 00     cmpb $0x0,2098280(%rip)   # 600838 <completed.6145>
  4003d0:  75 44                    jne 400416 <__do_global_dtors_aux+0x56>
  4003d2:  b8 60 06 60 00           mov $0x600660,%eax
  4003d7:  48 2d 58 06 60 00        sub $0x600658,%rax
  4003dd:  48 c1 f8 03              sar $0x3,%rax
  4003e1:  48 8d 58 ff              lea 0xffffffffffffffff(%rax),%rbx
  4003e5:  48 8b 05 44 04 20 00     mov 2098244(%rip),%rax   # 600830 <dtor_idx.6147>
  4003ec:  48 39 c3                 cmp %rax,%rbx
  4003ef:  76 1e                    jbe 40040f <__do_global_dtors_aux+0x4f>
  4003f1:  48 83 c0 01              add $0x1,%rax
  4003f5:  48 89 05 34 04 20 00     mov %rax,2098228(%rip)   # 600830 <dtor_idx.6147>
  4003fc:  ff 14 c5 58 06 60 00     callq *0x600658(,%rax,8)
  400403:  48 8b 05 26 04 20 00     mov 2098214(%rip),%rax   # 600830 <dtor_idx.6147>
  40040a:  48 39 c3                 cmp %rax,%rbx
  40040d:  77 e2                    ja 4003f1 <__do_global_dtors_aux+0x31>
  40040f:  c6 05 22 04 20 00 01     movb $0x1,2098210(%rip)   # 600838 <completed.6145>
  400416:  48 83 c4 08              add $0x8,%rsp
  40041a:  5b                       pop %rbx
  40041b:  c9                       leaveq
  40041c:  c3                       retq
  40041d:  0f 1f 00                 nopl (%rax)

0000000000400420 <frame_dummy>:
  400420:  55                       push %rbp
  400421:  48 83 3d 3f 02 20 00     cmpq $0x0,2097727(%rip)   # 600668 <__JCR_END__>
  400428:  00
  400429:  48 89 e5                 mov %rsp,%rbp
  40042c:  74 16                    je 400444 <frame_dummy+0x24>
  40042e:  b8 00 00 00 00           mov $0x0,%eax
  400433:  48 85 c0                 test %rax,%rax
  400436:  74 0c                    je 400444 <frame_dummy+0x24>
  400438:  bf 68 06 60 00           mov $0x600668,%edi
  40043d:  49 89 c3                 mov %rax,%r11
  400440:  c9                       leaveq
  400441:  41 ff e3                 jmpq *%r11
  400444:  c9                       leaveq
  400445:  c3                       retq
  400446:  90                       nop
  400447:  90                       nop
0000000000400448 <main>:
#include <stdlib.h>
#include <string.h>

int main() {
  400448:  55                       push %rbp
  400449:  48 89 e5                 mov %rsp,%rbp
  size_t size = -1;
  40044c:  48 c7 45 f8 ff ff ff     movq $0xffffffffffffffff,0xfffffffffffffff8(%rbp)
  400453:  ff
  char src[10] = {0, }, dest[10] = {0, };
  400454:  48 c7 45 e0 00 00 00     movq $0x0,0xffffffffffffffe0(%rbp)
  40045b:  00
  40045c:  66 c7 45 e8 00 00        movw $0x0,0xffffffffffffffe8(%rbp)
  400462:  48 c7 45 d0 00 00 00     movq $0x0,0xffffffffffffffd0(%rbp)
  400469:  00
  40046a:  66 c7 45 d8 00 00        movw $0x0,0xffffffffffffffd8(%rbp)
  memcpy(dest, src, size);
  400470:  48 8d 45 d0              lea 0xffffffffffffffd0(%rbp),%rax
  400474:  48 8d 55 e0              lea 0xffffffffffffffe0(%rbp),%rdx
  400478:  48 8b 4d f8              mov 0xfffffffffffffff8(%rbp),%rcx
  40047c:  48 89 c7                 mov %rax,%rdi
  40047f:  48 89 d6                 mov %rdx,%rsi
  400482:  fc                       cld
  400483:  f3 a4                    rep movsb %ds:(%rsi),%es:(%rdi)
  return 1;
  400485:  b8 01 00 00 00           mov $0x1,%eax
}
  40048a:  c9                       leaveq
  40048b:  c3                       retq
  40048c:  90                       nop
  40048d:  90                       nop
  40048e:  90                       nop
  40048f:  90                       nop

0000000000400490 <__libc_csu_fini>:
  400490:  f3 c3                    repz retq
  400492:  0f 1f 80 00 00 00 00     nopl 0x0(%rax)
  400499:  0f 1f 80 00 00 00 00     nopl 0x0(%rax)

00000000004004a0 <__libc_csu_init>:
  4004a0:  4c 89 64 24 e0           mov %r12,0xffffffffffffffe0(%rsp)
  4004a5:  4c 89 6c 24 e8           mov %r13,0xffffffffffffffe8(%rsp)
  4004aa:  4c 8d 25 93 01 20 00     lea 2097555(%rip),%r12   # 600644 <__fini_array_end>
  4004b1:  4c 89 74 24 f0           mov %r14,0xfffffffffffffff0(%rsp)
  4004b6:  4c 89 7c 24 f8           mov %r15,0xfffffffffffffff8(%rsp)
  4004bb:  49 89 f6                 mov %rsi,%r14
  4004be:  48 89 5c 24 d0           mov %rbx,0xffffffffffffffd0(%rsp)
  4004c3:  48 89 6c 24 d8           mov %rbp,0xffffffffffffffd8(%rsp)
  4004c8:  48 83 ec 38              sub $0x38,%rsp
  4004cc:  41 89 ff                 mov %edi,%r15d
  4004cf:  49 89 d5                 mov %rdx,%r13
  4004d2:  e8 61 fe ff ff           callq 400338 <_init>
  4004d7:  48 8d 05 66 01 20 00     lea 2097510(%rip),%rax   # 600644 <__fini_array_end>
  4004de:  49 29 c4                 sub %rax,%r12
  4004e1:  49 c1 fc 03              sar $0x3,%r12
  4004e5:  4d 85 e4                 test %r12,%r12
  4004e8:  74 1e                    je 400508 <__libc_csu_init+0x68>
  4004ea:  31 ed                    xor %ebp,%ebp
  4004ec:  48 89 c3                 mov %rax,%rbx
  4004ef:  90                       nop
  4004f0:  48 83 c5 01              add $0x1,%rbp
  4004f4:  4c 89 ea                 mov %r13,%rdx
  4004f7:  4c 89 f6                 mov %r14,%rsi
  4004fa:  44 89 ff                 mov %r15d,%edi
  4004fd:  ff 13                    callq *(%rbx)
  4004ff:  48 83 c3 08              add $0x8,%rbx
  400503:  49 39 ec                 cmp %rbp,%r12
  400506:  75 e8                    jne 4004f0 <__libc_csu_init+0x50>
  400508:  48 8b 5c 24 08           mov 0x8(%rsp),%rbx
  40050d:  48 8b 6c 24 10           mov 0x10(%rsp),%rbp
  400512:  4c 8b 64 24 18           mov 0x18(%rsp),%r12
  400517:  4c 8b 6c 24 20           mov 0x20(%rsp),%r13
  40051c:  4c 8b 74 24 28           mov 0x28(%rsp),%r14
  400521:  4c 8b 7c 24 30           mov 0x30(%rsp),%r15
  400526:  48 83 c4 38              add $0x38,%rsp
  40052a:  c3                       retq
  40052b:  90                       nop
  40052c:  90                       nop
  40052d:  90                       nop
  40052e:  90                       nop
  40052f:  90                       nop

0000000000400530 <__do_global_ctors_aux>:
  400530:  55                       push %rbp
  400531:  48 89 e5                 mov %rsp,%rbp
  400534:  53                       push %rbx
  400535:  bb 48 06 60 00           mov $0x600648,%ebx
  40053a:  48 83 ec 08              sub $0x8,%rsp
  40053e:  48 8b 05 03 01 20 00     mov 2097411(%rip),%rax   # 600648 <__CTOR_LIST__>
  400545:  48 83 f8 ff              cmp $0xffffffffffffffff,%rax
  400549:  74 14                    je 40055f <__do_global_ctors_aux+0x2f>
  40054b:  0f 1f 44 00 00           nopl 0x0(%rax,%rax,1)
  400550:  48 83 eb 08              sub $0x8,%rbx
  400554:  ff d0                    callq *%rax
  400556:  48 8b 03                 mov (%rbx),%rax
  400559:  48 83 f8 ff              cmp $0xffffffffffffffff,%rax
  40055d:  75 f1                    jne 400550 <__do_global_ctors_aux+0x20>
  40055f:  48 83 c4 08              add $0x8,%rsp
  400563:  5b                       pop %rbx
  400564:  c9                       leaveq
  400565:  c3                       retq
  400566:  90                       nop
  400567:  90                       nop

Disassembly of section .fini:

0000000000400568 <_fini>:
  400568:  48 83 ec 08              sub $0x8,%rsp
  40056c:  e8 4f fe ff ff           callq 4003c0 <__do_global_dtors_aux>
  400571:  48 83 c4 08              add $0x8,%rsp
  400575:  c3                       retq
_______________________________________________
uClibc mailing list
uClibc@uclibc.org
http://lists.busybox.net/mailman/listinfo/uclibc
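A checked copy helper, added here as an example and not taken from the thread or from uClibc, that refuses the (size_t)-1 request from neg_memcpy.c before any bytes move, so the junk-length case lands in an error path instead of a walk through memory. The names checked_memcpy, SANE_SIZE_MAX and demo_negative_size are assumptions of this example; the SANE_SIZE_MAX bound borrows the RSIZE_MAX idea from C11 Annex K.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound, in the spirit of C11 Annex K's RSIZE_MAX: a length with
 * the top bit set is treated as a negative value that leaked into a
 * size_t (e.g. (size_t)-1 == SIZE_MAX), not as a genuine request. */
#define SANE_SIZE_MAX (SIZE_MAX >> 1)

/* Copies n bytes and returns 0, or returns -1 without touching dst when
 * the request is implausible: NULL pointers, n above SANE_SIZE_MAX,
 * n larger than the destination capacity, or overlapping buffers. */
int checked_memcpy(void *dst, size_t dst_cap, const void *src, size_t n)
{
    if (dst == NULL || src == NULL)
        return -1;
    if (n > SANE_SIZE_MAX)   /* rejects 0xffffffff-style lengths */
        return -1;
    if (n > dst_cap)         /* rejects the classic destination overflow */
        return -1;
    /* Overlap check on integer addresses; the subtraction form avoids
     * the overflow that d + n or s + n could produce for large n. */
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (d < s ? s - d < n : d - s < n)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Re-runs the thread's test case behind the guard. Returns 1 when the
 * (size_t)-1 request is rejected and dest is left untouched. */
int demo_negative_size(void)
{
    size_t size = -1;                 /* same as neg_memcpy.c: SIZE_MAX */
    char src[10] = {0x41}, dest[10] = {0};
    int rc = checked_memcpy(dest, sizeof dest, src, size);
    return rc == -1 && dest[0] == 0;
}

int main(void)
{
    printf("(size_t)-1 == SIZE_MAX: %d\n", (size_t)-1 == SIZE_MAX);
    printf("bogus copy rejected:    %d\n", demo_negative_size());
    return 0;
}
```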