NetBSD Problem Report #50228

From chris@groessler.org  Thu Sep 10 21:11:33 2015
Return-Path: <chris@groessler.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id E7E95A65B7
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 10 Sep 2015 21:11:32 +0000 (UTC)
Message-Id: <20150910200057.4C0032584F@muc-twinppc.groessler.org>
Date: Thu, 10 Sep 2015 22:00:57 +0200 (CEST)
From: chris@groessler.org
Reply-To: chris@groessler.org
To: gnats-bugs@NetBSD.org
Subject: bzero with zero length crashes
X-Send-Pr-Version: 3.95

>Number:         50228
>Category:       port-macppc
>Synopsis:       bzero with zero length crashes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-macppc-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 10 21:15:00 +0000 2015
>Closed-Date:    Sat Jan 07 18:04:54 +0000 2017
>Last-Modified:  Sat Jan 07 18:04:54 +0000 2017
>Originator:     Christian Groessler
>Release:        NetBSD 7.99.21
>Organization:
private
>Environment:


System: NetBSD muc-twinppc 7.99.21 NetBSD 7.99.21 (TWINPPC.MP) #0: Thu Sep 10 07:31:03 CEST 2015 chris@muc-twinppc:/local/netbsd-src/obj/sys/arch/macppc/compile/TWINPPC.MP macppc
Architecture: powerpc
Machine: macppc
>Description:
	bzero(buffer, 0) zeroes out everything from <buffer> to 0xffffefff, then it crashes.
>How-To-Repeat:
	Here's a test program:

$ cat test.c 
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

extern int ret0(void);

int main(void)
{
        char *x;
        int len = ret0();

        x = alloca(0);
        printf("x: %p\n", x);

        bzero(x, len);

        printf("good\n");

        return 0;
}
$ cat test1.c 
int ret0(void) { return 0; }

$ gcc -o t test.c test1.c 
$ ./t 
x: 0xffffdc78
Segmentation fault (core dumped)
$ 


bzero(xxx, 0) is optimized away by the compiler, therefore the length comes from the test1.c file. 
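
A regression check for the behaviour reported above, written for this note and not the t_memset.c test that was committed later in this PR: a canary region surrounds the target buffer so that a bzero() which writes past the requested length is detected instead of silently trusted, and the length is passed through a volatile so the compiler cannot fold bzero(p, 0) away (the reason the original program is split across two files). The CANARY, GUARD and BUFLEN values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed regression check for PR 50228 (not NetBSD's own test).
 * A canary region surrounds the target buffer; after bzero() we verify
 * that only the requested bytes were cleared.  On the broken powerpc
 * libc a zero length would clobber the trailing canary (or crash)
 * rather than return 1. */

#define CANARY  0xA5
#define GUARD   16
#define BUFLEN  64

/* Returns 1 if bzero(buf, len) cleared exactly len bytes and nothing else,
 * 0 otherwise.  len must not exceed BUFLEN. */
static int
bzero_touches_exactly(size_t len)
{
    unsigned char region[GUARD + BUFLEN + GUARD];
    volatile size_t vlen = len;   /* defeat constant propagation of len */
    size_t i;

    if (len > BUFLEN)
        return 0;

    memset(region, CANARY, sizeof(region));
    bzero(region + GUARD, vlen);

    for (i = 0; i < sizeof(region); i++) {
        int in_target = i >= GUARD && i < GUARD + len;
        unsigned char expect = in_target ? 0 : CANARY;
        if (region[i] != expect)
            return 0;
    }
    return 1;
}

int
main(void)
{
    size_t lens[] = { 0, 1, 7, BUFLEN };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("bzero len %zu: %s\n", lens[i],
               bzero_touches_exactly(lens[i]) ? "ok" : "FAIL");
    return 0;
}
```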

>Fix:


>Release-Note:

>Audit-Trail:
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/50228 CVS commit: src/tests/lib/libc/string
Date: Fri, 11 Sep 2015 09:25:52 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Fri Sep 11 09:25:52 UTC 2015

 Modified Files:
 	src/tests/lib/libc/string: t_memset.c

 Log Message:
 Add two test cases that should cover PR 50228.


 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.4 src/tests/lib/libc/string/t_memset.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Christian Groessler <chris@groessler.org>
To: gnats-bugs@NetBSD.org
Cc: chris@groessler.org
Subject: Re: port-macppc/50228
Date: Mon, 12 Dec 2016 21:34:57 +0100

 I've added a check for zero size right at the beginning of "bzero" and
 this change fixes the problem for me:

 --------------
 diff -u -p -r1.14 bzero.S
 --- lib/libc/arch/powerpc/string/bzero.S	12 Sep 2013 15:36:15 -0000	1.14
 +++ lib/libc/arch/powerpc/string/bzero.S	12 Dec 2016 19:10:44 -0000
 @@ -53,6 +53,8 @@ __RCSID("$NetBSD: bzero.S,v 1.14 2013/09
  		.text
  		.align 4
  ENTRY(bzero)
 +		cmplwi	%cr1, %r4, 0		/* Zero length? */
 +		beqlr-	%cr1			/* Yes, do nothing */
  		li	r_val, 0		/* Value to stuff in */
  		b	cb_memset
  END(bzero)
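 Review bot: the new guard carries no note of why it exists, so a later cleanup could drop it as redundant; a comment above the cmplwi such as `/* cb_memset assumes a non-zero length; memset checks before entering it */` would record that. The register is right for bzero's two-argument signature: the length is in %r4 here, whereas memset's own guard tests %r5 (its third argument), and reusing %cr1 with beqlr- keeps the two entry points consistent.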
 --------------

 regards,
 chris

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, port-macppc-maintainer@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, chris@groessler.org
Cc: 
Subject: Re: port-macppc/50228
Date: Mon, 12 Dec 2016 18:24:38 -0500

 On Dec 12,  9:45pm, chris@groessler.org (Christian Groessler) wrote:
 -- Subject: Re: port-macppc/50228

 |  I've added a check for zero size right at the beginning of "bzero" and
 |  this change fixes the problem for me:

 But doesn't memset() need the same?

 christos

From: matthew green <mrg@eterna.com.au>
To: christos@zoulas.com (Christos Zoulas)
Cc: gnats-bugs@NetBSD.org, port-macppc-maintainer@netbsd.org,
    gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, chris@groessler.org
Subject: re: port-macppc/50228
Date: Tue, 13 Dec 2016 12:37:41 +1100

 Christos Zoulas writes:
 > On Dec 12,  9:45pm, chris@groessler.org (Christian Groessler) wrote:
 > -- Subject: Re: port-macppc/50228
 > 
 > |  I've added a check for zero size right at the beginning of "bzero" and
 > |  this change fixes the problem for me:
 > 
 > But doesn't memset() need the same?

 it has them?

 ENTRY(memset)   
                 cmplwi  %cr1, %r5, 0
                 mr.     %r0, %r4
                 mr      %r8, %r3
                 beqlr-  %cr1                    /* Nothing to do */
 [ .. ]


 .mrg.

From: Christian Groessler <chris@groessler.org>
To: gnats-bugs@NetBSD.org
Cc: Christos Zoulas <christos@zoulas.com>, matthew green <mrg@eterna.com.au>,
        chris@groessler.org
Subject: Re: port-macppc/50228
Date: Mon, 19 Dec 2016 14:35:27 +0100

 ping?

 Is there anything wrong with the patch?

 regards,
 chris

From: christos@zoulas.com (Christos Zoulas)
To: Christian Groessler <chris@groessler.org>, gnats-bugs@NetBSD.org
Cc: matthew green <mrg@eterna.com.au>
Subject: Re: port-macppc/50228
Date: Mon, 19 Dec 2016 09:27:39 -0500

 On Dec 19,  2:35pm, chris@groessler.org (Christian Groessler) wrote:
 -- Subject: Re: port-macppc/50228

 | ping?
 | 
 | Is there anything wrong with the patch?

 No, sorry, I was wondering if it was already done in memset (and bzero
 calls memset), and whether it is also needed here. But now I noticed that it
 is calling cb_memset, and memset does the same test... I will commit
 it right now.

 christos

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/50228 CVS commit: src/lib/libc/arch/powerpc/string
Date: Mon, 19 Dec 2016 09:30:23 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Mon Dec 19 14:30:23 UTC 2016

 Modified Files:
 	src/lib/libc/arch/powerpc/string: bzero.S

 Log Message:
 PR/50228: Christian Groessler: fix bzero(ptr, 0) on ppc. Check for 0 length
 before jumping to cb_memset like memset does.


 To generate a diff of this commit:
 cvs rdiff -u -r1.14 -r1.15 src/lib/libc/arch/powerpc/string/bzero.S

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: matthew green <mrg@eterna.com.au>
To: Christian Groessler <chris@groessler.org>
Cc: Christos Zoulas <christos@zoulas.com>, gnats-bugs@NetBSD.org
Subject: re: port-macppc/50228
Date: Tue, 20 Dec 2016 12:24:21 +1100

 Christian Groessler writes:
 > ping?
 > 
 > Is there anything wrong with the patch?

 i meant to run-test it myself first, but hopefully it works ;)

 thanks.


 .mrg.

From: Christian Groessler <chris@groessler.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-macppc/50228
Date: Sat, 7 Jan 2017 02:36:17 +0100

 I think this ticket can be closed.

 regards,
 chris

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sat, 07 Jan 2017 18:04:54 +0000
State-Changed-Why:
author asked to close, sounds like it's fixed


>Unformatted:
