CVE-2016-6264

An attacker who controls the length parameter passed to the `memset` function can supply a negative value (e.g., `0xffff0000`). Because the ARM assembly uses a signed comparison (`BLT`), a negative length is treated as less than zero, causing the computed PC-relative offset to become very large and leading to a crash [ref_id=1]. The advisory notes that the attack requires the application to allow a user to control a memory chunk larger than 2GB, making code execution "a bit unrealistic," but a denial-of-service proof of concept exists [ref_id=1].

The vulnerable code is in `libc/string/arm/memset.S` in both uClibc and uClibc-ng before version 1.0.16 [ref_id=1]. The ARM assembly implementation of `memset` uses a signed comparison instruction (`BLT`) to check the length parameter, which causes incorrect behavior for negative length values [ref_id=1].

The fix, committed in uClibc-ng version 1.0.16, changes the signed comparison (`BLT`) to an unsigned comparison in the ARM `memset.S` implementation [ref_id=1]. This ensures that a negative length value (interpreted as a very large unsigned value) is not incorrectly treated as a small positive value, preventing the out-of-bounds PC-relative jump that caused the crash [ref_id=1]. No patch is shown for the original uClibc project, but the advisory indicates the same fix is needed there [ref_id=1].