[v3,1/7] x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
Checks
Context |
Check |
Description |
dj/TryBot-apply_patch |
success
|
Patch applied to master at the time it was sent
|
Commit Message
Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
__wcscmp_avx2. For x86_64 this covers the entire address range so any
length larger could not possibly be used to bound `s1` or `s2`.
test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
---
sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
1 file changed, 10 insertions(+)
Comments
On Mon, Jan 10, 2022 at 1:36 PM Noah Goldstein via Libc-alpha
<libc-alpha@sourceware.org> wrote:
>
> Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
> __wcscmp_avx2. For x86_64 this covers the entire address range so any
> length larger could not possibly be used to bound `s1` or `s2`.
>
> test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
>
> Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
> ---
> sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> index a45f9d2749..9c73b5899d 100644
> --- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
> +++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> @@ -87,6 +87,16 @@ ENTRY (STRCMP)
> je L(char0)
> jb L(zero)
> # ifdef USE_AS_WCSCMP
> +# ifndef __ILP32__
> + movq %rdx, %rcx
> + /* Check if length could overflow when multiplied by
> + sizeof(wchar_t). Checking top 8 bits will cover all potential
> + overflow cases as well as redirect cases where its impossible to
> + length to bound a valid memory region. In these cases just use
> + 'wcscmp'. */
> + shrq $56, %rcx
> + jnz __wcscmp_avx2
> +# endif
> /* Convert units: from wide to byte char. */
> shl $2, %RDX_LP
> # endif
> --
> 2.25.1
>
LGTM.
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Thanks.
On Mon, Jan 10, 2022 at 6:15 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Mon, Jan 10, 2022 at 1:36 PM Noah Goldstein via Libc-alpha
> <libc-alpha@sourceware.org> wrote:
> >
> > Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
> > __wcscmp_avx2. For x86_64 this covers the entire address range so any
> > length larger could not possibly be used to bound `s1` or `s2`.
> >
> > test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
> >
> > Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
> > ---
> > sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > index a45f9d2749..9c73b5899d 100644
> > --- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > +++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > @@ -87,6 +87,16 @@ ENTRY (STRCMP)
> > je L(char0)
> > jb L(zero)
> > # ifdef USE_AS_WCSCMP
> > +# ifndef __ILP32__
> > + movq %rdx, %rcx
> > + /* Check if length could overflow when multiplied by
> > + sizeof(wchar_t). Checking top 8 bits will cover all potential
> > + overflow cases as well as redirect cases where its impossible to
> > + length to bound a valid memory region. In these cases just use
> > + 'wcscmp'. */
> > + shrq $56, %rcx
> > + jnz __wcscmp_avx2
> > +# endif
> > /* Convert units: from wide to byte char. */
> > shl $2, %RDX_LP
> > # endif
> > --
> > 2.25.1
> >
>
> LGTM.
>
> Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
>
> Thanks.
>
> --
> H.J.
I am backporting this to 2.34 branch.
On Wed, Jan 26, 2022 at 2:05 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Mon, Jan 10, 2022 at 6:15 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > On Mon, Jan 10, 2022 at 1:36 PM Noah Goldstein via Libc-alpha
> > <libc-alpha@sourceware.org> wrote:
> > >
> > > Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
> > > __wcscmp_avx2. For x86_64 this covers the entire address range so any
> > > length larger could not possibly be used to bound `s1` or `s2`.
> > >
> > > test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
> > >
> > > Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
> > > ---
> > > sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
> > > 1 file changed, 10 insertions(+)
> > >
> > > diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > index a45f9d2749..9c73b5899d 100644
> > > --- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > +++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > @@ -87,6 +87,16 @@ ENTRY (STRCMP)
> > > je L(char0)
> > > jb L(zero)
> > > # ifdef USE_AS_WCSCMP
> > > +# ifndef __ILP32__
> > > + movq %rdx, %rcx
> > > + /* Check if length could overflow when multiplied by
> > > + sizeof(wchar_t). Checking top 8 bits will cover all potential
> > > + overflow cases as well as redirect cases where its impossible to
> > > + length to bound a valid memory region. In these cases just use
> > > + 'wcscmp'. */
> > > + shrq $56, %rcx
> > > + jnz __wcscmp_avx2
> > > +# endif
> > > /* Convert units: from wide to byte char. */
> > > shl $2, %RDX_LP
> > > # endif
> > > --
> > > 2.25.1
> > >
> >
> > LGTM.
> >
> > Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
> >
> > Thanks.
> >
> > --
> > H.J.
>
> I am backporting this to 2.34 branch.
>
I am backporting this to 2.33 branch.
On Wed, Jan 26, 2022 at 8:29 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Wed, Jan 26, 2022 at 2:05 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > On Mon, Jan 10, 2022 at 6:15 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> > >
> > > On Mon, Jan 10, 2022 at 1:36 PM Noah Goldstein via Libc-alpha
> > > <libc-alpha@sourceware.org> wrote:
> > > >
> > > > Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
> > > > __wcscmp_avx2. For x86_64 this covers the entire address range so any
> > > > length larger could not possibly be used to bound `s1` or `s2`.
> > > >
> > > > test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
> > > >
> > > > Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
> > > > ---
> > > > sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
> > > > 1 file changed, 10 insertions(+)
> > > >
> > > > diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > index a45f9d2749..9c73b5899d 100644
> > > > --- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > +++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > @@ -87,6 +87,16 @@ ENTRY (STRCMP)
> > > > je L(char0)
> > > > jb L(zero)
> > > > # ifdef USE_AS_WCSCMP
> > > > +# ifndef __ILP32__
> > > > + movq %rdx, %rcx
> > > > + /* Check if length could overflow when multiplied by
> > > > + sizeof(wchar_t). Checking top 8 bits will cover all potential
> > > > + overflow cases as well as redirect cases where its impossible to
> > > > + length to bound a valid memory region. In these cases just use
> > > > + 'wcscmp'. */
> > > > + shrq $56, %rcx
> > > > + jnz __wcscmp_avx2
> > > > +# endif
> > > > /* Convert units: from wide to byte char. */
> > > > shl $2, %RDX_LP
> > > > # endif
> > > > --
> > > > 2.25.1
> > > >
> > >
> > > LGTM.
> > >
> > > Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
> > >
> > > Thanks.
> > >
> > > --
> > > H.J.
> >
> > I am backporting this to 2.34 branch.
> >
>
> I am backporting this to 2.33 branch.
>
I am backporting this to all affected release branches.
On Wed, Jan 26, 2022 at 11:11 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Wed, Jan 26, 2022 at 8:29 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > On Wed, Jan 26, 2022 at 2:05 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> > >
> > > On Mon, Jan 10, 2022 at 6:15 PM H.J. Lu <hjl.tools@gmail.com> wrote:
> > > >
> > > > On Mon, Jan 10, 2022 at 1:36 PM Noah Goldstein via Libc-alpha
> > > > <libc-alpha@sourceware.org> wrote:
> > > > >
> > > > > Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
> > > > > __wcscmp_avx2. For x86_64 this covers the entire address range so any
> > > > > length larger could not possibly be used to bound `s1` or `s2`.
> > > > >
> > > > > test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
> > > > >
> > > > > Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
> > > > > ---
> > > > > sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
> > > > > 1 file changed, 10 insertions(+)
> > > > >
> > > > > diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > > index a45f9d2749..9c73b5899d 100644
> > > > > --- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > > +++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
> > > > > @@ -87,6 +87,16 @@ ENTRY (STRCMP)
> > > > > je L(char0)
> > > > > jb L(zero)
> > > > > # ifdef USE_AS_WCSCMP
> > > > > +# ifndef __ILP32__
> > > > > + movq %rdx, %rcx
> > > > > + /* Check if length could overflow when multiplied by
> > > > > + sizeof(wchar_t). Checking top 8 bits will cover all potential
> > > > > + overflow cases as well as redirect cases where its impossible to
> > > > > + length to bound a valid memory region. In these cases just use
> > > > > + 'wcscmp'. */
> > > > > + shrq $56, %rcx
> > > > > + jnz __wcscmp_avx2
> > > > > +# endif
> > > > > /* Convert units: from wide to byte char. */
> > > > > shl $2, %RDX_LP
> > > > > # endif
> > > > > --
> > > > > 2.25.1
> > > > >
> > > >
> > > > LGTM.
> > > >
> > > > Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
> > > >
> > > > Thanks.
> > > >
> > > > --
> > > > H.J.
> > >
> > > I am backporting this to 2.34 branch.
> > >
> >
> > I am backporting this to 2.33 branch.
> >
>
> I am backporting this to all affected release branches.
Should we also backport the stuff for [BZ #27974]?
It was essentially the same bug.
The two commits that fixed the issues where:
commit a775a7a3eb1e85b54af0b4ee5ff4dcf66772a1fb
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date: Wed Jun 23 01:56:29 2021 -0400
x86: Fix overflow bug in wcsnlen-sse4_1 and wcsnlen-avx2 [BZ #27974]
and
commit 645a158978f9520e74074e8c14047503be4db0f0
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date: Wed Jun 9 16:25:32 2021 -0400
x86: Fix overflow bug with wmemchr-sse2 and wmemchr-avx2 [BZ #27974]
The only thing is the avx2 fixes are based onsome other changes to the file.
>
> --
> H.J.
@@ -87,6 +87,16 @@ ENTRY (STRCMP)
je L(char0)
jb L(zero)
# ifdef USE_AS_WCSCMP
+# ifndef __ILP32__
+ movq %rdx, %rcx
+ /* Check if length could overflow when multiplied by
+ sizeof(wchar_t). Checking top 8 bits will cover all potential
+ overflow cases as well as redirect cases where its impossible to
+ length to bound a valid memory region. In these cases just use
+ 'wcscmp'. */
+ shrq $56, %rcx
+ jnz __wcscmp_avx2
+# endif
/* Convert units: from wide to byte char. */
shl $2, %RDX_LP
# endif