From patchwork Wed Nov 27 08:34:55 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Liebler <stli@linux.ibm.com>
X-Patchwork-Id: 36294
Received: (qmail 1604 invoked by alias); 27 Nov 2019 08:35:05 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 1591 invoked by uid 89); 27 Nov 2019 08:35:05 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-23.4 required=5.0 tests=AWL, BAYES_00,
	GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3,
	RCVD_IN_DNSWL_LOW,
	SPF_PASS autolearn=ham version=3.3.1 spammy=Needle
X-HELO: mx0a-001b2d01.pphosted.com
To: GNU C Library <libc-alpha@sourceware.org>
From: Stefan Liebler <stli@linux.ibm.com>
Subject: [PATCH]: S390: Fix handling of needles crossing a page in strstr z15
	ifunc-variant. [BZ #25226]
Date: Wed, 27 Nov 2019 09:34:55 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
	Thunderbird/68.2.0
MIME-Version: 1.0
x-cbid: 19112708-4275-0000-0000-00000386F359
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 19112708-4276-0000-0000-0000389A80C8
Message-Id: <56bab444-9d67-c9a3-6117-c8a94d024075@linux.ibm.com>

Hi,

if the specified needle crosses a page-boundary, the s390-z15 ifunc 
variant of strstr truncates the needle which results in invalid results.

This is fixed by loading the needle beyond the page boundary to v18 
instead of v16. The bug is sometimes observable in test-strstr.c in 
check1() and check2() as the haystack and needle is stored on stack. 
Thus the needle can be on a page boundary.

check2 is now extended to test haystack / needles located on stack, at 
end of page and on two pages.

As soon as committed I'll backport it to glibc 2.30 release branch.

Bye
Stefan

commit 01bf86402c1bb4686c99b8752e5d2183ff365df6
Author: Stefan Liebler <stli@linux.ibm.com>
Date:   Wed Nov 27 09:00:01 2019 +0100

    S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. [BZ #25226]
    
    If the specified needle crosses a page-boundary, the s390-z15 ifunc variant of
    strstr truncates the needle which results in invalid results.
    
    This is fixed by loading the needle beyond the page boundary to v18 instead of v16.
    The bug is sometimes observable in test-strstr.c in check1() and check2() as the
    haystack and needle is stored on stack. Thus the needle can be on a page boundary.
    
    check2 is now extended to test haystack / needles located on stack, at end of page
    and on two pages.

diff --git a/string/test-strstr.c b/string/test-strstr.c
index 37fcb68cdf..049f0e10e8 100644
--- a/string/test-strstr.c
+++ b/string/test-strstr.c
@@ -139,16 +139,45 @@ check1 (void)
 static void
 check2 (void)
 {
-  const char s1[] = ", enable_static, \0, enable_shared, ";
+  const char s1_stack[] = ", enable_static, \0, enable_shared, ";
+  const size_t s1_byte_count = 18;
+  const char *s2_stack = &(s1_stack[s1_byte_count]);
+  const size_t s2_byte_count = 18;
   char *exp_result;
-  char *s2 = (void *) buf1 + page_size - 18;
+  const size_t page_size_real = getpagesize ();
 
-  strcpy (s2, s1);
-  exp_result = stupid_strstr (s1, s1 + 18);
+  /* Haystack at end of page.  The following page is protected.  */
+  char *s1_page_end = (void *) buf1 + page_size - s1_byte_count;
+  strcpy (s1_page_end, s1_stack);
+
+  /* Haystack which crosses a page boundary.
+     Note: page_size is at least 2 * getpagesize.  See test_init.  */
+  char *s1_page_cross = (void *) buf1 + page_size_real - 8;
+  strcpy (s1_page_cross, s1_stack);
+
+  /* Needle at end of page.  The following page is protected.  */
+  char *s2_page_end = (void *) buf2 + page_size - s2_byte_count;
+  strcpy (s2_page_end, s2_stack);
+
+  /* Needle which crosses a page boundary.
+     Note: page_size is at least 2 * getpagesize.  See test_init.  */
+  char *s2_page_cross = (void *) buf2 + page_size_real - 8;
+  strcpy (s2_page_cross, s2_stack);
+
+  exp_result = stupid_strstr (s1_stack, s2_stack);
   FOR_EACH_IMPL (impl, 0)
     {
-      check_result (impl, s1, s1 + 18, exp_result);
-      check_result (impl, s2, s1 + 18, exp_result);
+      check_result (impl, s1_stack, s2_stack, exp_result);
+      check_result (impl, s1_stack, s2_page_end, exp_result);
+      check_result (impl, s1_stack, s2_page_cross, exp_result);
+
+      check_result (impl, s1_page_end, s2_stack, exp_result);
+      check_result (impl, s1_page_end, s2_page_end, exp_result);
+      check_result (impl, s1_page_end, s2_page_cross, exp_result);
+
+      check_result (impl, s1_page_cross, s2_stack, exp_result);
+      check_result (impl, s1_page_cross, s2_page_end, exp_result);
+      check_result (impl, s1_page_cross, s2_page_cross, exp_result);
     }
 }
 
diff --git a/sysdeps/s390/strstr-arch13.S b/sysdeps/s390/strstr-arch13.S
index 92cafd3850..aefdb499e4 100644
--- a/sysdeps/s390/strstr-arch13.S
+++ b/sysdeps/s390/strstr-arch13.S
@@ -164,7 +164,7 @@ ENTRY(STRSTR_ARCH13)
 	vfenezb	%v19,%v18,%v18	/* Search zero in loaded needle bytes.  */
 	veclb	%v19,%v21	/* Zero index <= max loaded byte index?  */
 	jle	.Lneedle_loaded	/* -> v18 contains full needle.  */
-	vl	%v16,0(%r3)	/* Load needle beyond page boundary.  */
+	vl	%v18,0(%r3)	/* Load needle beyond page boundary.  */
 	vfenezb	%v19,%v18,%v18
 	j	.Lneedle_loaded
 END(STRSTR_ARCH13)