From patchwork Tue Jan 31 23:46:56 2023
X-Patchwork-Submitter: Noah Goldstein
X-Patchwork-Id: 64057
To: libc-alpha@sourceware.org
Cc: goldstein.w.n@gmail.com, hjl.tools@gmail.com, carlos@systemhalted.org
Subject: [PATCH v2] x86: Fix strncat-avx2.S reading past length [BZ #30065]
Date: Tue, 31 Jan 2023 17:46:56 -0600
Message-Id: <20230131234656.2175991-1-goldstein.w.n@gmail.com>
In-Reply-To: <20230131213655.4033602-1-goldstein.w.n@gmail.com>
References: <20230131213655.4033602-1-goldstein.w.n@gmail.com>
List-Id: Libc-alpha mailing list
From: Noah Goldstein

Occurs when `src` has no null-term. Two cases:

1) Zero-length check is doing:
```
test %rdx, %rdx
jl L(zero_len)
```
which doesn't actually check zero (was at some point `decq` and the flag never got updated). The fix is just to make the flag `jle`, i.e.:
```
test %rdx, %rdx
jle L(zero_len)
```

2) Length check in page-cross case checking if we should continue is doing:
```
cmpq %r8, %rdx
jb L(page_cross_small)
```
which means we will continue searching for null-term if length ends at the end of a page and there was no null-term in `src`. The fix is to make the flag:
```
cmpq %r8, %rdx
jbe L(page_cross_small)
```

--- string/test-strncat.c | 25 ++++++++++++++++++++++++- sysdeps/x86_64/multiarch/strncat-avx2.S | 4 ++-- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/string/test-strncat.c b/string/test-strncat.c index e03d329e1c..c0cde206ee 100644 --- a/string/test-strncat.c +++ b/string/test-strncat.c @@ -28,6 +28,7 @@ # define CHAR char # define UCHAR unsigned char # define SIMPLE_STRNCAT simple_strncat +# define STRNLEN strnlen # define STRLEN strlen # define MEMSET memset # define MEMCPY memcpy @@ -40,6 +41,7 @@ # define CHAR wchar_t # define UCHAR wchar_t # define SIMPLE_STRNCAT simple_wcsncat +# define STRNLEN wcsnlen # define STRLEN wcslen # define MEMSET wmemset # define MEMCPY wmemcpy @@ -78,7 +80,7 @@ do_one_test (impl_t *impl, CHAR *dst, const CHAR *src, size_t n) return; } - size_t len = STRLEN (src); + size_t len = STRNLEN (src, n); if (MEMCMP (dst + k, src, len + 1 > n ? n : len + 1) != 0) { error (0, 0, "Incorrect concatenation in function %s", 
@@ -95,6 +97,26 @@ do_one_test (impl_t *impl, CHAR *dst, const CHAR *src, size_t n) } } +static void +do_test_src_no_nullterm_bz30065 (void) +{ + /* NB: "src does not need to be null-terminated if it contains n or more + * bytes." */ + CHAR *s1, *s2; + size_t bound = page_size / sizeof (CHAR); + s1 = (CHAR *) (buf1 + BUF1PAGES * page_size); + s2 = (CHAR *) buf2; + MEMSET (s1 - bound, -1, bound); + for (size_t n = 0; n < bound; ++n) + { + FOR_EACH_IMPL (impl, 0) + { + s2[0] = '\0'; + do_one_test (impl, s2, s1 - n, n); + } + } +} + static void do_test (size_t align1, size_t align2, size_t len1, size_t len2, size_t n, int max_char) @@ -372,6 +394,7 @@ test_main (void) do_random_tests (); do_overflow_tests (); + do_test_src_no_nullterm_bz30065 (); return ret; } diff --git a/sysdeps/x86_64/multiarch/strncat-avx2.S b/sysdeps/x86_64/multiarch/strncat-avx2.S index b380e8e11c..c2ff202238 100644 --- a/sysdeps/x86_64/multiarch/strncat-avx2.S +++ b/sysdeps/x86_64/multiarch/strncat-avx2.S @@ -66,7 +66,7 @@ ENTRY(STRNCAT) salq $2, %rdx # else test %rdx, %rdx - jl L(zero_len) + jle L(zero_len) # endif vpxor %VZERO_128, %VZERO_128, %VZERO_128 @@ -387,7 +387,7 @@ L(page_cross): subl %esi, %r8d andl $(VEC_SIZE - 1), %r8d cmpq %r8, %rdx - jb L(page_cross_small) + jbe L(page_cross_small) /* Optimizing more aggressively for space as this is very cold code. This saves 2x cache lines. */
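Review bot: in the do_one_test hunk of string/test-strncat.c (`size_t len = STRNLEN (src, n);`), the comparison length `len + 1 > n ? n : len + 1` collapses to `n` when src has no terminator within n, so only the copied bytes are compared and the terminator strncat must write at `dst[k + n]` is not checked by this line; unless a check further down already covers it, add `if (len == n && dst[k + n] != '\0')` reporting an error, so an implementation that copies n bytes but fails to terminate is caught.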
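Review bot: in the new do_test_src_no_nullterm_bz30065 hunk, the comment `/* NB: "src does not need ... * bytes." */` uses a leading `*` on its continuation line, which is not glibc comment style; drop the `*`. The same comment should also state what the test relies on: `s1` is placed at the very end of buf1 so that `s1 - n` with length `n` ends exactly at the page boundary, and the test only detects an over-read if the page after buf1 is inaccessible (otherwise the bad read succeeds silently and the comparison still passes).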
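Review bot: in the `@@ -66,7 +66,7 @@ ENTRY(STRNCAT)` hunk, `test %rdx, %rdx` followed by `jle` is a signed test, so besides n == 0 any n with the top bit set also branches to L(zero_len), as it already did with `jl`; a one-line comment at the branch saying that this is intended would help, since the commit message only mentions the zero case.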
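Review bot: in the `@@ -387,7 +387,7 @@ L(page_cross):` hunk, the reason for `jbe` (the remaining length is exactly the distance to the boundary, so no byte beyond it may be read) is stated only in the commit message; the comment that follows the branch talks about code size, not correctness. Suggest a comment on the `cmpq %r8, %rdx` / `jbe L(page_cross_small)` pair, e.g. `/* Length ends exactly at the boundary: must not read further.  */`, so a later reader does not "optimize" it back to `jb`.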
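The over-read described in the commit message can be reproduced outside the glibc test suite with a guard page. The following is an added example, not code from the patch or from glibc: it maps one readable page followed by a PROT_NONE page, fills the readable page with non-zero bytes (no terminator anywhere), and calls strncat with `src + n` exactly on the boundary, covering both the n == 0 case and the page-end case; the function name and the MAX_N limit are this example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Largest n this harness supports; dst is a fixed buffer (assumption).  */
#define MAX_N 4096

/* Returns 1 if strncat copied exactly n bytes and terminated dst, 0 if the
   result is wrong, -1 if the harness could not be set up.  A strncat that
   keeps scanning for a terminator past n faults on the guard page instead.  */
static int
strncat_stops_at_n (size_t n)
{
  long page = sysconf (_SC_PAGESIZE);
  if (page <= 0 || n > MAX_N || n > (size_t) page)
    return -1;
  /* Two anonymous pages: the first readable, the second made PROT_NONE.  */
  unsigned char *map = mmap (NULL, 2 * page, PROT_READ | PROT_WRITE,
                             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (map == MAP_FAILED)
    return -1;
  if (mprotect (map + page, page, PROT_NONE) != 0)
    {
      munmap (map, 2 * page);
      return -1;
    }
  /* Constructed input: the readable page holds no '\0' at all.  */
  memset (map, 'A', page);
  /* src + n lands exactly on the guard page.  With n == 0, src itself
     points at the guard page and must never be dereferenced.  */
  const char *src = (const char *) (map + page - n);
  static char dst[MAX_N + 1];
  dst[0] = '\0';
  strncat (dst, src, n);
  int ok = strlen (dst) == n && memcmp (dst, src, n) == 0;
  munmap (map, 2 * page);
  return ok;
}

int
main (void)
{
  size_t ns[] = { 0, 1, 31, 32, 33, 4096 };
  for (size_t i = 0; i < sizeof ns / sizeof ns[0]; i++)
    printf ("n=%zu: %s\n", ns[i],
            strncat_stops_at_n (ns[i]) == 1 ? "ok" : "FAIL");
  return 0;
}
```

On a libc with the bug, the n == 0 and page-end cases terminate the process with SIGSEGV rather than returning, which is exactly what the patch's new test relies on.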