From patchwork Tue Feb 21 19:06:12 2023
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 65423
To: libc-alpha@sourceware.org, Szabolcs Nagy
Subject: [PATCH] string: Fix OOB read on generic strncmp
Date: Tue, 21 Feb 2023 16:06:12 -0300
Message-Id: <20230221190612.2034413-1-adhemerval.zanella@linaro.org>
X-Mailer: git-send-email 2.34.1
From: Adhemerval Zanella Netto Reply-To: Adhemerval Zanella Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" For unaligned case, reading ahead can only be done if parting reads matches the aligned input. Also extend the stratcliff tests to check such cases. Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu, and powerpc-linux-gnu by removing the arch-specific assembly implementation and disabling multi-arch (it covers both LE and BE for 64 and 32 bits). --- string/stratcliff.c | 17 +++++++++++++++++ string/strncmp.c | 13 ++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/string/stratcliff.c b/string/stratcliff.c index 74d64cc03d..864d856921 100644 --- a/string/stratcliff.c +++ b/string/stratcliff.c @@ -409,6 +409,23 @@ do_test (void) } } + for (outer = 1; outer < 32; ++outer) + for (middle = 0; middle < 16; ++middle) + { + MEMSET (adr + middle, L('T'), 256); + adr[256] = L('\0'); + MEMSET (dest + nchars - outer, L('T'), outer - 1); + dest[nchars - outer] = L('U'); + + if (STRNCMP (adr + middle, &dest[nchars - middle - 1], outer) > 0) + { + printf ("%s 1 flunked for outer = %zu, middle = %zu, " + "inner = %zu\n", + STRINGIFY (STRNCMP), outer, middle, inner); + result = 1; + } + } + /* strncpy/wcsncpy tests */ adr[nchars - 1] = L('T'); for (outer = nchars; outer >= max128; --outer) diff --git a/string/strncmp.c b/string/strncmp.c index 4c8bf36bb9..751bf53d55 100644 --- a/string/strncmp.c +++ b/string/strncmp.c @@ -73,7 +73,11 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs, uintptr_t sh_2 = sizeof(op_t) * CHAR_BIT - sh_1; op_t w2 = MERGE (w2a, sh_1, (op_t)-1, sh_2); - if (!has_zero (w2) && n > (sizeof (op_t) - ofs)) + + /* Reading ahead is wrong if w1 and w2 already differs. */ + op_t w1a = MERGE (w1, 0, (op_t)-1, sh_2); + + if (!has_zero (w2) && w2 == w1a && n >= (sizeof (op_t) - ofs)) { op_t w2b; 
@@ -90,6 +94,13 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs, if (has_zero (w2b) || n <= (sizeof (op_t) - ofs)) break; w1 = *x1++; + + /* Reading ahead is wrong if w1 and w2 already differs. */ + w2 = MERGE (w2b, sh_1, (op_t)-1, sh_2); + w1a = MERGE (w1, 0, (op_t)-1, sh_2); + if (w2 != w1a) + return final_cmp (w1a, w2, n); + w2a = w2b; }
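Review bot: in the string/stratcliff.c hunk, the failure printf passes inner and prints "inner = %zu", but the new loop only iterates outer and middle and never assigns inner, so a failure report would carry a value unrelated to this loop. Drop inner from the format string and the argument list. A short comment above the loop saying which strncmp case it targets (the unaligned read-ahead changed in string/strncmp.c), and why only a result > 0 counts as a failure, would make the test easier to maintain.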
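Review bot: in the first string/strncmp.c hunk (@@ -73,7 +73,11), the bound is relaxed from n > (sizeof (op_t) - ofs) to n >= (sizeof (op_t) - ofs), and neither the new comment nor the commit message says why. The loop exit shown as context in the following hunk still breaks on n <= (sizeof (op_t) - ofs), so the entry test and the exit test no longer mirror each other at n == sizeof (op_t) - ofs. Please either keep the strict comparison or state in the comment why entering the block at equality cannot trigger the read-ahead this patch is meant to prevent. Nit: "already differs" should read "already differ".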
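Review bot: in the second string/strncmp.c hunk (@@ -90,6 +94,13), the early return final_cmp (w1a, w2, n) needs a comment stating that n is the count still to be compared at this point, since the hunk does not show n being adjusted between the break test and the return. The comment above it is a verbatim copy of the one in the previous hunk, and the pair of MERGE calls that build w2 and w1a is duplicated as well; consider a small helper, or at least a comment specific to the in-loop case that says which bytes of w1 and w2b are being compared.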