From patchwork Wed Feb 22 16:31:59 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adhemerval Zanella
X-Patchwork-Id: 65459
To: libc-alpha@sourceware.org, Szabolcs Nagy
Subject: [PATCH v2] string: Fix OOB read on generic strncmp
Date: Wed, 22 Feb 2023 13:31:59 -0300
Message-Id: <20230222163159.3446687-1-adhemerval.zanella@linaro.org>
X-Mailer: git-send-email 2.34.1
List-Id: Libc-alpha mailing list
X-Patchwork-Original-From: Adhemerval Zanella via Libc-alpha
From: Adhemerval Zanella Reply-To: Adhemerval Zanella Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" For unaligned case, reading ahead can only be done if parting reads matches the aligned input. Also extend the stratcliff tests to check such cases. Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu, and powerpc-linux-gnu by removing the arch-specific assembly implementation and disabling multi-arch (it covers both LE and BE for 64 and 32 bits). Reviewed-by: Szabolcs Nagy --- string/stratcliff.c | 17 ++++++++++++++++- string/strncmp.c | 13 ++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/string/stratcliff.c b/string/stratcliff.c index 74d64cc03d..88ac787088 100644 --- a/string/stratcliff.c +++ b/string/stratcliff.c @@ -401,12 +401,27 @@ do_test (void) result = 1; } - if (STRNCMP (dest + nchars - outer, adr + middle, outer) <= 0) + /* Also check for size larger than the string. */ + if (STRNCMP (adr + middle, dest + nchars - outer, outer + 99) >= 0) { printf ("%s 2 flunked for outer = %zu, middle = %zu, full\n", + STRINGIFY (STRNCMP), outer + 99, middle); + result = 1; + } + + if (STRNCMP (dest + nchars - outer, adr + middle, outer) <= 0) + { + printf ("%s 3 flunked for outer = %zu, middle = %zu, full\n", STRINGIFY (STRNCMP), outer, middle); result = 1; } + + if (STRNCMP (dest + nchars - outer, adr + middle, outer + 99) <= 0) + { + printf ("%s 4 flunked for outer = %zu, middle = %zu, full\n", + STRINGIFY (STRNCMP), outer + 99, middle); + result = 1; + } } /* strncpy/wcsncpy tests */ diff --git a/string/strncmp.c b/string/strncmp.c index 4c8bf36bb9..751bf53d55 100644 --- a/string/strncmp.c +++ b/string/strncmp.c 
@@ -73,7 +73,11 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs, uintptr_t sh_2 = sizeof(op_t) * CHAR_BIT - sh_1; op_t w2 = MERGE (w2a, sh_1, (op_t)-1, sh_2); - if (!has_zero (w2) && n > (sizeof (op_t) - ofs)) + + /* Reading ahead is wrong if w1 and w2 already differs. */ + op_t w1a = MERGE (w1, 0, (op_t)-1, sh_2); + + if (!has_zero (w2) && w2 == w1a && n >= (sizeof (op_t) - ofs)) { op_t w2b; @@ -90,6 +94,13 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs, if (has_zero (w2b) || n <= (sizeof (op_t) - ofs)) break; w1 = *x1++; + + /* Reading ahead is wrong if w1 and w2 already differs. */ + w2 = MERGE (w2b, sh_1, (op_t)-1, sh_2); + w1a = MERGE (w1, 0, (op_t)-1, sh_2); + if (w2 != w1a) + return final_cmp (w1a, w2, n); + w2a = w2b; }
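Review bot: In the string/stratcliff.c hunk, the new "2" and "4" checks print `outer + 99` under the label "outer =", so a failure report shows a value that is not the loop variable. Print outer and the compare length separately, for example "outer = %zu, n = %zu, middle = %zu", and consider a one-line comment on check 4 like the one on check 2, since the 99 is otherwise unexplained there. Renumbering the existing check from 2 to 3 also changes the text of an existing failure message, which is worth a word in the log for anyone matching on old test output.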
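Review bot: In the first strncmp_unaligned_loop hunk, the guard's bound changes from `n > (sizeof (op_t) - ofs)` to `n >= (sizeof (op_t) - ofs)`, and the commit message explains only the new `w2 == w1a` condition, not this relaxation. Because this guard decides whether the read-ahead block is entered, please state in the comment or the log why n equal to sizeof (op_t) - ofs is safe to admit, given that the exit test inside the loop still reads `n <= (sizeof (op_t) - ofs)`, and add a stratcliff case that lands on that exact boundary. The added comment should read "already differ".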
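Review bot: In the second strncmp_unaligned_loop hunk, the added lines repeat the masking done before the loop (a MERGE with `(op_t)-1` and sh_2 for both w2 and w1a) together with a copy of the same comment. A small static inline helper that builds the masked pair would keep the two early-exit checks from drifting apart in later edits. The comment would be more useful if it said what is being compared: w2 here is rebuilt from w2b alone, so the test covers only the bytes already in hand, and `return final_cmp (w1a, w2, n)` relies on the masked part of both words being identical.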