aboutsummaryrefslogtreecommitdiff
path: root/string
diff options
context:
space:
mode:
authorNoah Goldstein <goldstein.w.n@gmail.com>2022-02-15 20:27:21 -0600
committerNoah Goldstein <goldstein.w.n@gmail.com>2022-02-16 02:11:16 -0600
commite108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf (patch)
treeaa7b3178016dfb0f5a270d900385d889016be1ee /string
parent0281c7a7ec8f3f46d8e6f5f3d7fca548946dbfce (diff)
downloadglibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.zip
glibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.tar.gz
glibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.tar.bz2
x86: Fix bug in strncmp-evex and strncmp-avx2 [BZ #28895]
Logic can read before the start of `s1` / `s2` if both `s1` and `s2` are near the start of a page. To avoid having the result contimated by these comparisons the `strcmp` variants would mask off these comparisons. This was missing in the `strncmp` variants causing the bug. This commit adds the masking to `strncmp` so that out of range comparisons don't affect the result. test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass as well a full xcheck on x86_64 linux. Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Diffstat (limited to 'string')
-rw-r--r--string/test-strncmp.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/string/test-strncmp.c b/string/test-strncmp.c
index 831cb77..df7cea4 100644
--- a/string/test-strncmp.c
+++ b/string/test-strncmp.c
@@ -424,6 +424,28 @@ check3 (void)
}
static void
+check4 (void)
+{
+ /* To trigger bug 28895; We need 1) both s1 and s2 to be within 32 bytes of
+ the end of the page. 2) For there to be no mismatch/null byte before the
+ first page cross. 3) For length (`n`) to be large enough for one string to
+ cross the page. And 4) for there to be either mismatch/null bytes before
+ the start of the strings. */
+
+ size_t size = 10;
+ size_t addr_mask = (getpagesize () - 1) ^ (sizeof (CHAR) - 1);
+ CHAR *s1 = (CHAR *)(buf1 + (addr_mask & 0xffa));
+ CHAR *s2 = (CHAR *)(buf2 + (addr_mask & 0xfed));
+ int exp_result;
+
+ STRCPY (s1, L ("tst-tlsmod%"));
+ STRCPY (s2, L ("tst-tls-manydynamic73mod"));
+ exp_result = SIMPLE_STRNCMP (s1, s2, size);
+ FOR_EACH_IMPL (impl, 0)
+ check_result (impl, s1, s2, size, exp_result);
+}
+
+static void
check_overflow (void)
{
size_t i, j, of_mask, of_idx;
@@ -546,6 +568,7 @@ test_main (void)
check1 ();
check2 ();
check3 ();
+ check4 ();
printf ("%23s", "");
FOR_EACH_IMPL (impl, 0)