diff options
author | Noah Goldstein <goldstein.w.n@gmail.com> | 2022-02-15 20:27:21 -0600 |
---|---|---|
committer | Noah Goldstein <goldstein.w.n@gmail.com> | 2022-02-16 02:11:16 -0600 |
commit | e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf (patch) | |
tree | aa7b3178016dfb0f5a270d900385d889016be1ee /string | |
parent | 0281c7a7ec8f3f46d8e6f5f3d7fca548946dbfce (diff) | |
download | glibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.zip glibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.tar.gz glibc-e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf.tar.bz2 |
x86: Fix bug in strncmp-evex and strncmp-avx2 [BZ #28895]
Logic can read before the start of `s1` / `s2` if both `s1` and `s2`
are near the start of a page. To avoid having the result contimated by
these comparisons the `strcmp` variants would mask off these
comparisons. This was missing in the `strncmp` variants causing
the bug. This commit adds the masking to `strncmp` so that out of
range comparisons don't affect the result.
test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass as
well a full xcheck on x86_64 linux.
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Diffstat (limited to 'string')
-rw-r--r-- | string/test-strncmp.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/string/test-strncmp.c b/string/test-strncmp.c index 831cb77..df7cea4 100644 --- a/string/test-strncmp.c +++ b/string/test-strncmp.c @@ -424,6 +424,28 @@ check3 (void) } static void +check4 (void) +{ + /* To trigger bug 28895; We need 1) both s1 and s2 to be within 32 bytes of + the end of the page. 2) For there to be no mismatch/null byte before the + first page cross. 3) For length (`n`) to be large enough for one string to + cross the page. And 4) for there to be either mismatch/null bytes before + the start of the strings. */ + + size_t size = 10; + size_t addr_mask = (getpagesize () - 1) ^ (sizeof (CHAR) - 1); + CHAR *s1 = (CHAR *)(buf1 + (addr_mask & 0xffa)); + CHAR *s2 = (CHAR *)(buf2 + (addr_mask & 0xfed)); + int exp_result; + + STRCPY (s1, L ("tst-tlsmod%")); + STRCPY (s2, L ("tst-tls-manydynamic73mod")); + exp_result = SIMPLE_STRNCMP (s1, s2, size); + FOR_EACH_IMPL (impl, 0) + check_result (impl, s1, s2, size, exp_result); +} + +static void check_overflow (void) { size_t i, j, of_mask, of_idx; @@ -546,6 +568,7 @@ test_main (void) check1 (); check2 (); check3 (); + check4 (); printf ("%23s", ""); FOR_EACH_IMPL (impl, 0) |