From e108c02a5e23c8c88ce66d8705d4a24bb6b9a8bf Mon Sep 17 00:00:00 2001 From: Noah Goldstein Date: Tue, 15 Feb 2022 20:27:21 -0600 Subject: x86: Fix bug in strncmp-evex and strncmp-avx2 [BZ #28895] Logic can read before the start of `s1` / `s2` if both `s1` and `s2` are near the start of a page. To avoid having the result contimated by these comparisons the `strcmp` variants would mask off these comparisons. This was missing in the `strncmp` variants causing the bug. This commit adds the masking to `strncmp` so that out of range comparisons don't affect the result. test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass as well a full xcheck on x86_64 linux. Reviewed-by: H.J. Lu --- string/test-strncmp.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'string') diff --git a/string/test-strncmp.c b/string/test-strncmp.c index 831cb77893..df7cea4068 100644 --- a/string/test-strncmp.c +++ b/string/test-strncmp.c @@ -423,6 +423,28 @@ check3 (void) } } +static void +check4 (void) +{ + /* To trigger bug 28895; We need 1) both s1 and s2 to be within 32 bytes of + the end of the page. 2) For there to be no mismatch/null byte before the + first page cross. 3) For length (`n`) to be large enough for one string to + cross the page. And 4) for there to be either mismatch/null bytes before + the start of the strings. */ + + size_t size = 10; + size_t addr_mask = (getpagesize () - 1) ^ (sizeof (CHAR) - 1); + CHAR *s1 = (CHAR *)(buf1 + (addr_mask & 0xffa)); + CHAR *s2 = (CHAR *)(buf2 + (addr_mask & 0xfed)); + int exp_result; + + STRCPY (s1, L ("tst-tlsmod%")); + STRCPY (s2, L ("tst-tls-manydynamic73mod")); + exp_result = SIMPLE_STRNCMP (s1, s2, size); + FOR_EACH_IMPL (impl, 0) + check_result (impl, s1, s2, size, exp_result); +} + static void check_overflow (void) { @@ -546,6 +568,7 @@ test_main (void) check1 (); check2 (); check3 (); + check4 (); printf ("%23s", ""); FOR_EACH_IMPL (impl, 0) -- cgit 1.4.1