[Bug libc/17279] New: strncat(..., ..., SIZE_MAX) behaves incorrectly

[Bug libc/17279] New: strncat(..., ..., SIZE_MAX) behaves incorrectly

[roche at httrack dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

            Bug ID: 17279
           Summary: strncat(..., ..., SIZE_MAX) behaves incorrectly
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: roche at httrack dot com
                CC: drepper.fsp at gmail dot com

Created attachment 7749
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7749&action=edit
Test case

Using SIZE_MAX as third argument to strncat() should behave as if strcat() was
used.

According to POSIX
(http://pubs.opengroup.org/onlinepubs/009695399/functions/strncat.html),

"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1."

The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination do not overlap
(overlapping depends on the source and destination layout, not on the "n"
value)

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value.

The culprit might be in the sysdeps/x86_64/multiarch/strcat-sse2-unaligned.S
source file (see
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strcat-sse2-unaligned.S;h=dc782f2c2370915f74673ff8184e5f2eaf2795db;hb=HEAD)

See also the comp.unix.programmer related discussion, with a possible location
of the bug in the assembly source:
https://groups.google.com/forum/#!topic/comp.unix.programmer/qKMC4A_itLs

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |string

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[ucelsanicin at yahoo dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Ucel Sani <ucelsanicin at yahoo dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ucelsanicin at yahoo dot com

--- Comment #2 from Ucel Sani <ucelsanicin at yahoo dot com> ---
https://komiya-dental.com/
http://steemfilter.space/
http://michielleunens.tech/
http://sleepypoetstuff.website/
http://biciclubvalencia.website/
http://reputation-management.site/
http://pitesti.online/
http://tobuweb.space/
http://ancientmariners.online/
http://betwsycoednet.online
http://kuzin.website
http://kundaliniyoga.tech
http://localpay.tech
http://my-iframe.online
http://getimov.xyz/
http://ooviv.xyz/
http://mirei.xyz
http://toblek.xyz/
http://sevenwonders.store
http://peralga.xyz/
https://texastourgear.live
http://freixenet.site/influencerprogramme/
http://timvanorden.store/
http://rhee.tech/
http://f3group.online/
https://www.hlungomare.store/
https://www.lungomarebikehotel.store
http://www.lvmaimai.xyz/
https://sozdanie.site/
http://agens128.site/
http://troubadourtunes.online/
http://ruirui.store/
http://www.foamhands.store/
http://www.i-obchody.info/
http://naughtyrobot.digital/
https://www.webb-dev.co.uk/
https://waytowhatsnext.com/
https://www.bilanmagazine.com/
https://www.web-mediaplacing.com/
https://fitnessblog.fr/
https://cbd-huile-blog.fr/
https://www.laptopkerja.com/
https://www.espresso-international.eu/
https://www.espresso-international.be
https://www.espresso-international.gr
https://besthotels.wiki
https://www.cherada.net/opus/verified-gmail-accounts
https://www.cherada.net/opus/10000-visitas-a-tu-video-en-youtube
https://www.cherada.net/opus/100-backlinks-en-comentarios-de-blog-a-la-medida
https://redwinecasino.com/
https://sharkcasinogames.com/
https://redbettips.com/
https://windows11iso.com/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[mehmetgelisin at aol dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Mehmet gelisin <mehmetgelisin at aol dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mehmetgelisin at aol dot com

--- Comment #3 from Mehmet gelisin <mehmetgelisin at aol dot com> ---
In collect_register() function of arc-linux-tdep.c, the "eret"
(exception return) register value is not being reported correctly.

Background: https://komiya-dental.com/ 
When asked for the "pc" value, we have to update the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so:

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch))
    regnum = ARC_ERET_REGNUM;
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------

Root cause: http://www.iu-bloomington.com/
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore.

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses after the breakpoint and not executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1]. https://www.webb-dev.co.uk/ 

In collect_register() function of arc-linux-tdep.c, the "eret"
(exception return) register value is not being reported correctly.

Background: https://waytowhatsnext.com/  
When asked for the "pc" value, we have to update the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so:

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch))
    regnum = ARC_ERET_REGNUM; http://www.acpirateradio.co.uk/ 
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------

Root cause:
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore. http://www.logoarts.co.uk/ 

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses after the breakpoint and not executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1].
In collect_register() function of arc-linux-tdep.c, the "eret"
http://www.slipstone.co.uk/ 
(exception return) register value is not being reported correctly.

Background:
When asked for the "pc" value, http://embermanchester.uk/  we have to update
the "eret" register
with GDB's STOP_PC.  The "eret" instructs the kernel code where to
jump back when an instruction has stopped due to a breakpoint.  This
is how collect_register() is doing so: http://connstr.net/ 

--------------8<--------------
  if (regnum == gdbarch_pc_regnum (gdbarch)) http://joerg.li/
    regnum = ARC_ERET_REGNUM;
  regcache->raw_collect (regnum, buf + arc_linux_core_reg_offsets[regnum]);
-------------->8--------------
http://www.jopspeech.com/
Root cause:
Although this is using the correct offset (ERET register's), it is also
changing the REGNUM itself.  Therefore, raw_collect (regnum, ...) is
not reading from "pc" anymore. http://www.wearelondonmade.com/

Consequence:
This bug affects the "native ARC gdb" badly and causes kernel code to jump
to addresses http://www.compilatori.com/  after the breakpoint and not
executing the "breakpoint"ed
instructions at all.  That "native ARC gdb" feature is not upstream yet and
is in review at the time of writing [1]. http://www-look-4.com/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[mark at klomp dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[mervegunesli at aol dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Merve Gunesli <mervegunesli at aol dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mervegunesli at aol dot com

--- Comment #4 from Merve Gunesli <mervegunesli at aol dot com> ---
http://www.acpirateradio.co.uk/category/computers/
http://www.logoarts.co.uk/category/travel/
http://embermanchester.uk/category/travel/
http://connstr.net/computers/latest-car-deals/
http://www.jopspeech.com/category/travel/
http://www.wearelondonmade.com/category/property/
http://www.compilatori.com/travel/london/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[gulsenenginar at aol dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

Gulsen Engin <gulsenenginar at aol dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gulsenenginar at aol dot com

--- Comment #5 from Gulsen Engin <gulsenenginar at aol dot com> ---
"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1." http://www-look-4.com/category/technology/

The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), https://komiya-dental.com/health/healthy-foods/ and both
source and destination do not overlap (overlapping depends on the source and
destination layout, not on the "n" value)
http://www.iu-bloomington.com/computers/invisible-with-vpn/

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value. https://waytowhatsnext.com/sports/navona/
"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1."
https://www.webb-dev.co.uk/sports/sports-and-health/
The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination
http://www.wearelondonmade.com/category/tech/ do not overlap (overlapping
depends on the source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value.
http://www.jopspeech.com/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1."
http://joerg.li/category/technology/
The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination do not
http://connstr.net/category/technology/ overlap (overlapping depends on the
source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value.
http://embermanchester.uk/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1."
 http://www.slipstone.co.uk/category/technology/
The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination do not overlap
http://www.logoarts.co.uk/category/technology/ (overlapping depends on the
source and destination layout, not on the "n" value)

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value.
http://www.acpirateradio.co.uk/category/technology/
"The strncat() function shall append not more than n bytes (a null byte and
bytes that follow it are not appended) from the array pointed to by s2 to the
end of the string pointed to by s1."
http://www.compilatori.com/category/technology/

The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination do not overlap
(overlapping depends on the source and destination layout, not on the "n"
value) 

However, it seems that the optimized strncat version of the GLIBC behaves
incorrectly, when using this value.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug string/17279] strncat(..., ..., SIZE_MAX) behaves incorrectly

[richardsjenkins70 at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17279

--- Comment #6 from Joey Kim <richardsjenkins70 at gmail dot com> ---
The wording imply that the third "n" argument is an additional boundary limit,
not the destination buffer capacity (ie. the destination buffer is not
implicitly SIZE_MAX), and both source and destination do not overlap
(overlapping depends on the source and destination layout, not on the "n"
value) https://www.worcesterroofingandsiding.com

-- 
You are receiving this mail because:
You are on the CC list for the bug.