public inbox for glibc-bugs@sourceware.org
* [Bug string/27960] New: Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-07 17:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27960

            Bug ID: 27960
           Summary: Memset-vec-unaligned-erms.S has a potential overflow
                    bug.
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: goldstein.w.n at gmail dot com
  Target Milestone: ---

In Commit:

author  Noah Goldstein <goldstein.w.n@gmail.com>        
Thu, 20 May 2021 17:13:51 +0000 (13:13 -0400)
commit  6abf27980a947f9b6e514d6b33b83059d39566ae

The loop bound calculation was changed to essentially the following
pseudocode:

/* dst is a char * here; standard C does not allow arithmetic on void * */
char *end = dst + length;
while (dst < end) {
   /* Copy bytes */
}

This can potentially be an issue, as if dst + length overflows, end will be less
than dst and the loop will exit on the first iteration.

So for example, under certain conditions memset(ptr, c, SIZE_MAX) would not
throw a Segmentation Fault.

An example can be found here: https://godbolt.org/z/K1hE5cKvf

Some things worth noting:

1) This bug is also present in nearly all wcsmbs string/memory function
implementations on x86_64 because they almost always execute `salq $2, %rdx` to
adjust length, which would cause overflow if the input is above
2 ^ (sizeof(size_t) - 2).

2) This bug only affects CPUs without ERMS as any value that will cause
overflow is also surely greater than __x86_rep_stosb_threshold.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
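Added example, not part of this bug report or of glibc's code. It models the
end = dst + length computation from the report with integer addresses, so the
wrap that makes end < dst can be observed without forming an out-of-range
pointer (itself undefined behaviour), and it shows a wrapper that refuses such
a length before it reaches memset/wmemset, covering both the plain byte case
and the scaled wide-character case from point 1. The names end_pointer_wraps,
checked_memset, checked_wmemset, first_overflowing_wchar_count and the scratch
buffers are this example's own; __builtin_add_overflow and
__builtin_mul_overflow are GCC/Clang builtins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Added example, not glibc code. The loop shape in the report computes
   end = dst + length and stops when dst < end is false; if the addition
   wraps, end < dst from the start and nothing is written. Modelling the
   addresses as uintptr_t lets the wrap be tested without forming an
   out-of-range pointer. */
bool end_pointer_wraps(uintptr_t dst, size_t length)
{
    uintptr_t end;
    /* __builtin_add_overflow (GCC/Clang) reports the carry out of the add. */
    return __builtin_add_overflow(dst, length, &end);
}

/* Smallest element count whose scaling by sizeof(wchar_t) (the report's
   `salq $2` on x86_64, where wchar_t is 4 bytes) no longer fits in size_t. */
size_t first_overflowing_wchar_count(void)
{
    return SIZE_MAX / sizeof(wchar_t) + 1;
}

/* Wrapper that refuses a fill whose end address would wrap instead of
   handing an undefined-behaviour length to memset. It does not know the
   real buffer size; that remains the caller's responsibility. */
int checked_memset(void *dst, int c, size_t nbytes)
{
    if (end_pointer_wraps((uintptr_t)dst, nbytes))
        return -1;
    memset(dst, c, nbytes);
    return 0;
}

/* Wide-character variant: the element count is converted to bytes first,
   and that multiplication can overflow before the address addition does. */
int checked_wmemset(wchar_t *dst, wchar_t wc, size_t nelems)
{
    size_t nbytes;
    if (__builtin_mul_overflow(nelems, sizeof(wchar_t), &nbytes)
        || end_pointer_wraps((uintptr_t)dst, nbytes))
        return -1;
    wmemset(dst, wc, nelems);
    return 0;
}

/* Scratch storage (constructed for the example) so the rejection path is
   exercised on a real, non-null address. */
static char scratch[32];
static wchar_t wscratch[8];

/* Fills both scratch buffers through the checked wrappers and verifies the
   contents; returns 1 when the checks let a valid length through. */
int demo_small_fill(void)
{
    if (checked_memset(scratch, 'A', sizeof scratch) != 0)
        return 0;
    for (size_t i = 0; i < sizeof scratch; i++)
        if (scratch[i] != 'A')
            return 0;
    if (checked_wmemset(wscratch, L'x', 8) != 0)
        return 0;
    return wscratch[7] == L'x';
}

/* Asks for the wrapping lengths from the report; returns 1 if both were
   refused before any memory was touched. */
int demo_huge_fill_refused(void)
{
    return checked_memset(scratch, 'A', SIZE_MAX) == -1
        && checked_wmemset(wscratch, L'x', first_overflowing_wchar_count()) == -1;
}

int main(void)
{
    printf("small fill ok: %d\n", demo_small_fill());
    printf("SIZE_MAX fill refused: %d\n", demo_huge_fill_refused());
    printf("0x1000 + 16 wraps: %d\n", end_pointer_wraps(0x1000, 16));
    printf("0x1000 + SIZE_MAX wraps: %d\n", end_pointer_wraps(0x1000, SIZE_MAX));
    return 0;
}
```

The check only rejects lengths whose end address cannot exist; it says nothing
about whether the destination buffer is actually that large, which is why such
lengths are treated as a caller bug rather than something the fill routine can
recover from.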


* [Bug string/27960] Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-07 17:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27960

Noah Goldstein <goldstein.w.n at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |x86_64
                 CC|                            |goldstein.w.n at gmail dot com


* [Bug string/27960] Memset-vec-unaligned-erms.S has a potential overflow bug.
From: goldstein.w.n at gmail dot com @ 2021-06-09 22:08 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27960

Noah Goldstein <goldstein.w.n at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |NOTABUG

--- Comment #1 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
This is not a bug. Passing a length that would cause overflow is undefined
behavior.

https://marc.info/?l=glibc-alpha&m=162308797213313&w=2

