public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat.
@ 2021-06-09 22:25 goldstein.w.n at gmail dot com
2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: goldstein.w.n at gmail dot com @ 2021-06-09 22:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
Bug ID: 27974
Summary: Overflow bug in some implementation of of wcsnlen,
wmemchr, and wcsncat.
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: goldstein.w.n at gmail dot com
Target Milestone: ---
The bug is that some implementations assume that maxlen or n from wcsnlen and
wmemchr/wcsncat times sizeof(wchar_t) will not overflow.
It appears, however that there is no defined limit on maxlen * sizeof(wchar_t)
https://marc.info/?l=glibc-alpha&m=162323134028410&w=2
This bug would found in the following x86_64 implementations of wcsnlen and
wmemchr.
wcsnlen-sse4_1 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/strlen.S;h=d223ea1700a7d0cb0dcf9c8f251f09d5b9eea91e;hb=HEAD#l68
wcsnlen-avx2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strlen-avx2.S;h=bd2e6ee44a8ae113dfdb0de8bc6fc1b405d7ef28;hb=HEAD#l57
wmemchr-sse2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/memchr.S;h=beff2708de6a1e40de4141f94ff6fe763f041164;hb=HEAD#l39
wmemchr-avx2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/memchr-avx2.S;h=0d8758e3e7190fbe54243312b7ecc2952e85465a;hb=HEAD#l66
This bug will also be present in wcsncat which uses wcsnlen:
https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/wcsncat.c;h=27de72af6c7733fe0e27661874b64d57659b5ed9;hb=HEAD#l34
For example with a string of length 1000 the following cases would highlight
the bug:
wmemchr(string_length_1000, 0, (2^62) + 1) // would return NULL rather than s +
1000
wcsnlen(string_length_1000, (2^62) + 1) // would return 1 rather than 1000
wcsncat(s2, string_length_1000, (2^62) + 1) // would only copy 1 wide char
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat.
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
@ 2021-06-09 22:25 ` goldstein.w.n at gmail dot com
2021-06-23 18:29 ` goldstein.w.n at gmail dot com
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: goldstein.w.n at gmail dot com @ 2021-06-09 22:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
Noah Goldstein <goldstein.w.n at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target| |x86_64
CC| |goldstein.w.n at gmail dot com
Host| |Linux
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat.
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
@ 2021-06-23 18:29 ` goldstein.w.n at gmail dot com
2022-01-27 21:11 ` [Bug string/27974] Overflow bug in some implementation " hjl.tools at gmail dot com
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: goldstein.w.n at gmail dot com @ 2021-06-23 18:29 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
Noah Goldstein <goldstein.w.n at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|UNCONFIRMED |RESOLVED
--- Comment #1 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
Fixed in commits:
String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974]
da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d
x86: Fix overflow bug with wmemchr-sse2 and wmemchr-avx2 [BZ #27974]
645a158978f9520e74074e8c14047503be4db0f0
x86: Fix overflow bug in wcsnlen-sse4_1 and wcsnlen-avx2 [BZ #27974]
a775a7a3eb1e85b54af0b4ee5ff4dcf66772a1fb
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
2021-06-23 18:29 ` goldstein.w.n at gmail dot com
@ 2022-01-27 21:11 ` hjl.tools at gmail dot com
2022-01-27 22:40 ` cvs-commit at gcc dot gnu.org
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: hjl.tools at gmail dot com @ 2022-01-27 21:11 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Overflow bug in some |Overflow bug in some
|implementation of of |implementation of wcsnlen,
|wcsnlen, wmemchr, and |wmemchr, and wcsncat
|wcsncat. |
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (2 preceding siblings ...)
2022-01-27 21:11 ` [Bug string/27974] Overflow bug in some implementation " hjl.tools at gmail dot com
@ 2022-01-27 22:40 ` cvs-commit at gcc dot gnu.org
2022-01-27 23:19 ` cvs-commit at gcc dot gnu.org
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-27 22:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.33/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=25941de34e1ab24b869702f4a8caca330f0498a1
commit 25941de34e1ab24b869702f4a8caca330f0498a1
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 13:10:09 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (3 preceding siblings ...)
2022-01-27 22:40 ` cvs-commit at gcc dot gnu.org
@ 2022-01-27 23:19 ` cvs-commit at gcc dot gnu.org
2022-01-28 0:24 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-27 23:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.32/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bee0b69a58e341b70b2f9db6078ae047827ff209
commit bee0b69a58e341b70b2f9db6078ae047827ff209
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 14:46:15 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (4 preceding siblings ...)
2022-01-27 23:19 ` cvs-commit at gcc dot gnu.org
@ 2022-01-28 0:24 ` cvs-commit at gcc dot gnu.org
2022-01-28 0:40 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-28 0:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=70d293a158680bd40b07de1cd772bd833ff263f4
commit 70d293a158680bd40b07de1cd772bd833ff263f4
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 15:50:22 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (5 preceding siblings ...)
2022-01-28 0:24 ` cvs-commit at gcc dot gnu.org
@ 2022-01-28 0:40 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:21 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-28 0:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=25ed98a8827c083c8241cf9b5e2d2ec81c9dbe6f
commit 25ed98a8827c083c8241cf9b5e2d2ec81c9dbe6f
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 16:02:09 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (6 preceding siblings ...)
2022-01-28 0:40 ` cvs-commit at gcc dot gnu.org
@ 2022-01-28 2:21 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:22 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:23 ` hjl.tools at gmail dot com
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-28 2:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a0ed5893fcc2e236d9f3e9ad7651efdbdecbcc2b
commit a0ed5893fcc2e236d9f3e9ad7651efdbdecbcc2b
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 16:27:20 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (7 preceding siblings ...)
2022-01-28 2:21 ` cvs-commit at gcc dot gnu.org
@ 2022-01-28 2:22 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:23 ` hjl.tools at gmail dot com
9 siblings, 0 replies; 11+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-01-28 2:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by H.J. Lu
<hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b0fcf886725f666e3406069fe33166bedc1efa91
commit b0fcf886725f666e3406069fe33166bedc1efa91
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Thu Jan 27 16:37:50 2022 -0800
NEWS: Add a bug fix entry for BZ #27974
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Bug string/27974] Overflow bug in some implementation of wcsnlen, wmemchr, and wcsncat
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
` (8 preceding siblings ...)
2022-01-28 2:22 ` cvs-commit at gcc dot gnu.org
@ 2022-01-28 2:23 ` hjl.tools at gmail dot com
9 siblings, 0 replies; 11+ messages in thread
From: hjl.tools at gmail dot com @ 2022-01-28 2:23 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27974
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.34
--- Comment #8 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for 2.34 and all release branches.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-01-28 2:23 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
2021-06-23 18:29 ` goldstein.w.n at gmail dot com
2022-01-27 21:11 ` [Bug string/27974] Overflow bug in some implementation " hjl.tools at gmail dot com
2022-01-27 22:40 ` cvs-commit at gcc dot gnu.org
2022-01-27 23:19 ` cvs-commit at gcc dot gnu.org
2022-01-28 0:24 ` cvs-commit at gcc dot gnu.org
2022-01-28 0:40 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:21 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:22 ` cvs-commit at gcc dot gnu.org
2022-01-28 2:23 ` hjl.tools at gmail dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).