* [Bug string/28756] New: wcsnlen segfaults due to missing length check in loop page cross logic.
@ 2022-01-09 10:41 goldstein.w.n at gmail dot com
From: goldstein.w.n at gmail dot com @ 2022-01-09 10:41 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28756

            Bug ID: 28756
           Summary: wcsnlen segfaults due to missing length check in loop
                    page cross logic.
           Product: glibc
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: goldstein.w.n at gmail dot com
  Target Milestone: ---

See following test case:

#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <wchar.h>
#define PAGE_SIZE 4096
/* Returns sz bytes of RW memory with a PROT_NONE guard page on each side,
   so any read past the end faults instead of silently succeeding. */
static void *
make_buf(uint64_t sz) {
    char * p = mmap(NULL, 2 * PAGE_SIZE + sz, PROT_NONE,
                    MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    assert(p != MAP_FAILED);  /* mmap reports failure as MAP_FAILED, not NULL */
    assert(!mprotect(p + PAGE_SIZE, sz, PROT_READ | PROT_WRITE));
    return p + PAGE_SIZE;
}
int
main(int argc, char ** argv) {
    wchar_t * buf1 = (wchar_t *)make_buf(8 * PAGE_SIZE);
    wchar_t * buf2 = (wchar_t *)make_buf(8 * PAGE_SIZE);

    /* Fill with 0xFF bytes: no wide NUL anywhere, so only len bounds the compare. */
    memset(buf1, -1, 8 * PAGE_SIZE);
    memset(buf2, -1, 8 * PAGE_SIZE);

    static const size_t s2_align = (16260 / 4);

    wchar_t * s1  = buf1;
    wchar_t * s2  = buf2 + s2_align;
    size_t    len = 16508 / 4;

    /* s2 + len ends exactly at the end of buf2, right before its guard page. */
    assert((len + s2_align) * sizeof(wchar_t) <= 8 * PAGE_SIZE);

    // Segfaults
    assert(wcsncmp(s1, s2, len) == 0);
    return 0;
}

The issue: the check for page cross in `s2` during the loop didn't check for length.
This is present in 2.31, which is what is shipped with Ubuntu 20.04, but fixed on
HEAD.
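A generalized guard-page harness for the over-read described above, added here as an example and not part of the report or of glibc: it places s2 so that s2 + len ends on a page boundary with a PROT_NONE page right after it, and runs wcsncmp under a SIGSEGV handler so an out-of-bounds read comes back as a return value instead of killing the process. The names run_guarded, guarded_buf, probe_wcsncmp_overread and probe_guard_page_touch are hypothetical.

```c
#define _GNU_SOURCE                 /* MAP_ANONYMOUS, sigaction, sigsetjmp */
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <wchar.h>
#define PAGE 4096
#define BUF_BYTES (8 * PAGE)        /* RW region between two PROT_NONE guard pages */

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Run fn(arg) under a temporary SIGSEGV handler: 1 if it faulted, 0 if it returned. */
static int run_guarded(void (*fn)(void *), void *arg) {
    struct sigaction sa = { .sa_handler = on_segv }, old;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) { fn(arg); faulted = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* BUF_BYTES of RW memory filled with 0xFF (no wide NUL terminator), guard page on each side. */
static char *guarded_buf(void) {
    char *m = mmap(NULL, BUF_BYTES + 2 * PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED || mprotect(m + PAGE, BUF_BYTES, PROT_READ | PROT_WRITE)) return NULL;
    memset(m + PAGE, 0xff, BUF_BYTES);
    return m + PAGE;
}
static void free_buf(char *b) { munmap(b - PAGE, BUF_BYTES + 2 * PAGE); }
struct args { const wchar_t *s1, *s2; size_t n; };
static void call_wcsncmp(void *p) { struct args *a = p; volatile int r = wcsncmp(a->s1, a->s2, a->n); (void)r; }
static void touch_byte(void *p) { volatile char c = *(volatile char *)p; (void)c; }

/* 1 if wcsncmp reads past s2's buffer with s2 placed s2_off bytes in and len_bytes to compare
   (the reporter's case is 16260, 16508); 0 if it stays in bounds; -1 on a setup error. */
static int probe_wcsncmp_overread(size_t s2_off, size_t len_bytes) {
    if (s2_off + len_bytes > BUF_BYTES) return -1;     /* would not end inside the buffer */
    char *b1 = guarded_buf(), *b2 = guarded_buf();
    if (!b1 || !b2) return -1;
    struct args a = { (const wchar_t *)b1, (const wchar_t *)(b2 + s2_off), len_bytes / sizeof(wchar_t) };
    int faulted = run_guarded(call_wcsncmp, &a);
    free_buf(b1); free_buf(b2);
    return faulted;
}
/* Harness self-check: a one-byte read into the trailing guard page must be reported as a fault. */
static int probe_guard_page_touch(void) {
    char *b = guarded_buf();
    if (!b) return -1;
    int faulted = run_guarded(touch_byte, b + BUF_BYTES);
    free_buf(b);
    return faulted;
}
```

probe_wcsncmp_overread(16260, 16508) reproduces the report's placement and, per the report, returns 1 on glibc 2.31 and 0 on a build with the fix; looping it over other offsets and lengths that end on the boundary turns the single test case into a regression sweep.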

