public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug string/29591] New: wcsnlen length can overflow in page cross case.
@ 2022-09-20 22:55 goldstein.w.n at gmail dot com
2022-09-20 22:58 ` [Bug string/29591] " goldstein.w.n at gmail dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: goldstein.w.n at gmail dot com @ 2022-09-20 22:55 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29591
Bug ID: 29591
Summary: wcsnlen length can overflow in page cross case.
Product: glibc
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: goldstein.w.n at gmail dot com
Target Milestone: ---
```
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <wchar.h>
#define PAGE_SIZE 4096
static void *
make_buf(uint64_t sz) {
void * p = mmap(NULL, 2 * PAGE_SIZE + sz, PROT_NONE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
assert(p != NULL);
assert(!mprotect(p + PAGE_SIZE, sz, PROT_READ | PROT_WRITE));
return p + PAGE_SIZE;
}
size_t __wcsnlen_avx2(wchar_t const *, size_t);
size_t __wcsnlen_evex(wchar_t const *, size_t);
int
main(int argc, char ** argv) {
wchar_t * buf = (wchar_t *)make_buf(PAGE_SIZE);
wchar_t * wstr = buf + (PAGE_SIZE / sizeof(wchar_t)) - 2;
/* Expect wstr len == 1. */
memset(wstr, -1, sizeof(wchar_t));
memset(wstr + 1, 0, sizeof(wchar_t));
assert(__wcsnlen_evex(wstr, (1UL << 63)) == 1);
assert(__wcsnlen_avx2(wstr, (1UL << 63)) == 1);
}
```
Build statically so `__wcsnlen_avx2` / `__wcsnlen_evex` are defined.
Output:
```
wcsnlen: wcsnlen.c:31: main: Assertion `__wcsnlen_avx2(wstr, (1UL << 63)) == 1'
failed.
Aborted (core dumped)
```
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug string/29591] wcsnlen length can overflow in page cross case.
2022-09-20 22:55 [Bug string/29591] New: wcsnlen length can overflow in page cross case goldstein.w.n at gmail dot com
@ 2022-09-20 22:58 ` goldstein.w.n at gmail dot com
2023-03-01 16:45 ` carlos at redhat dot com
2023-03-01 16:46 ` carlos at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: goldstein.w.n at gmail dot com @ 2022-09-20 22:58 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29591
--- Comment #1 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
Created attachment 14340
--> https://sourceware.org/bugzilla/attachment.cgi?id=14340&action=edit
Fix and test cases.
Fix, will post once all tests complete.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug string/29591] wcsnlen length can overflow in page cross case.
2022-09-20 22:55 [Bug string/29591] New: wcsnlen length can overflow in page cross case goldstein.w.n at gmail dot com
2022-09-20 22:58 ` [Bug string/29591] " goldstein.w.n at gmail dot com
@ 2023-03-01 16:45 ` carlos at redhat dot com
2023-03-01 16:46 ` carlos at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: carlos at redhat dot com @ 2023-03-01 16:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29591
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Target Milestone|--- |2.38
Status|UNCONFIRMED |RESOLVED
CC| |carlos at redhat dot com
--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
Fixed in master, 2.37, 2.36, 2.35, 2.34, and 2.33.
commit b0969fa53a28b4ab2159806bf6c99a98999502ee
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date: Tue Sep 20 17:58:04 2022 -0700
x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591]
Previous implementation was adjusting length (rsi) to match
bytes (eax), but since there is no bound to length this can cause
overflow.
Fix is to just convert the byte-count (eax) to length by dividing by
sizeof (wchar_t) before the comparison.
Full check passes on x86-64 and build succeeds w/ and w/o multiarch.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug string/29591] wcsnlen length can overflow in page cross case.
2022-09-20 22:55 [Bug string/29591] New: wcsnlen length can overflow in page cross case goldstein.w.n at gmail dot com
2022-09-20 22:58 ` [Bug string/29591] " goldstein.w.n at gmail dot com
2023-03-01 16:45 ` carlos at redhat dot com
@ 2023-03-01 16:46 ` carlos at redhat dot com
2 siblings, 0 replies; 4+ messages in thread
From: carlos at redhat dot com @ 2023-03-01 16:46 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29591
--- Comment #3 from Carlos O'Donell <carlos at redhat dot com> ---
Additionally fixed in in 2.32, 2.31, 2.30, 2.29, and 2.28 to resolve ifunc
backports.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-03-01 16:46 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-20 22:55 [Bug string/29591] New: wcsnlen length can overflow in page cross case goldstein.w.n at gmail dot com
2022-09-20 22:58 ` [Bug string/29591] " goldstein.w.n at gmail dot com
2023-03-01 16:45 ` carlos at redhat dot com
2023-03-01 16:46 ` carlos at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).