From: "goldstein.w.n at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug string/29591] New: wcsnlen length can overflow in page cross case.
Date: Tue, 20 Sep 2022 22:55:36 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29591

Bug ID: 29591
Summary: wcsnlen length can overflow in page cross case.
Product: glibc
Version: 2.36
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: goldstein.w.n at gmail dot com
Target Milestone: ---

```
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <wchar.h>

#define PAGE_SIZE 4096

static void *
make_buf(uint64_t sz) {
    void * p = mmap(NULL, 2 * PAGE_SIZE + sz, PROT_NONE,
                    MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    /* mmap reports failure as MAP_FAILED, not NULL. */
    assert(p != MAP_FAILED);
    assert(!mprotect(p + PAGE_SIZE, sz, PROT_READ | PROT_WRITE));
    return p + PAGE_SIZE;
}

/* Internal glibc implementations; resolved only in a static build. */
size_t __wcsnlen_avx2(wchar_t const *, size_t);
size_t __wcsnlen_evex(wchar_t const *, size_t);

int
main(int argc, char ** argv) {
    wchar_t * buf = (wchar_t *)make_buf(PAGE_SIZE);
    wchar_t * wstr = buf + (PAGE_SIZE / sizeof(wchar_t)) - 2;
    /* Expect wstr len == 1. */
    memset(wstr, -1, sizeof(wchar_t));
    memset(wstr + 1, 0, sizeof(wchar_t));
    assert(__wcsnlen_evex(wstr, (1UL << 63)) == 1);
    assert(__wcsnlen_avx2(wstr, (1UL << 63)) == 1);
}
```

Build statically so `__wcsnlen_avx2` / `__wcsnlen_evex` are defined.

Output:

```
wcsnlen: wcsnlen.c:31: main: Assertion `__wcsnlen_avx2(wstr, (1UL << 63)) == 1' failed.
Aborted (core dumped)
```
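A broader regression check for the case reported above, added here as an example and not part of the original report or of glibc: it calls the public `wcsnlen`, so it exercises whichever implementation the C library selects on the machine and needs no static build. The names `ref_wcsnlen` and `wcsnlen_page_end_mismatches`, the 64-slot sweep and the list of bounds around the report's `1UL << 63` are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <wchar.h>

/* Scalar reference: stops at maxlen or at the first L'\0'. */
static size_t ref_wcsnlen(const wchar_t *s, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && s[n] != L'\0')
        n++;
    return n;
}

/* Counts disagreements between libc wcsnlen and the reference for strings in
   the last 64 wchar_t slots before a PROT_NONE page; -1 if setup fails. */
int wcsnlen_page_end_mismatches(void)
{
    const size_t top = (size_t)1 << (sizeof(size_t) * 8 - 1);
    /* Constructed bounds: the report's value (top) and nearby huge ones. */
    const size_t maxlens[] = { top >> 1, top - 1, top, top + 1, SIZE_MAX };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, 3 * page, PROT_NONE,
                               MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    if (base == MAP_FAILED ||
        mprotect(base + page, page, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memset(base + page, 0xff, page);             /* every wchar_t non-zero */
    wchar_t *end = (wchar_t *)(base + 2 * page); /* first inaccessible slot */
    int bad = 0;
    for (size_t slots = 1; slots <= 64; slots++) {
        wchar_t *s = end - slots;
        for (size_t len = 0; len < slots; len++) {
            s[len] = L'\0';                      /* terminator inside the page */
            for (size_t i = 0; i < sizeof maxlens / sizeof maxlens[0]; i++)
                bad += wcsnlen(s, maxlens[i]) != ref_wcsnlen(s, maxlens[i]);
            s[len] = (wchar_t)-1;                /* restore for the next case */
        }
    }
    munmap(base, 3 * page);
    return bad;
}

int main(void)
{
    printf("mismatches: %d\n", wcsnlen_page_end_mismatches());
}
```

A non-zero count means the selected `wcsnlen` returned a wrong length for at least one string near the page end; the report's own case corresponds to `slots == 2`, `len == 1`.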