From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <goldstein.w.n@gmail.com>
Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434])
	by sourceware.org (Postfix) with ESMTPS id C8D7D3858C55
	for <libc-alpha@sourceware.org>; Wed, 21 Sep 2022 00:58:11 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C8D7D3858C55
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pf1-x434.google.com with SMTP id b75so4355681pfb.7
        for <libc-alpha@sourceware.org>; Tue, 20 Sep 2022 17:58:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date;
        bh=eLbm0ZLVBMlIMuXAwmAJv+06uBoqPo9gnWOKqIFWdAw=;
        b=ObP5uyyCLhcCYGcDt//1PEQe7NvGls2JUt/ZbRVBZrAB87nVIqzwb2YUeIhZHS5FPP
         iHzOe1SGaz2NvMCjyvQUkde0fsToXGjzRHGFjODEVnSifEbHZYDlak1giiscYuBlCfuz
         iaiYFGYJIuPvGOXddblx8KogEZ/2CFkS/2Qqfpwe7ojq/rRSlugAFSA73teL6YUPGojS
         1VFsMZYAqyxBTyiHiJtA/SnnqnPWJtYyYyTluKPGyAkI1iVrrTTwzHc2qL9pXR1Hctg1
         zVGvW5fYyHoiOFZIXeJhVrTq4E/0B9oSDgyDpS5AczllLI8fZlP8PJIieSjOB8x8nbTt
         PJLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date;
        bh=eLbm0ZLVBMlIMuXAwmAJv+06uBoqPo9gnWOKqIFWdAw=;
        b=C5IF57QaACZ96Gf0J8KCaarE5b8hBdIpiUecukM9kOdVki+iBhmiqlUjed0vS1I5vh
         psM8kH1e6kKATgnLddJFWRrvkGPWt74Ewei6/frTm94hyo6VcUCHMmCv7VoFhmbXheEd
         bSQKxUxMx66jCg5ECu45PsLvoYeIkH6RoUktKiASkqnalj+GDk4jOe9JyjCIrLyIXJMf
         AYMcsmk3toA9amS89ImCzzds8Tevzq1CLyMVEprIGXxtv/FhCX0ZV4BIA0VDPO1WJX0Q
         Wgbm5JkiAOdy86FyQZRM5cRa095zUXFT+qGzI8jFKP/D/EdWrRNvhJ9r3ADjKL9O/12P
         ovrw==
X-Gm-Message-State: ACrzQf1XYQKMYLIVjp4/G2QIlshLgskxFI3ieefNF6q3mquSV6VXjiZN
	IOr+3s2P64/yX6QpuFxocwRpDrQw5o0=
X-Google-Smtp-Source: AMsMyM7BSYYsvtfsrBy+x9ER8pWr4cu6C5FsktwARorApm02eHIx2tQ5f9nmt6IMavYu5TIBfVm8Ng==
X-Received: by 2002:a05:6a00:a22:b0:54e:6a90:fbef with SMTP id p34-20020a056a000a2200b0054e6a90fbefmr13952131pfh.53.1663721890323;
        Tue, 20 Sep 2022 17:58:10 -0700 (PDT)
Received: from noah-tgl.webpass.net (136-24-166-223.cab.webpass.net. [136.24.166.223])
        by smtp.gmail.com with ESMTPSA id t8-20020a170902e84800b001753654d9c5sm542108plg.95.2022.09.20.17.58.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 20 Sep 2022 17:58:09 -0700 (PDT)
From: Noah Goldstein <goldstein.w.n@gmail.com>
To: libc-alpha@sourceware.org
Cc: goldstein.w.n@gmail.com,
	hjl.tools@gmail.com,
	carlos@systemhalted.org
Subject: [PATCH v1] x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591]
Date: Tue, 20 Sep 2022 17:58:04 -0700
Message-Id: <20220921005804.7131-1-goldstein.w.n@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-12.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-alpha.sourceware.org>

Previous implementation was adjusting length (rsi) to match
bytes (eax), but since there is no bound to length this can cause
overflow.

Fix is to just convert the byte-count (eax) to length by dividing by
sizeof (wchar_t) before the comparison.

Full check passes on x86-64 and build succeeds w/ and w/o multiarch.
---
 string/test-strnlen.c                  | 70 +++++++++++++++-----------
 sysdeps/x86_64/multiarch/strlen-avx2.S |  7 +--
 2 files changed, 43 insertions(+), 34 deletions(-)

diff --git a/string/test-strnlen.c b/string/test-strnlen.c
index 4a9375112a..5cbaf4b734 100644
--- a/string/test-strnlen.c
+++ b/string/test-strnlen.c
@@ -73,7 +73,7 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char)
 {
   size_t i;
 
-  align &= 63;
+  align &= (getpagesize () / sizeof (CHAR) - 1);
   if ((align + len) * sizeof (CHAR) >= page_size)
     return;
 
@@ -90,38 +90,50 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char)
 static void
 do_overflow_tests (void)
 {
-  size_t i, j, len;
+  size_t i, j, al_idx, repeats, len;
   const size_t one = 1;
   uintptr_t buf_addr = (uintptr_t) buf1;
+  const size_t alignments[] = { 0, 1, 7, 9, 31, 33, 63, 65, 95, 97, 127, 129 };
 
-  for (i = 0; i < 750; ++i)
+  for (al_idx = 0; al_idx < sizeof (alignments) / sizeof (alignments[0]);
+       al_idx++)
     {
-      do_test (1, i, SIZE_MAX, BIG_CHAR);
-
-      do_test (0, i, SIZE_MAX - i, BIG_CHAR);
-      do_test (0, i, i - buf_addr, BIG_CHAR);
-      do_test (0, i, -buf_addr - i, BIG_CHAR);
-      do_test (0, i, SIZE_MAX - buf_addr - i, BIG_CHAR);
-      do_test (0, i, SIZE_MAX - buf_addr + i, BIG_CHAR);
-
-      len = 0;
-      for (j = 8 * sizeof(size_t) - 1; j ; --j)
-        {
-          len |= one << j;
-          do_test (0, i, len - i, BIG_CHAR);
-          do_test (0, i, len + i, BIG_CHAR);
-          do_test (0, i, len - buf_addr - i, BIG_CHAR);
-          do_test (0, i, len - buf_addr + i, BIG_CHAR);
-
-          do_test (0, i, ~len - i, BIG_CHAR);
-          do_test (0, i, ~len + i, BIG_CHAR);
-          do_test (0, i, ~len - buf_addr - i, BIG_CHAR);
-          do_test (0, i, ~len - buf_addr + i, BIG_CHAR);
-
-          do_test (0, i, -buf_addr, BIG_CHAR);
-          do_test (0, i, j - buf_addr, BIG_CHAR);
-          do_test (0, i, -buf_addr - j, BIG_CHAR);
-        }
+      for (repeats = 0; repeats < 2; ++repeats)
+	{
+	  size_t align = repeats ? (getpagesize () - alignments[al_idx])
+				 : alignments[al_idx];
+	  align /= sizeof (CHAR);
+	  for (i = 0; i < 750; ++i)
+	    {
+	      do_test (align, i, SIZE_MAX, BIG_CHAR);
+
+	      do_test (align, i, SIZE_MAX - i, BIG_CHAR);
+	      do_test (align, i, i - buf_addr, BIG_CHAR);
+	      do_test (align, i, -buf_addr - i, BIG_CHAR);
+	      do_test (align, i, SIZE_MAX - buf_addr - i, BIG_CHAR);
+	      do_test (align, i, SIZE_MAX - buf_addr + i, BIG_CHAR);
+
+	      len = 0;
+	      for (j = 8 * sizeof (size_t) - 1; j; --j)
+		{
+		  len |= one << j;
+		  do_test (align, i, len, BIG_CHAR);
+		  do_test (align, i, len - i, BIG_CHAR);
+		  do_test (align, i, len + i, BIG_CHAR);
+		  do_test (align, i, len - buf_addr - i, BIG_CHAR);
+		  do_test (align, i, len - buf_addr + i, BIG_CHAR);
+
+		  do_test (align, i, ~len - i, BIG_CHAR);
+		  do_test (align, i, ~len + i, BIG_CHAR);
+		  do_test (align, i, ~len - buf_addr - i, BIG_CHAR);
+		  do_test (align, i, ~len - buf_addr + i, BIG_CHAR);
+
+		  do_test (align, i, -buf_addr, BIG_CHAR);
+		  do_test (align, i, j - buf_addr, BIG_CHAR);
+		  do_test (align, i, -buf_addr - j, BIG_CHAR);
+		}
+	    }
+	}
     }
 }
 
diff --git a/sysdeps/x86_64/multiarch/strlen-avx2.S b/sysdeps/x86_64/multiarch/strlen-avx2.S
index 0593fb303b..b9b58ef599 100644
--- a/sysdeps/x86_64/multiarch/strlen-avx2.S
+++ b/sysdeps/x86_64/multiarch/strlen-avx2.S
@@ -544,14 +544,11 @@ L(return_vzeroupper):
 L(cross_page_less_vec):
 	tzcntl	%eax, %eax
 #  ifdef USE_AS_WCSLEN
-	/* NB: Multiply length by 4 to get byte count.  */
-	sall	$2, %esi
+	/* NB: Divide by 4 to convert from byte-count to length.  */
+	shrl	$2, %eax
 #  endif
 	cmpq	%rax, %rsi
 	cmovb	%esi, %eax
-#  ifdef USE_AS_WCSLEN
-	shrl	$2, %eax
-#  endif
 	VZEROUPPER_RETURN
 # endif
 
-- 
2.34.1