From: Florian Weimer <fw@deneb.enyo.de>
To: Joseph Myers <joseph@codesourcery.com>
Cc: "zhuyan (M)" <zhuyan34@huawei.com>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Subject: Re: [PATCH v2] memcpy: use bhs/bls instead of bge/blt [BZ #25620]
Date: Thu, 30 Apr 2020 22:33:22 +0200
Message-ID: <87sggk67e5.fsf@mid.deneb.enyo.de>
In-Reply-To: <alpine.DEB.2.21.2004212126110.12411@digraph.polyomino.org.uk> (Joseph Myers's message of "Tue, 21 Apr 2020 21:27:25 +0000")
* Joseph Myers:
> On Tue, 21 Apr 2020, Florian Weimer wrote:
>
>> * Joseph Myers:
>>
>> > On Mon, 13 Apr 2020, zhuyan (M) wrote:
>> >
>> >> In ARMv7, the memcpy() implementation allows for program execution to
>> >> continue in scenarios where a segmentation fault or crash should have
>> >> occurred. The dangers occur in that subsequent execution and iterations
>> >> of this code will be executed with this corrupted data.
>> >>
>> >> For example, we used 'memcpy' to copy 0x80000000 bytes to a buffer (the
>> >> buffer size is 100 bytes), and it didn't crash.
>> >
>> > This patch includes an architecture-specific test, specific to memcpy.
>> > My understanding of Wilco's request in bug 25620 was for an
>> > architecture-independent test or tests, covering all string functions with
>> > such large arguments, so we can ensure we're consistent across
>> > architectures.
>>
>> Sure, that would be great, but can we make this independent of this
>> fix, please?
>
> I think the minimum for this fix should be an architecture-independent
> test for memcpy (but not other string functions, and not necessarily
> testing all IFUNC variants of memcpy).
I think it should be for memmove, because memmove is actually defined
in this case.
The test below passes on i686-linux-gnu and x86_64-linux-gnu.
I still see a failure with the memcpy implementation from
sysdeps/arm/armv7/multiarch/memcpy_impl.S:
info: testing memmove
tst-memmove-overflow.c:134: error: blob comparison failed
blob length: 128 bytes
left (evaluated from expected_start):
"O\036m<\vZ)xG\027f5\004S\"q@\017_.}L\033j9\bW\'vE\024c2\001P\037o>\r\\+zI\030g6\006U$sB\021`/~N\035l;\nY(wF\026e4\003R!p?\016^-|K\032i8\aV%uD\023b1\000O\036m=\f[*yH\027f5\005T#rA\020_.}M\034k:\tX\'vE\025d3\002Q o>\r"
4F 1E 6D 3C 0B 5A 29 78 47 17 66 35 04 53 22 71 40 0F 5F 2E 7D 4C 1B 6A 39 08 57 27 76 45 14 63 32 01 50 1F 6F 3E 0D 5C 2B 7A 49 18 67 36 06 55 24 73 42 11 60 2F 7E 4E 1D 6C 3B 0A 59 28 77 46 16 65 34 03 52 21 70 3F 0E 5E 2D 7C 4B 1A 69 38 07 56 25 75 44 13 62 31 00 4F 1E 6D 3D 0C 5B 2A 79 48 17 66 35 05 54 23 72 41 10 5F 2E 7D 4D 1C 6B 3A 09 58 27 76 45 15 64 33 02 51 20 6F 3E 0D
right (evaluated from start):
"O\036m<\vZ)xG\027f5\004S\"q@\017_.}L\033j9\bW\'vE\024c2\001P\037o>\r\\+zI\030g6\006U$sB\021`/~N\035l;\nY(wwF\026e4\003R!p?\016^-|K\032i8\aV%uD\023b1\000O\036m=\f[*yH\027f5\005T#rA\020_.}M\034k:\tX\'vE\025d3\002Q o>"
4F 1E 6D 3C 0B 5A 29 78 47 17 66 35 04 53 22 71 40 0F 5F 2E 7D 4C 1B 6A 39 08 57 27 76 45 14 63 32 01 50 1F 6F 3E 0D 5C 2B 7A 49 18 67 36 06 55 24 73 42 11 60 2F 7E 4E 1D 6C 3B 0A 59 28 77 77 46 16 65 34 03 52 21 70 3F 0E 5E 2D 7C 4B 1A 69 38 07 56 25 75 44 13 62 31 00 4F 1E 6D 3D 0C 5B 2A 79 48 17 66 35 05 54 23 72 41 10 5F 2E 7D 4D 1C 6B 3A 09 58 27 76 45 15 64 33 02 51 20 6F 3E
tst-memmove-overflow.c:137: error: blob comparison failed
blob length: 128 bytes
left (evaluated from expected_end):
" o>\r\\+{J\031h7\006U$sC\022a0\177N\035l;\nZ)xG\026e4\003R\"q@\017^-|K\032j9\bW&uD\023b2\001P\037n=\f[*yI\030g6\005T#rA\021`/~M\034k:\tY(wF\025d3\002Q!p?\016],{J\031h8\aV%tC\022a0\000O\036m<\vZ)xH\027f5\004S\"q@\020_"
20 6F 3E 0D 5C 2B 7B 4A 19 68 37 06 55 24 73 43 12 61 30 7F 4E 1D 6C 3B 0A 5A 29 78 47 16 65 34 03 52 22 71 40 0F 5E 2D 7C 4B 1A 6A 39 08 57 26 75 44 13 62 32 01 50 1F 6E 3D 0C 5B 2A 79 49 18 67 36 05 54 23 72 41 11 60 2F 7E 4D 1C 6B 3A 09 59 28 77 46 15 64 33 02 51 21 70 3F 0E 5D 2C 7B 4A 19 68 38 07 56 25 74 43 12 61 30 00 4F 1E 6D 3C 0B 5A 29 78 48 17 66 35 04 53 22 71 40 10 5F
right (evaluated from start + allocation_size - sizeof (expected_end) - 1):
"Q o>\r\\+{J\031h7\006U$sC\022a0\177N\035l;\nZ)xG\026e4\003R\"q@\017^-|K\032j9\bW&uD\023b2\001P\037n=\f[*yI\030g6\005T#rA\021`/~M\034k:\tY(wF\025d3\002Q!p?\016],{J\031h8\aV%tC\022a0\000O\036m<\vZ)xH\027f5\004S\"q@\020"
51 20 6F 3E 0D 5C 2B 7B 4A 19 68 37 06 55 24 73 43 12 61 30 7F 4E 1D 6C 3B 0A 5A 29 78 47 16 65 34 03 52 22 71 40 0F 5E 2D 7C 4B 1A 6A 39 08 57 26 75 44 13 62 32 01 50 1F 6E 3D 0C 5B 2A 79 49 18 67 36 05 54 23 72 41 11 60 2F 7E 4D 1C 6B 3A 09 59 28 77 46 15 64 33 02 51 21 70 3F 0E 5D 2C 7B 4A 19 68 38 07 56 25 74 43 12 61 30 00 4F 1E 6D 3C 0B 5A 29 78 48 17 66 35 04 53 22 71 40 10
tst-memmove-overflow.c:139: numeric comparison failure
left: 119 (0x77); from: start[i]
right: 70 (0x46); from: expected_value (i + 1)
[…]
Apparently, the copy stops after the first 62 bytes.
Furthermore, the test exposes a similar bug in sysdeps/arm/memcpy.S:
ENTRY(memcpy)
[…]
subs r2, r2, #4
blt 8f
So an early exit is taken.
8<------------------------------------------------------------------8<
Subject: string: Add string/tst-memmove-overflow, a test case for bug 25620
-----
string/Makefile | 2 +-
string/tst-memmove-overflow.c | 153 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 154 insertions(+), 1 deletion(-)
diff --git a/string/Makefile b/string/Makefile
index c46785f1a1..e1cca5516b 100644
--- a/string/Makefile
+++ b/string/Makefile
@@ -60,7 +60,7 @@ tests := tester inl-tester noinl-tester testcopy test-ffs \
bug-envz1 tst-strxfrm2 tst-endian tst-svc2 \
tst-strtok_r bug-strcoll2 tst-cmp tst-xbzero-opt \
test-endian-types test-endian-file-scope \
- test-endian-sign-conversion
+ test-endian-sign-conversion tst-memmove-overflow
# This test allocates a lot of memory and can run for a long time.
xtests = tst-strcoll-overflow
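Review bot: tst-memmove-overflow is added to the regular tests list directly above the comment "This test allocates a lot of memory and can run for a long time" that justifies keeping tst-strcoll-overflow in xtests, yet the new test maps a little over 2 GiB itself. Either add a comment stating why it can stay in tests (most of the allocation is shared pages, and an allocation failure is reported as FAIL_UNSUPPORTED rather than FAIL) or move it to xtests next to tst-strcoll-overflow.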
diff --git a/string/tst-memmove-overflow.c b/string/tst-memmove-overflow.c
new file mode 100644
index 0000000000..8e7a533266
--- /dev/null
+++ b/string/tst-memmove-overflow.c
@@ -0,0 +1,153 @@
+/* Test for signed comparision bug in memmove (bug 25620).
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* This test shifts a memory region which is a bit larger than 2 GiB
+ by one byte. In order to make it more likely that the memory
+ allocation succeeds on 32-bit systems, most of the allocation
+ consists of shared pages. Only a portion at the start and end of
+ the allocation are unshared, and contain a specific non-repeating
+ bit pattern. */
+
+#include <array_length.h>
+#include <libc-diag.h>
+#include <stdint.h>
+#include <string.h>
+#include <support/blob_repeat.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define TEST_MAIN
+#define TEST_NAME "memmove"
+#include "test-string.h"
+#include <support/test-driver.h>
+
+IMPL (memmove, 1)
+
+/* The allocation is 2 GiB plus 8 MiB large. This should work with
+ all page sizes that occur in practice. */
+static const size_t allocation_size = (2U << 30) + (8U << 20);
+
+/* Size of the part of the allocation which is not shared, at the
+ start and the end of the overall allocation. 4 MiB. */
+static const size_t unshared_size = 4U << 20;
+
+/* Compute the expected byte at the given index. This is used to
+ produce a non-repeating pattern. */
+static inline unsigned char
+expected_value (size_t index)
+{
+ uint32_t randomized = 0x9e3779b9 * index; /* Based on golden ratio. */
+ return randomized >> 25; /* Result is in the range [0, 127]. */
+}
+
+static int
+test_main (void)
+{
+ test_init ();
+
+ FOR_EACH_IMPL (impl, 0)
+ {
+ printf ("info: testing %s\n", impl->name);
+
+ /* Check that the allocation sizes are multiples of the page
+ size. */
+ TEST_COMPARE (allocation_size % xsysconf (_SC_PAGESIZE), 0);
+ TEST_COMPARE (unshared_size % xsysconf (_SC_PAGESIZE), 0);
+
+ /* The repeating pattern has the MSB set in all bytes. */
+ unsigned char repeating_pattern[128];
+ for (unsigned int i = 0; i < array_length (repeating_pattern); ++i)
+ repeating_pattern[i] = 0x80 | i;
+
+ struct support_blob_repeat repeat
+ = support_blob_repeat_allocate (repeating_pattern,
+ sizeof (repeating_pattern),
+ (allocation_size
+ / sizeof (repeating_pattern)));
+ if (repeat.start == NULL)
+ FAIL_UNSUPPORTED ("repeated blob allocation failed: %m");
+ TEST_COMPARE (repeat.size, allocation_size);
+
+ /* Unshared the start and the end of the allocation. */
+ unsigned char *start = repeat.start;
+ xmmap (start, unshared_size,
+ PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1);
+ xmmap (start + allocation_size - unshared_size, unshared_size,
+ PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1);
+
+ /* Initialize the non-repeating pattern. */
+ for (size_t i = 0; i < unshared_size; ++i)
+ start[i] = expected_value (i);
+ for (size_t i = allocation_size - unshared_size; i < allocation_size;
+ ++i)
+ start[i] = expected_value (i);
+
+ /* Make sure that there was really no sharing. */
+ asm volatile ("" ::: "memory");
+ for (size_t i = 0; i < unshared_size; ++i)
+ TEST_COMPARE (start[i], expected_value (i));
+ for (size_t i = allocation_size - unshared_size; i < allocation_size;
+ ++i)
+ TEST_COMPARE (start[i], expected_value (i));
+
+ /* Used for a nicer error diagnostic using
+ TEST_COMPARE_BLOB. */
+ unsigned char expected_start[128];
+ memcpy (expected_start, start + 1, sizeof (expected_start));
+ unsigned char expected_end[128];
+ memcpy (expected_end,
+ start + allocation_size - sizeof (expected_end),
+ sizeof (expected_end));
+
+ /* Move the entire allocation forward by one byte. */
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+ /* GCC 8 warns about string function argument overflows. */
+ DIAG_IGNORE_NEEDS_COMMENT (8, "-Warray-bounds");
+ DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow");
+#endif
+ memmove (start, start + 1, allocation_size - 1);
+ DIAG_POP_NEEDS_COMMENT;
+
+ /* Check that the unshared of the memory region have been
+ shifted as expected. The TEST_COMPARE_BLOB checks are
+ redundant, but produce nicer diagnostics. */
+ asm volatile ("" ::: "memory");
+ TEST_COMPARE_BLOB (expected_start, sizeof (expected_start),
+ start, sizeof (expected_start));
+ TEST_COMPARE_BLOB (expected_end, sizeof (expected_end),
+ start + allocation_size - sizeof (expected_end) - 1,
+ sizeof (expected_end));
+ for (size_t i = 0; i < unshared_size - 1; ++i)
+ TEST_COMPARE (start[i], expected_value (i + 1));
+ /* The gap between the start and the end has shared mappings at
+ unspecified boundaries, so do not check the expected values
+ here. */
+ for (size_t i = allocation_size - unshared_size; i < allocation_size - 1;
+ ++i)
+ TEST_COMPARE (start[i], expected_value (i + 1));
+
+ support_blob_repeat_free (&repeat);
+ }
+
+ return 0;
+}
+
+#include <support/test-driver.c>
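Review bot: the two xmmap calls that are meant to unshare the start and end of the allocation pass MAP_PRIVATE | MAP_ANONYMOUS without MAP_FIXED, so the address is only a hint and the kernel is free to place the new mapping elsewhere, leaving the blob pages shared; the later "Make sure that there was really no sharing" loop would then report the failure at the wrong place. Add MAP_FIXED (the range is already mapped by support_blob_repeat_allocate, so replacing it is the intent) or TEST_VERIFY that the returned address equals start. Also, "comparision" in the header comment, "Unshared the start and the end" and "the unshared of the memory region" read better as "comparison", "Unshare the start and the end" and "the unshared parts of the memory region".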
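The early exit quoted above from sysdeps/arm/memcpy.S ("subs r2, r2, #4 / blt 8f") is a signed comparison on a 32-bit length register. The following is an added example, not code from the patch or from glibc: it models the ARM flag-setting subtraction and compares the signed blt condition with its direct unsigned counterpart blo (bcc) for lengths on both sides of 0x80000000; the bhs/bls conditions named in the patch title belong to other comparisons not shown on this page, and the flag and condition names here are the author's own modelling.

```c
/* Added example: emulate "subs r2, r2, #4" followed by blt (signed) or
   blo (unsigned) on a 32-bit ARM length register.  Not glibc code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct flags { bool n, z, c, v; };

/* Emulate "subs rd, rn, #imm": return rn - imm and set NZCV the way the
   ARM ALU does for subtraction (C = no borrow, V = signed overflow). */
static uint32_t subs(uint32_t rn, uint32_t imm, struct flags *f)
{
    uint32_t rd = rn - imm;
    f->n = (rd >> 31) != 0;
    f->z = rd == 0;
    f->c = rn >= imm;                                /* no borrow */
    f->v = (((rn ^ imm) & (rn ^ rd)) >> 31) != 0;    /* sign overflow */
    return rd;
}

/* blt: branch if N != V, i.e. signed less-than. */
static bool blt(const struct flags *f) { return f->n != f->v; }
/* blo (alias bcc): branch if C clear, i.e. unsigned lower. */
static bool blo(const struct flags *f) { return !f->c; }

/* Would "subs r2, r2, #4 / blt 8f" leave the copy loop for length n?  */
bool early_exit_signed(uint32_t n)
{
    struct flags f; subs(n, 4, &f); return blt(&f);
}
/* Same prologue with the unsigned condition a length check needs.  */
bool early_exit_unsigned(uint32_t n)
{
    struct flags f; subs(n, 4, &f); return blo(&f);
}

int main(void)
{
    /* Constructed sample lengths: small, large-positive, and >= 2 GiB. */
    uint32_t lens[] = { 3, 100, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("n=0x%08x  blt exits: %d  blo exits: %d\n", lens[i],
               early_exit_signed(lens[i]), early_exit_unsigned(lens[i]));
    return 0;
}
```

For n = 0x80000000 the signed condition takes the exit although more than four bytes remain, which is the behaviour the quoted test output shows; the unsigned condition only exits for lengths below four.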