public inbox for libc-alpha@sourceware.org
From: Florian Weimer <fw@deneb.enyo.de>
To: Joseph Myers <joseph@codesourcery.com>
Cc: "zhuyan \(M\)" <zhuyan34@huawei.com>,
	"libc-alpha\@sourceware.org" <libc-alpha@sourceware.org>
Subject: Re: [PATCH v2] memcpy: use bhs/bls instead of bge/blt [BZ #25620]
Date: Thu, 30 Apr 2020 22:33:22 +0200	[thread overview]
Message-ID: <87sggk67e5.fsf@mid.deneb.enyo.de> (raw)
In-Reply-To: <alpine.DEB.2.21.2004212126110.12411@digraph.polyomino.org.uk> (Joseph Myers's message of "Tue, 21 Apr 2020 21:27:25 +0000")

* Joseph Myers:

> On Tue, 21 Apr 2020, Florian Weimer wrote:
>
>> * Joseph Myers:
>> 
>> > On Mon, 13 Apr 2020, zhuyan (M) wrote:
>> >
>> >> In ARMv7, the memcpy() implementation allows for program execution to 
>> >> continue in scenarios where a segmentation fault or crash should have 
>> >> occurred. The dangers occur in that subsequent execution and iterations 
>> >> of this code will be executed with this corrupted data.
>> >> 
>> >> For example, when we use 'memcpy' to copy 0x80000000 bytes to a buffer
>> >> (the buffer size is 100 bytes), it didn't crash.
>> >
>> > This patch includes an architecture-specific test, specific to memcpy.  
>> > My understanding of Wilco's request in bug 25620 was for an 
>> > architecture-independent test or tests, covering all string functions with 
>> > such large arguments, so we can ensure we're consistent across 
>> > architectures.
>> 
>> Sure, that would be great, but can we make this independent of this
>> fix, please?
>
> I think the minimum for this fix should be an architecture-independent 
> test for memcpy (but not other string functions, and not necessarily 
> testing all IFUNC variants of memcpy).

I think it should be for memmove, because memmove is actually defined
in this case.

The test below passes on i686-linux-gnu and x86_64-linux-gnu.

I still see a failure with the memcpy implementation from
sysdeps/arm/armv7/multiarch/memcpy_impl.S:

info: testing memmove
tst-memmove-overflow.c:134: error: blob comparison failed
  blob length: 128 bytes
  left (evaluated from expected_start):
      "O\036m<\vZ)xG\027f5\004S\"q@\017_.}L\033j9\bW\'vE\024c2\001P\037o>\r\\+zI\030g6\006U$sB\021`/~N\035l;\nY(wF\026e4\003R!p?\016^-|K\032i8\aV%uD\023b1\000O\036m=\f[*yH\027f5\005T#rA\020_.}M\034k:\tX\'vE\025d3\002Q o>\r"
      4F 1E 6D 3C 0B 5A 29 78 47 17 66 35 04 53 22 71 40 0F 5F 2E 7D 4C 1B 6A 39 08 57 27 76 45 14 63 32 01 50 1F 6F 3E 0D 5C 2B 7A 49 18 67 36 06 55 24 73 42 11 60 2F 7E 4E 1D 6C 3B 0A 59 28 77 46 16 65 34 03 52 21 70 3F 0E 5E 2D 7C 4B 1A 69 38 07 56 25 75 44 13 62 31 00 4F 1E 6D 3D 0C 5B 2A 79 48 17 66 35 05 54 23 72 41 10 5F 2E 7D 4D 1C 6B 3A 09 58 27 76 45 15 64 33 02 51 20 6F 3E 0D
  right (evaluated from start):
      "O\036m<\vZ)xG\027f5\004S\"q@\017_.}L\033j9\bW\'vE\024c2\001P\037o>\r\\+zI\030g6\006U$sB\021`/~N\035l;\nY(wwF\026e4\003R!p?\016^-|K\032i8\aV%uD\023b1\000O\036m=\f[*yH\027f5\005T#rA\020_.}M\034k:\tX\'vE\025d3\002Q o>"
      4F 1E 6D 3C 0B 5A 29 78 47 17 66 35 04 53 22 71 40 0F 5F 2E 7D 4C 1B 6A 39 08 57 27 76 45 14 63 32 01 50 1F 6F 3E 0D 5C 2B 7A 49 18 67 36 06 55 24 73 42 11 60 2F 7E 4E 1D 6C 3B 0A 59 28 77 77 46 16 65 34 03 52 21 70 3F 0E 5E 2D 7C 4B 1A 69 38 07 56 25 75 44 13 62 31 00 4F 1E 6D 3D 0C 5B 2A 79 48 17 66 35 05 54 23 72 41 10 5F 2E 7D 4D 1C 6B 3A 09 58 27 76 45 15 64 33 02 51 20 6F 3E
tst-memmove-overflow.c:137: error: blob comparison failed
  blob length: 128 bytes
  left (evaluated from expected_end):
      " o>\r\\+{J\031h7\006U$sC\022a0\177N\035l;\nZ)xG\026e4\003R\"q@\017^-|K\032j9\bW&uD\023b2\001P\037n=\f[*yI\030g6\005T#rA\021`/~M\034k:\tY(wF\025d3\002Q!p?\016],{J\031h8\aV%tC\022a0\000O\036m<\vZ)xH\027f5\004S\"q@\020_"
      20 6F 3E 0D 5C 2B 7B 4A 19 68 37 06 55 24 73 43 12 61 30 7F 4E 1D 6C 3B 0A 5A 29 78 47 16 65 34 03 52 22 71 40 0F 5E 2D 7C 4B 1A 6A 39 08 57 26 75 44 13 62 32 01 50 1F 6E 3D 0C 5B 2A 79 49 18 67 36 05 54 23 72 41 11 60 2F 7E 4D 1C 6B 3A 09 59 28 77 46 15 64 33 02 51 21 70 3F 0E 5D 2C 7B 4A 19 68 38 07 56 25 74 43 12 61 30 00 4F 1E 6D 3C 0B 5A 29 78 48 17 66 35 04 53 22 71 40 10 5F
  right (evaluated from start + allocation_size - sizeof (expected_end) - 1):
      "Q o>\r\\+{J\031h7\006U$sC\022a0\177N\035l;\nZ)xG\026e4\003R\"q@\017^-|K\032j9\bW&uD\023b2\001P\037n=\f[*yI\030g6\005T#rA\021`/~M\034k:\tY(wF\025d3\002Q!p?\016],{J\031h8\aV%tC\022a0\000O\036m<\vZ)xH\027f5\004S\"q@\020"
      51 20 6F 3E 0D 5C 2B 7B 4A 19 68 37 06 55 24 73 43 12 61 30 7F 4E 1D 6C 3B 0A 5A 29 78 47 16 65 34 03 52 22 71 40 0F 5E 2D 7C 4B 1A 6A 39 08 57 26 75 44 13 62 32 01 50 1F 6E 3D 0C 5B 2A 79 49 18 67 36 05 54 23 72 41 11 60 2F 7E 4D 1C 6B 3A 09 59 28 77 46 15 64 33 02 51 21 70 3F 0E 5D 2C 7B 4A 19 68 38 07 56 25 74 43 12 61 30 00 4F 1E 6D 3C 0B 5A 29 78 48 17 66 35 04 53 22 71 40 10
tst-memmove-overflow.c:139: numeric comparison failure
   left: 119 (0x77); from: start[i]
  right: 70 (0x46); from: expected_value (i + 1)
[…]

Apparently, the copy stops after the first 62 bytes.

Furthermore, the test exposes a similar bug in sysdeps/arm/memcpy.S:

ENTRY(memcpy)
[…]
		subs	r2, r2, #4
		blt	8f

So an early exit is taken.

8<------------------------------------------------------------------8<
Subject: string: Add string/tst-memmove-overflow, a test case for bug 25620

-----
 string/Makefile               |   2 +-
 string/tst-memmove-overflow.c | 153 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 154 insertions(+), 1 deletion(-)

diff --git a/string/Makefile b/string/Makefile
index c46785f1a1..e1cca5516b 100644
--- a/string/Makefile
+++ b/string/Makefile
@@ -60,7 +60,7 @@ tests		:= tester inl-tester noinl-tester testcopy test-ffs	\
 		   bug-envz1 tst-strxfrm2 tst-endian tst-svc2		\
 		   tst-strtok_r bug-strcoll2 tst-cmp tst-xbzero-opt	\
 		   test-endian-types test-endian-file-scope		\
-		   test-endian-sign-conversion
+		   test-endian-sign-conversion tst-memmove-overflow
 
 # This test allocates a lot of memory and can run for a long time.
 xtests = tst-strcoll-overflow
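Review bot: consider whether tst-memmove-overflow belongs in `xtests` next to `tst-strcoll-overflow`, which the comment immediately below this hunk reserves for tests that allocate a lot of memory, rather than in the default `tests` list: the new file maps an allocation of 2 GiB plus 8 MiB. If it intentionally stays in `tests` because most of that allocation is shared pages, a one-line comment next to the added entry would save the next reader the same question.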
diff --git a/string/tst-memmove-overflow.c b/string/tst-memmove-overflow.c
new file mode 100644
index 0000000000..8e7a533266
--- /dev/null
+++ b/string/tst-memmove-overflow.c
@@ -0,0 +1,153 @@
+/* Test for signed comparision bug in memmove (bug 25620).
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* This test shifts a memory region which is a bit larger than 2 GiB
+   by one byte.  In order to make it more likely that the memory
+   allocation succeeds on 32-bit systems, most of the allocation
+   consists of shared pages.  Only a portion at the start and end of
+   the allocation are unshared, and contain a specific non-repeating
+   bit pattern.  */
+
+#include <array_length.h>
+#include <libc-diag.h>
+#include <stdint.h>
+#include <string.h>
+#include <support/blob_repeat.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define TEST_MAIN
+#define TEST_NAME "memmove"
+#include "test-string.h"
+#include <support/test-driver.h>
+
+IMPL (memmove, 1)
+
+/* The allocation is 2 GiB plus 8 MiB large.  This should work with
+   all page sizes that occur in practice.  */
+static const size_t allocation_size = (2U << 30) + (8U << 20);
+
+/* Size of the part of the allocation which is not shared, at the
+   start and the end of the overall allocation.  4 MiB.  */
+static const size_t unshared_size = 4U << 20;
+
+/* Compute the expected byte at the given index.  This is used to
+   produce a non-repeating pattern.  */
+static inline unsigned char
+expected_value (size_t index)
+{
+  uint32_t randomized = 0x9e3779b9 * index; /* Based on golden ratio.  */
+  return randomized >> 25;	/* Result is in the range [0, 127].  */
+}
+
+static int
+test_main (void)
+{
+  test_init ();
+
+  FOR_EACH_IMPL (impl, 0)
+    {
+      printf ("info: testing %s\n", impl->name);
+
+      /* Check that the allocation sizes are multiples of the page
+	 size.  */
+      TEST_COMPARE (allocation_size % xsysconf (_SC_PAGESIZE), 0);
+      TEST_COMPARE (unshared_size % xsysconf (_SC_PAGESIZE), 0);
+
+      /* The repeating pattern has the MSB set in all bytes.  */
+      unsigned char repeating_pattern[128];
+      for (unsigned int i = 0; i < array_length (repeating_pattern); ++i)
+	repeating_pattern[i] = 0x80 | i;
+
+      struct support_blob_repeat repeat
+	= support_blob_repeat_allocate (repeating_pattern,
+					sizeof (repeating_pattern),
+					(allocation_size
+					 / sizeof (repeating_pattern)));
+      if (repeat.start == NULL)
+	FAIL_UNSUPPORTED ("repeated blob allocation failed: %m");
+      TEST_COMPARE (repeat.size, allocation_size);
+
+      /* Unshared the start and the end of the allocation.  */
+      unsigned char *start = repeat.start;
+      xmmap (start, unshared_size,
+	     PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1);
+      xmmap (start + allocation_size - unshared_size, unshared_size,
+	     PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1);
+
+      /* Initialize the non-repeating pattern.  */
+      for (size_t i = 0; i < unshared_size; ++i)
+	start[i] = expected_value (i);
+      for (size_t i = allocation_size - unshared_size; i < allocation_size;
+	   ++i)
+	start[i] = expected_value (i);
+
+      /* Make sure that there was really no sharing.  */
+      asm volatile ("" ::: "memory");
+      for (size_t i = 0; i < unshared_size; ++i)
+	TEST_COMPARE (start[i], expected_value (i));
+      for (size_t i = allocation_size - unshared_size; i < allocation_size;
+	   ++i)
+	TEST_COMPARE (start[i], expected_value (i));
+
+      /* Used for a nicer error diagnostic using
+	 TEST_COMPARE_BLOB.  */
+      unsigned char expected_start[128];
+      memcpy (expected_start, start + 1, sizeof (expected_start));
+      unsigned char expected_end[128];
+      memcpy (expected_end,
+	      start + allocation_size - sizeof (expected_end),
+	      sizeof (expected_end));
+
+      /* Move the entire allocation forward by one byte.  */
+      DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (8, 0)
+      /* GCC 8 warns about string function argument overflows.  */
+      DIAG_IGNORE_NEEDS_COMMENT (8, "-Warray-bounds");
+      DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow");
+#endif
+      memmove (start, start + 1, allocation_size - 1);
+      DIAG_POP_NEEDS_COMMENT;
+
+      /* Check that the unshared of the memory region have been
+	 shifted as expected.  The TEST_COMPARE_BLOB checks are
+	 redundant, but produce nicer diagnostics.  */
+      asm volatile ("" ::: "memory");
+      TEST_COMPARE_BLOB (expected_start, sizeof (expected_start),
+			 start, sizeof (expected_start));
+      TEST_COMPARE_BLOB (expected_end, sizeof (expected_end),
+			 start + allocation_size - sizeof (expected_end) - 1,
+			 sizeof (expected_end));
+      for (size_t i = 0; i < unshared_size - 1; ++i)
+	TEST_COMPARE (start[i], expected_value (i + 1));
+      /* The gap between the start and the end has shared mappings at
+	 unspecified boundaries, so do not check the expected values
+	 here.  */
+      for (size_t i = allocation_size - unshared_size; i < allocation_size - 1;
+	   ++i)
+	TEST_COMPARE (start[i], expected_value (i + 1));
+
+      support_blob_repeat_free (&repeat);
+    }
+
+  return 0;
+}
+
+#include <support/test-driver.c>
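Review bot: the two `xmmap` calls under "Unshared the start and the end of the allocation" pass `MAP_PRIVATE | MAP_ANONYMOUS` without `MAP_FIXED`, so the address is only a hint; since that range is already occupied by the blob-repeat mapping, the kernel will place the new private pages elsewhere and `start` keeps pointing at the shared pages. Add `MAP_FIXED` to both calls, e.g. `MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED`, so the "Make sure that there was really no sharing" loops verify the intended layout instead of being the only thing that might notice the misplaced mapping. Minor wording in the same hunk: "comparision" in the file header should be "comparison", "Unshared the start" should be "Unshare the start", and "the unshared of the memory region" is missing a word such as "parts".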

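As an added illustration that is not code from this thread or from glibc, the following C model computes the NZCV flags an ARM `subs` leaves behind and evaluates the signed (`blt`) and unsigned (`blo`, the less-than member of the `bhs`/`bls` family named in the patch subject) branch conditions for the loop guard `subs r2, r2, #4 / blt 8f` quoted above. It shows why a length such as 0x80000000 takes the early exit under the signed condition but not under the unsigned one; the flag formulas follow the ARM architecture definition of SUBS.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Condition flags as an ARM SUBS instruction leaves them.  */
struct flags { bool n, z, c, v; };

/* Model "subs rd, rn, #imm": compute rn - imm and set N, Z, C, V.  */
static uint32_t
arm_subs (uint32_t rn, uint32_t imm, struct flags *f)
{
  uint32_t rd = rn - imm;
  f->n = (rd >> 31) != 0;                        /* result negative (signed) */
  f->z = rd == 0;
  f->c = rn >= imm;                              /* no borrow: rn >= imm unsigned */
  f->v = (((rn ^ imm) & (rn ^ rd)) >> 31) != 0;  /* signed overflow */
  return rd;
}

/* blt: signed less-than is N != V.  */
static bool cond_lt (const struct flags *f) { return f->n != f->v; }
/* blo: unsigned less-than is C clear.  */
static bool cond_lo (const struct flags *f) { return !f->c; }

/* Does "subs r2, r2, #4 / blt 8f" leave the copy loop for length r2?
   This is the signed guard from sysdeps/arm/memcpy.S quoted above.  */
static bool
signed_guard_exits (uint32_t r2)
{
  struct flags f;
  arm_subs (r2, 4, &f);
  return cond_lt (&f);
}

/* The same guard with the unsigned condition (blo) instead of blt.  */
static bool
unsigned_guard_exits (uint32_t r2)
{
  struct flags f;
  arm_subs (r2, 4, &f);
  return cond_lo (&f);
}

int
main (void)
{
  /* Constructed sample lengths; 0x80000000 is the value from the report.  */
  const uint32_t lengths[] = { 3, 100, 0x7fffffff, 0x80000000, 0xffffffff };
  for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
    printf ("len=0x%08x  blt exits: %d  blo exits: %d\n", lengths[i],
            signed_guard_exits (lengths[i]), unsigned_guard_exits (lengths[i]));
  return 0;
}
```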