Re: [PATCH v2] string: Fix OOB read on generic strncmp

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>,
	Florian Weimer <fweimer@redhat.com>,
	"H.J. Lu" <hjl.tools@gmail.com>,
	Noah Goldstein <goldstein.w.n@gmail.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v2] string: Fix OOB read on generic strncmp
Date: Thu, 23 Feb 2023 15:15:09 -0300	[thread overview]
Message-ID: <ef6c9254-0815-4143-99fb-8b63845fb7fe@linaro.org> (raw)
In-Reply-To: <Y/ZPFmLgwSNgxphJ@arm.com>



On 22/02/23 14:21, Szabolcs Nagy wrote:
> The 02/22/2023 13:31, Adhemerval Zanella wrote:
>> For unaligned case, reading ahead can only be done if parting reads
>> matches the aligned input.
>>
>> Also extend the stratcliff tests to check such cases.
>>
>> Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
>> and powerpc-linux-gnu by removing the arch-specific assembly
>> implementation and disabling multi-arch (it covers both LE and BE
>> for 64 and 32 bits).
> 
> thanks this looks good.
> 
> Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
> 

So before I push the fix along with the testcase, I checked all strncmp
optimization and found out that some implementations also do not handle 
this correctly as expected:

sysdeps/x86_64/multiarch/strncmp-sse2.S				FAIL
sysdeps/x86_64/multiarch/strncmp-sse4_2.S			FAIL
sysdeps/x86_64/multiarch/strncmp-avx2.S				OK
sysdeps/x86_64/multiarch/strncmp-evex.S				?
sysdeps/x86_64/multiarch/strncmp-avx2-rtm.S			?

sysdeps/ia64/strncmp.S						?

sysdeps/sparc/sparc32/sparcv9/strncmp.S				OK
sysdeps/sparc/sparc64/strncmp.S					OK

sysdeps/aarch64/strncmp.S					OK

sysdeps/powerpc/powerpc32/power7/strncmp.S			FAIL
sysdeps/powerpc/powerpc32/405/strncmp.S				?	
sysdeps/powerpc/powerpc32/strncmp.S				FAIL
sysdeps/powerpc/powerpc32/power4/strncmp.S			FAIL
sysdeps/powerpc/powerpc64/power7/strncmp.S			FAIL
sysdeps/powerpc/powerpc64/power8/strncmp.S			OK
sysdeps/powerpc/powerpc64/strncmp.S				FAIL
sysdeps/powerpc/powerpc64/le/power9/strncmp.S			OK

sysdeps/alpha/strncmp.S						FAIL

sysdeps/i386/i686/multiarch/strncmp-sse4.S			OK
sysdeps/i386/i686/multiarch/strncmp-ssse3.S			FAIL

sysdeps/s390/strncmp-vx.S					OK	

(the ? are implementations that I can really test, even qemu static
thrown illegal instruction).

Noah has brought to my attention that he tried to add similar tests,
but they were rejected by strncmp string must be null-terminated [1].

The working drafts for C standard I have access (n1256.pdf for C99 and 
n3047.pdf for c2x) do not say possibly null-terminated array (as some
stackoverflow answer state [2]) they refer only as array. So I tend
to follow Florian understanding that strncmp inputs should be NULL
terminated.

So should we really consider this a OOB read on generic strncmp?

[1] https://sourceware.org/pipermail/libc-alpha/2022-January/135130.html
[2] https://stackoverflow.com/questions/41418766/is-it-legal-to-pass-a-non-null-terminated-string-to-strncmp-in-c

next prev parent reply	other threads:[~2023-02-23 18:15 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-22 16:31 Adhemerval Zanella
2023-02-22 17:21 ` Szabolcs Nagy
2023-02-23 18:15   ` Adhemerval Zanella Netto [this message]
2023-02-24 10:19     ` Szabolcs Nagy
2023-02-24 10:58       ` Florian Weimer
2023-02-23 19:10 Wilco Dijkstra
2023-02-24 12:24 Wilco Dijkstra
2023-02-24 12:34 ` Adhemerval Zanella Netto
2023-02-24 12:43 ` Szabolcs Nagy
2023-02-24 12:57   ` Adhemerval Zanella Netto

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ef6c9254-0815-4143-99fb-8b63845fb7fe@linaro.org \
    --to=adhemerval.zanella@linaro.org \
    --cc=fweimer@redhat.com \
    --cc=goldstein.w.n@gmail.com \
    --cc=hjl.tools@gmail.com \
    --cc=libc-alpha@sourceware.org \
    --cc=szabolcs.nagy@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).