From: fweimer@redhat.com (Florian Weimer)
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] Fix i386 memmove issue (bug 22644).
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <20180517124343.7B10243985E65@oldenburg.str.redhat.com> (raw)
From: Andrew Senkevich <andrew.n.senkevich@gmail.com>
[BZ #22644]
* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
branch conditions.
* string/test-memmove.c (do_test2): New testcase.
(cherry picked from commit cd66c0e584c6d692bc8347b5e72723d02b8a8ada)
2018-03-23 Andrew Senkevich <andrew.senkevich@intel.com>
Max Horn <max@quendi.de>
[BZ #22644]
* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
branch conditions.
* string/test-memmove.c (do_test2): New testcase.
diff --git a/NEWS b/NEWS
index 4d360a426e..a8016a054a 100644
--- a/NEWS
+++ b/NEWS
@@ -113,6 +113,7 @@ The following bugs are resolved with this release:
[22636] PTHREAD_STACK_MIN is too small on x86-64
[22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
[22637] nptl: Fix stack guard size accounting
+ [22644] Fix i386 memmove issue
[22679] getcwd(3) can succeed without returning an absolute path
(CVE-2018-1000001)
[22685] powerpc: Fix syscalls during early process initialization
diff --git a/string/test-memmove.c b/string/test-memmove.c
index 51f79f6eb4..60f77f825b 100644
--- a/string/test-memmove.c
+++ b/string/test-memmove.c
@@ -24,6 +24,7 @@
# define TEST_NAME "memmove"
#endif
#include "test-string.h"
+#include <support/test-driver.h>
char *simple_memmove (char *, const char *, size_t);
@@ -245,6 +246,60 @@ do_random_tests (void)
}
}
+static void
+do_test2 (void)
+{
+ size_t size = 0x20000000;
+ uint32_t * large_buf;
+
+ large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON, -1, 0);
+
+ if (large_buf == MAP_FAILED)
+ error (EXIT_UNSUPPORTED, errno, "Large mmap failed");
+
+ if ((uintptr_t) large_buf > 0x80000000 - 128
+ || 0x80000000 - (uintptr_t) large_buf > 0x20000000)
+ {
+ error (0, 0, "Large mmap allocated improperly");
+ ret = EXIT_UNSUPPORTED;
+ munmap ((void *) large_buf, size);
+ return;
+ }
+
+ size_t bytes_move = 0x80000000 - (uintptr_t) large_buf;
+ size_t arr_size = bytes_move / sizeof (uint32_t);
+ size_t i;
+
+ FOR_EACH_IMPL (impl, 0)
+ {
+ for (i = 0; i < arr_size; i++)
+ large_buf[i] = (uint32_t) i;
+
+ uint32_t * dst = &large_buf[33];
+
+#ifdef TEST_BCOPY
+ CALL (impl, (char *) large_buf, (char *) dst, bytes_move);
+#else
+ CALL (impl, (char *) dst, (char *) large_buf, bytes_move);
+#endif
+
+ for (i = 0; i < arr_size; i++)
+ {
+ if (dst[i] != (uint32_t) i)
+ {
+ error (0, 0,
+ "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
+ impl->name, dst, large_buf, i);
+ ret = 1;
+ break;
+ }
+ }
+ }
+
+ munmap ((void *) large_buf, size);
+}
+
int
test_main (void)
{
@@ -284,6 +339,9 @@ test_main (void)
}
do_random_tests ();
+
+ do_test2 ();
+
return ret;
}
diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
index 2fe2072cb1..043f4260e2 100644
--- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
+++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
@@ -72,7 +72,7 @@ ENTRY (MEMCPY)
cmp %edx, %eax
# ifdef USE_AS_MEMMOVE
- jg L(check_forward)
+ ja L(check_forward)
L(mm_len_0_or_more_backward):
/* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128]
@@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward):
jbe L(mm_len_0_16_bytes_backward)
cmpl $32, %ecx
- jg L(mm_len_32_or_more_backward)
+ ja L(mm_len_32_or_more_backward)
/* Copy [0..32] and return. */
movdqu (%eax), %xmm0
@@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward):
L(mm_len_32_or_more_backward):
cmpl $64, %ecx
- jg L(mm_len_64_or_more_backward)
+ ja L(mm_len_64_or_more_backward)
/* Copy [0..64] and return. */
movdqu (%eax), %xmm0
@@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward):
L(mm_len_64_or_more_backward):
cmpl $128, %ecx
- jg L(mm_len_128_or_more_backward)
+ ja L(mm_len_128_or_more_backward)
/* Copy [0..128] and return. */
movdqu (%eax), %xmm0
@@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward):
add %ecx, %eax
cmp %edx, %eax
movl SRC(%esp), %eax
- jle L(forward)
+ jbe L(forward)
PUSH (%esi)
PUSH (%edi)
PUSH (%ebx)
@@ -269,7 +269,7 @@ L(check_forward):
add %edx, %ecx
cmp %eax, %ecx
movl LEN(%esp), %ecx
- jle L(forward)
+ jbe L(forward)
/* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128]
separately. */
reply other threads:[~2018-05-17 12:43 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180517124343.7B10243985E65@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).