From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=CsNf=3Y=gmail.com=skpgkp2@sourceware.org>
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232])
	by sourceware.org (Postfix) with ESMTPS id 0EB08384F481;
	Thu, 24 Nov 2022 03:04:47 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0EB08384F481
Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-oi1-x232.google.com with SMTP id l127so363542oia.8;
        Wed, 23 Nov 2022 19:04:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=lzPKRdgKYkS7xAIofXnJoCm6jbfc5TdSBFXn+uiGDDI=;
        b=IjwpNuThLeRMPHGi7ngPiyGWTSAvqBZynk1Ro+Pw1LZPIwVWsYxsF4SeZMtE0sqpnu
         8uhIcitvIhyAXfKdcLv42nYLGUh5zb7n9GlBljV7OEm0PIl1BoW0UkGdleFGIKrdFdUt
         1TQa5APgLmsEoIVXsG17NjgTB7irnYbgyQwYZzEbNW5p6FmVrh3htq8WBaXUi+lgYysl
         Alg3uI67IKEZ4Ux1FwM2zPZvVYV/Lw7regtuNK3RyGbA5uzauf/zWotrZAm3EyXag94E
         0GaaJ7z++bBWB6M5OXGJ59jpNedazgaOWMwrDor80HoJWqQ0dl6LT2lvdl/KBMaNeJxC
         z1vQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=lzPKRdgKYkS7xAIofXnJoCm6jbfc5TdSBFXn+uiGDDI=;
        b=Ejmh4h+o+pKlHgZA70CWpOV+o+0d2E7MvmxfDFEhf2fTm0YYVW0edxsKV0CXcP62uC
         T1/ODdV17FVIp0a+gqD4Vr/BJ0MFRyP6w6ZpDtssPuLhao+GQ0e7TDvfuSi9K3GJhChP
         Q3SVN0uGVS+p+LOjJG/qkQgi/XIBaUfnR4lUFjNTdPfqW+oPLTgKUtjO125PTo7uGgs5
         RoB+qgKxhwFPGVM7+XikKTn3vTl9rsloha1bBwgBlA31qmVS3RqD0R+jAQZXGIOZiDh4
         haw94RUrbkhMWTlELmdLpevMklJIPCR9sKVXM5Zd+YZBVPmy+wjONLiOkrMA9oXuiieH
         AIxw==
X-Gm-Message-State: ANoB5plkFCfuZOmFH/40p0iiy4qgFeXSRjifVrcKSvNxPcylXAp9CPjQ
	3Gh+7/HPtgKojfAZ59fV6cevuKc+M8rvD7ECPpZK9u/w
X-Google-Smtp-Source: AA0mqf5yp1DdvXzJbyCX26LeqBE3o+Hqm6l80NnbxprjWcVG6B07xWhLBl+hArR3ycfmSHvk5SuaKiCDFeBz1LRO4e4=
X-Received: by 2002:a05:6808:1824:b0:357:65d7:1427 with SMTP id
 bh36-20020a056808182400b0035765d71427mr15885566oib.105.1669259086241; Wed, 23
 Nov 2022 19:04:46 -0800 (PST)
MIME-Version: 1.0
References: <20220921005804.7131-1-goldstein.w.n@gmail.com>
 <CAMe9rOobcrtq0dSy5pPqDNahBjJVd7LVs-iT6FcQw5VO7mRi=g@mail.gmail.com>
 <CAMAf5_e7i=f5xp8UWx3Qai6donnwmyku5Qp3y=f5Bcufj6+7Qg@mail.gmail.com> <CAMe9rOrBK2O690Kfg0wjsKzH6zcgao9agtJXOQnzSnAk-tCUAg@mail.gmail.com>
In-Reply-To: <CAMe9rOrBK2O690Kfg0wjsKzH6zcgao9agtJXOQnzSnAk-tCUAg@mail.gmail.com>
From: Sunil Pandey <skpgkp2@gmail.com>
Date: Wed, 23 Nov 2022 19:04:10 -0800
Message-ID: <CAMAf5_doA_D3r1-J=7CTW1C=3eusTBBHbbnOLg3iu2scaesLyg@mail.gmail.com>
Subject: Re: [PATCH v1] x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591]
To: "H.J. Lu" <hjl.tools@gmail.com>
Cc: Libc-stable Mailing List <libc-stable@sourceware.org>, Noah Goldstein <goldstein.w.n@gmail.com>, 
	libc-alpha@sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,GIT_PATCH_0,HK_RANDOM_ENVFROM,HK_RANDOM_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <libc-stable.sourceware.org>

On Wed, Nov 23, 2022 at 4:23 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Wed, Nov 23, 2022 at 2:21 PM Sunil Pandey <skpgkp2@gmail.com> wrote:
> >
> > On Wed, Sep 21, 2022 at 3:02 PM H.J. Lu via Libc-alpha
> > <libc-alpha@sourceware.org> wrote:
> > >
> > > On Tue, Sep 20, 2022 at 5:58 PM Noah Goldstein <goldstein.w.n@gmail.com> wrote:
> > > >
> > > > Previous implementation was adjusting length (rsi) to match
> > > > bytes (eax), but since there is no bound to length this can cause
> > > > overflow.
> > > >
> > > > Fix is to just convert the byte-count (eax) to length by dividing by
> > > > sizeof (wchar_t) before the comparison.
> > > >
> > > > Full check passes on x86-64 and build succeeds w/ and w/o multiarch.
> > > > ---
> > > >  string/test-strnlen.c                  | 70 +++++++++++++++-----------
> > > >  sysdeps/x86_64/multiarch/strlen-avx2.S |  7 +--
> > > >  2 files changed, 43 insertions(+), 34 deletions(-)
> > > >
> > > > diff --git a/string/test-strnlen.c b/string/test-strnlen.c
> > > > index 4a9375112a..5cbaf4b734 100644
> > > > --- a/string/test-strnlen.c
> > > > +++ b/string/test-strnlen.c
> > > > @@ -73,7 +73,7 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char)
> > > >  {
> > > >    size_t i;
> > > >
> > > > -  align &= 63;
> > > > +  align &= (getpagesize () / sizeof (CHAR) - 1);
> > > >    if ((align + len) * sizeof (CHAR) >= page_size)
> > > >      return;
> > > >
> > > > @@ -90,38 +90,50 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char)
> > > >  static void
> > > >  do_overflow_tests (void)
> > > >  {
> > > > -  size_t i, j, len;
> > > > +  size_t i, j, al_idx, repeats, len;
> > > >    const size_t one = 1;
> > > >    uintptr_t buf_addr = (uintptr_t) buf1;
> > > > +  const size_t alignments[] = { 0, 1, 7, 9, 31, 33, 63, 65, 95, 97, 127, 129 };
> > > >
> > > > -  for (i = 0; i < 750; ++i)
> > > > +  for (al_idx = 0; al_idx < sizeof (alignments) / sizeof (alignments[0]);
> > > > +       al_idx++)
> > > >      {
> > > > -      do_test (1, i, SIZE_MAX, BIG_CHAR);
> > > > -
> > > > -      do_test (0, i, SIZE_MAX - i, BIG_CHAR);
> > > > -      do_test (0, i, i - buf_addr, BIG_CHAR);
> > > > -      do_test (0, i, -buf_addr - i, BIG_CHAR);
> > > > -      do_test (0, i, SIZE_MAX - buf_addr - i, BIG_CHAR);
> > > > -      do_test (0, i, SIZE_MAX - buf_addr + i, BIG_CHAR);
> > > > -
> > > > -      len = 0;
> > > > -      for (j = 8 * sizeof(size_t) - 1; j ; --j)
> > > > -        {
> > > > -          len |= one << j;
> > > > -          do_test (0, i, len - i, BIG_CHAR);
> > > > -          do_test (0, i, len + i, BIG_CHAR);
> > > > -          do_test (0, i, len - buf_addr - i, BIG_CHAR);
> > > > -          do_test (0, i, len - buf_addr + i, BIG_CHAR);
> > > > -
> > > > -          do_test (0, i, ~len - i, BIG_CHAR);
> > > > -          do_test (0, i, ~len + i, BIG_CHAR);
> > > > -          do_test (0, i, ~len - buf_addr - i, BIG_CHAR);
> > > > -          do_test (0, i, ~len - buf_addr + i, BIG_CHAR);
> > > > -
> > > > -          do_test (0, i, -buf_addr, BIG_CHAR);
> > > > -          do_test (0, i, j - buf_addr, BIG_CHAR);
> > > > -          do_test (0, i, -buf_addr - j, BIG_CHAR);
> > > > -        }
> > > > +      for (repeats = 0; repeats < 2; ++repeats)
> > > > +       {
> > > > +         size_t align = repeats ? (getpagesize () - alignments[al_idx])
> > > > +                                : alignments[al_idx];
> > > > +         align /= sizeof (CHAR);
> > > > +         for (i = 0; i < 750; ++i)
> > > > +           {
> > > > +             do_test (align, i, SIZE_MAX, BIG_CHAR);
> > > > +
> > > > +             do_test (align, i, SIZE_MAX - i, BIG_CHAR);
> > > > +             do_test (align, i, i - buf_addr, BIG_CHAR);
> > > > +             do_test (align, i, -buf_addr - i, BIG_CHAR);
> > > > +             do_test (align, i, SIZE_MAX - buf_addr - i, BIG_CHAR);
> > > > +             do_test (align, i, SIZE_MAX - buf_addr + i, BIG_CHAR);
> > > > +
> > > > +             len = 0;
> > > > +             for (j = 8 * sizeof (size_t) - 1; j; --j)
> > > > +               {
> > > > +                 len |= one << j;
> > > > +                 do_test (align, i, len, BIG_CHAR);
> > > > +                 do_test (align, i, len - i, BIG_CHAR);
> > > > +                 do_test (align, i, len + i, BIG_CHAR);
> > > > +                 do_test (align, i, len - buf_addr - i, BIG_CHAR);
> > > > +                 do_test (align, i, len - buf_addr + i, BIG_CHAR);
> > > > +
> > > > +                 do_test (align, i, ~len - i, BIG_CHAR);
> > > > +                 do_test (align, i, ~len + i, BIG_CHAR);
> > > > +                 do_test (align, i, ~len - buf_addr - i, BIG_CHAR);
> > > > +                 do_test (align, i, ~len - buf_addr + i, BIG_CHAR);
> > > > +
> > > > +                 do_test (align, i, -buf_addr, BIG_CHAR);
> > > > +                 do_test (align, i, j - buf_addr, BIG_CHAR);
> > > > +                 do_test (align, i, -buf_addr - j, BIG_CHAR);
> > > > +               }
> > > > +           }
> > > > +       }
> > > >      }
> > > >  }
> > > >
> > > > diff --git a/sysdeps/x86_64/multiarch/strlen-avx2.S b/sysdeps/x86_64/multiarch/strlen-avx2.S
> > > > index 0593fb303b..b9b58ef599 100644
> > > > --- a/sysdeps/x86_64/multiarch/strlen-avx2.S
> > > > +++ b/sysdeps/x86_64/multiarch/strlen-avx2.S
> > > > @@ -544,14 +544,11 @@ L(return_vzeroupper):
> > > >  L(cross_page_less_vec):
> > > >         tzcntl  %eax, %eax
> > > >  #  ifdef USE_AS_WCSLEN
> > > > -       /* NB: Multiply length by 4 to get byte count.  */
> > > > -       sall    $2, %esi
> > > > +       /* NB: Divide by 4 to convert from byte-count to length.  */
> > > > +       shrl    $2, %eax
> > > >  #  endif
> > > >         cmpq    %rax, %rsi
> > > >         cmovb   %esi, %eax
> > > > -#  ifdef USE_AS_WCSLEN
> > > > -       shrl    $2, %eax
> > > > -#  endif
> > > >         VZEROUPPER_RETURN
> > > >  # endif
> > > >
> > > > --
> > > > 2.34.1
> > > >
> > >
> > > LGTM.
> > >
> > > Thanks.
> > >
> > > --
> > > H.J.
> >
> > I would like to backport this patch to affected release branches  from
> > 2.36 to 2.33.
> >
> > Any comments/suggestions or objections on this.
> >
>
> OK.
>
> Thanks.
>
>
> --
> H.J.

Just ran testing from 2.32 to 2.26. All of them have this issue.

Ok for 2.32 to 2.26 branches?

--Sunil