public inbox for libc-stable@sourceware.org
 help / color / mirror / Atom feed
* Re: [PATCH v3 1/3] String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974]
       [not found]     ` <CAFUsyfJybFaCywcCKgZNkosdFdJm0Lqn18P3fZeWQR1uxnnK_g@mail.gmail.com>
@ 2022-01-27 21:06       ` H.J. Lu
  0 siblings, 0 replies; only message in thread
From: H.J. Lu @ 2022-01-27 21:06 UTC (permalink / raw)
  To: Noah Goldstein, Libc-stable Mailing List
  Cc: GNU C Library, Carlos O'Donell

On Wed, Jun 23, 2021 at 11:30 AM Noah Goldstein <goldstein.w.n@gmail.com> wrote:
>
>
>
> On Wed, Jun 23, 2021 at 1:30 PM H.J. Lu <hjl.tools@gmail.com> wrote:
>>
>> On Tue, Jun 22, 2021 at 11:32 PM Noah Goldstein <goldstein.w.n@gmail.com> wrote:
>> >
>> > This commit adds tests for a bug in the wide char variant of the
>> > functions where the implementation may assume that maxlen for wcsnlen
>> > or n for wmemchr/strncat will not overflow when multiplied by
>> > sizeof(wchar_t).
>> >
>> > These tests show the following implementations failing on x86_64:
>> >
>> > wcsnlen-sse4_1
>> > wcsnlen-avx2
>> >
>> > wmemchr-sse2
>> > wmemchr-avx2
>> >
>> > strncat would fail as well if it where on a system that prefered
>> > either of the wcsnlen implementations that failed as it relies on
>> > wcsnlen.
>> >
>> > Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
>> > ---
>> > Rebased on: [PATCH v1 1/4] x86-64: Add wcslen optimize for sse4.1
>> >  string/test-memchr.c  | 39 ++++++++++++++++++++++++---
>> >  string/test-strncat.c | 61 +++++++++++++++++++++++++++++++++++++++++++
>> >  string/test-strnlen.c | 33 +++++++++++++++++++++++
>> >  3 files changed, 130 insertions(+), 3 deletions(-)
>> >
>> > diff --git a/string/test-memchr.c b/string/test-memchr.c
>> > index 665edc32af..ce964284aa 100644
>> > --- a/string/test-memchr.c
>> > +++ b/string/test-memchr.c
>> > @@ -65,8 +65,8 @@ do_one_test (impl_t *impl, const CHAR *s, int c, size_t n, CHAR *exp_res)
>> >    CHAR *res = CALL (impl, s, c, n);
>> >    if (res != exp_res)
>> >      {
>> > -      error (0, 0, "Wrong result in function %s %p %p", impl->name,
>> > -            res, exp_res);
>> > +      error (0, 0, "Wrong result in function %s (%p, %d, %zu) -> %p != %p",
>> > +             impl->name, s, c, n, res, exp_res);
>> >        ret = 1;
>> >        return;
>> >      }
>> > @@ -91,7 +91,7 @@ do_test (size_t align, size_t pos, size_t len, size_t n, int seek_char)
>> >      }
>> >    buf[align + len] = 0;
>> >
>> > -  if (pos < len)
>> > +  if (pos < MIN(n, len))
>> >      {
>> >        buf[align + pos] = seek_char;
>> >        buf[align + len] = -seek_char;
>> > @@ -107,6 +107,38 @@ do_test (size_t align, size_t pos, size_t len, size_t n, int seek_char)
>> >      do_one_test (impl, (CHAR *) (buf + align), seek_char, n, result);
>> >  }
>> >
>> > +static void
>> > +do_overflow_tests (void)
>> > +{
>> > +  size_t i, j, len;
>> > +  const size_t one = 1;
>> > +  uintptr_t buf_addr = (uintptr_t) buf1;
>> > +
>> > +  for (i = 0; i < 750; ++i)
>> > +    {
>> > +        do_test (0, i, 751, SIZE_MAX - i, BIG_CHAR);
>> > +        do_test (0, i, 751, i - buf_addr, BIG_CHAR);
>> > +        do_test (0, i, 751, -buf_addr - i, BIG_CHAR);
>> > +        do_test (0, i, 751, SIZE_MAX - buf_addr - i, BIG_CHAR);
>> > +        do_test (0, i, 751, SIZE_MAX - buf_addr + i, BIG_CHAR);
>> > +
>> > +      len = 0;
>> > +      for (j = 8 * sizeof(size_t) - 1; j ; --j)
>> > +        {
>> > +          len |= one << j;
>> > +          do_test (0, i, 751, len - i, BIG_CHAR);
>> > +          do_test (0, i, 751, len + i, BIG_CHAR);
>> > +          do_test (0, i, 751, len - buf_addr - i, BIG_CHAR);
>> > +          do_test (0, i, 751, len - buf_addr + i, BIG_CHAR);
>> > +
>> > +          do_test (0, i, 751, ~len - i, BIG_CHAR);
>> > +          do_test (0, i, 751, ~len + i, BIG_CHAR);
>> > +          do_test (0, i, 751, ~len - buf_addr - i, BIG_CHAR);
>> > +          do_test (0, i, 751, ~len - buf_addr + i, BIG_CHAR);
>> > +        }
>> > +    }
>> > +}
>> > +
>> >  static void
>> >  do_random_tests (void)
>> >  {
>> > @@ -221,6 +253,7 @@ test_main (void)
>> >      do_test (page_size / 2 - i, i, i, 1, 0x9B);
>> >
>> >    do_random_tests ();
>> > +  do_overflow_tests ();
>> >    return ret;
>> >  }
>> >
>> > diff --git a/string/test-strncat.c b/string/test-strncat.c
>> > index 2ef917b820..37ea26ea05 100644
>> > --- a/string/test-strncat.c
>> > +++ b/string/test-strncat.c
>> > @@ -134,6 +134,66 @@ do_test (size_t align1, size_t align2, size_t len1, size_t len2,
>> >      }
>> >  }
>> >
>> > +static void
>> > +do_overflow_tests (void)
>> > +{
>> > +  size_t i, j, len;
>> > +  const size_t one = 1;
>> > +  CHAR *s1, *s2;
>> > +  uintptr_t s1_addr;
>> > +  s1 = (CHAR *) buf1;
>> > +  s2 = (CHAR *) buf2;
>> > +  s1_addr = (uintptr_t)s1;
>> > + for (j = 0; j < 200; ++j)
>> > +      s2[j] = 32 + 23 * j % (BIG_CHAR - 32);
>> > + s2[200] = 0;
>> > +  for (i = 0; i < 750; ++i) {
>> > +    for (j = 0; j < i; ++j)
>> > +      s1[j] = 32 + 23 * j % (BIG_CHAR - 32);
>> > +    s1[i] = '\0';
>> > +
>> > +       FOR_EACH_IMPL (impl, 0)
>> > +    {
>> > +      s2[200] = '\0';
>> > +      do_one_test (impl, s2, s1, SIZE_MAX - i);
>> > +      s2[200] = '\0';
>> > +      do_one_test (impl, s2, s1, i - s1_addr);
>> > +      s2[200] = '\0';
>> > +      do_one_test (impl, s2, s1, -s1_addr - i);
>> > +      s2[200] = '\0';
>> > +      do_one_test (impl, s2, s1, SIZE_MAX - s1_addr - i);
>> > +      s2[200] = '\0';
>> > +      do_one_test (impl, s2, s1, SIZE_MAX - s1_addr + i);
>> > +    }
>> > +
>> > +    len = 0;
>> > +    for (j = 8 * sizeof(size_t) - 1; j ; --j)
>> > +      {
>> > +        len |= one << j;
>> > +        FOR_EACH_IMPL (impl, 0)
>> > +          {
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, len - i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, len + i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, len - s1_addr - i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, len - s1_addr + i);
>> > +
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, ~len - i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, ~len + i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, ~len - s1_addr - i);
>> > +            s2[200] = '\0';
>> > +            do_one_test (impl, s2, s1, ~len - s1_addr + i);
>> > +          }
>> > +      }
>> > +  }
>> > +}
>> > +
>> >  static void
>> >  do_random_tests (void)
>> >  {
>> > @@ -316,6 +376,7 @@ test_main (void)
>> >      }
>> >
>> >    do_random_tests ();
>> > +  do_overflow_tests ();
>> >    return ret;
>> >  }
>> >
>> > diff --git a/string/test-strnlen.c b/string/test-strnlen.c
>> > index 920f58e97b..f53e09263f 100644
>> > --- a/string/test-strnlen.c
>> > +++ b/string/test-strnlen.c
>> > @@ -89,6 +89,38 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char)
>> >      do_one_test (impl, (CHAR *) (buf + align), maxlen, MIN (len, maxlen));
>> >  }
>> >
>> > +static void
>> > +do_overflow_tests (void)
>> > +{
>> > +  size_t i, j, len;
>> > +  const size_t one = 1;
>> > +  uintptr_t buf_addr = (uintptr_t) buf1;
>> > +
>> > +  for (i = 0; i < 750; ++i)
>> > +    {
>> > +      do_test (0, i, SIZE_MAX - i, BIG_CHAR);
>> > +      do_test (0, i, i - buf_addr, BIG_CHAR);
>> > +      do_test (0, i, -buf_addr - i, BIG_CHAR);
>> > +      do_test (0, i, SIZE_MAX - buf_addr - i, BIG_CHAR);
>> > +      do_test (0, i, SIZE_MAX - buf_addr + i, BIG_CHAR);
>> > +
>> > +      len = 0;
>> > +      for (j = 8 * sizeof(size_t) - 1; j ; --j)
>> > +        {
>> > +          len |= one << j;
>> > +          do_test (0, i, len - i, BIG_CHAR);
>> > +          do_test (0, i, len + i, BIG_CHAR);
>> > +          do_test (0, i, len - buf_addr - i, BIG_CHAR);
>> > +          do_test (0, i, len - buf_addr + i, BIG_CHAR);
>> > +
>> > +          do_test (0, i, ~len - i, BIG_CHAR);
>> > +          do_test (0, i, ~len + i, BIG_CHAR);
>> > +          do_test (0, i, ~len - buf_addr - i, BIG_CHAR);
>> > +          do_test (0, i, ~len - buf_addr + i, BIG_CHAR);
>> > +        }
>> > +    }
>> > +}
>> > +
>> >  static void
>> >  do_random_tests (void)
>> >  {
>> > @@ -283,6 +315,7 @@ test_main (void)
>> >    do_random_tests ();
>> >    do_page_tests ();
>> >    do_page_2_tests ();
>> > +  do_overflow_tests ();
>> >    return ret;
>> >  }
>> >
>> > --
>> > 2.25.1
>> >
>>
>> LGTM.
>>
>> Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
>>
>> Thanks.
>>
>> --
>> H.J.
>
>
> Pushed and closed the bug report (left comment in bug report with the commits).

I am backporting this patch set to release branches, including their dependency
patches.

-- 
H.J.

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2022-01-27 21:06 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20210609205257.123944-1-goldstein.w.n@gmail.com>
     [not found] ` <20210623063149.1167067-1-goldstein.w.n@gmail.com>
     [not found]   ` <CAMe9rOq2pMOO6V0X1M1EhT5yt50_VZ713WyM8MtBq4qSmmnLow@mail.gmail.com>
     [not found]     ` <CAFUsyfJybFaCywcCKgZNkosdFdJm0Lqn18P3fZeWQR1uxnnK_g@mail.gmail.com>
2022-01-27 21:06       ` [PATCH v3 1/3] String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974] H.J. Lu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).