Message ID | 20210629093728.2335496-1-stli@linux.ibm.com |
---|---|
State | New |
Series | s390: Fix MEMCHR_Z900_G5 ifunc-variant if n>=0x80000000 [BZ #28024] |
On 29/06/2021 11:37, Stefan Liebler wrote: > On s390 (31bit), the pointer to the first byte after s always wraps > around with n >= 0x80000000 and can lead to stop searching before > end of s. > > Thus this patch just use NULL as byte after s in this case and > the srst instruction stops searching with "not found" when wrapping > around from top address to zero. > > This is observable with testcase string/test-memchr > starting with commit "String: Add overflow tests for strnlen, memchr, > and strncat [BZ #27974]" > https://sourceware.org/git/?p=glibc.git;a=commit;h=da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d > --- > sysdeps/s390/memchr-z900.S | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/sysdeps/s390/memchr-z900.S b/sysdeps/s390/memchr-z900.S > index 90b8a32dd6..72fd9e023f 100644 > --- a/sysdeps/s390/memchr-z900.S > +++ b/sysdeps/s390/memchr-z900.S > @@ -44,12 +44,25 @@ ENTRY(MEMCHR_Z900_G5) > LGHI %r0,0xff > NGR %r0,%r3 > LGR %r1,%r2 > +# if ! defined __s390x__ > + tmlh %r4,32768 > + jo 3f /* Jump away if n >= 0x80000000 */ > +# endif > la %r2,0(%r4,%r1) > 0: srst %r2,%r1 > jo 0b > brc 13,1f > SLGR %r2,%r2 > 1: br %r14 > +# if ! defined __s390x__ > + /* On s390 (31bit), the pointer to the first byte after s (stored in > + r2) always wraps around with n >= 0x80000000 and can lead to stop > + searching before end of s. Thus just use r2=0 in this case. > + If r2 < r1, the srst instruction stops searching with cc=2 "not > + found" when wrapping around from top address to zero. */ > +3: SLGR %r2,%r2 > + j 0b > +# endif > END(MEMCHR_Z900_G5) > > # if ! HAVE_MEMCHR_IFUNC > Committed and closed the bugzilla.
diff --git a/sysdeps/s390/memchr-z900.S b/sysdeps/s390/memchr-z900.S index 90b8a32dd6..72fd9e023f 100644 --- a/sysdeps/s390/memchr-z900.S +++ b/sysdeps/s390/memchr-z900.S @@ -44,12 +44,25 @@ ENTRY(MEMCHR_Z900_G5) LGHI %r0,0xff NGR %r0,%r3 LGR %r1,%r2 +# if ! defined __s390x__ + tmlh %r4,32768 + jo 3f /* Jump away if n >= 0x80000000 */ +# endif la %r2,0(%r4,%r1) 0: srst %r2,%r1 jo 0b brc 13,1f SLGR %r2,%r2 1: br %r14 +# if ! defined __s390x__ + /* On s390 (31bit), the pointer to the first byte after s (stored in + r2) always wraps around with n >= 0x80000000 and can lead to stop + searching before end of s. Thus just use r2=0 in this case. + If r2 < r1, the srst instruction stops searching with cc=2 "not + found" when wrapping around from top address to zero. */ +3: SLGR %r2,%r2 + j 0b +# endif END(MEMCHR_Z900_G5) # if ! HAVE_MEMCHR_IFUNC
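Review bot: In the first added block, `tmlh %r4,32768` writes the mask in decimal while the comment beside it and the commit message both speak of n >= 0x80000000; `tmlh %r4,0x8000` would make it obvious that the test is on the top bit of the 32-bit length. The rationale comment sits only at label 3, after `br %r14`, so a reader at the test site sees just "Jump away if n >= 0x80000000"; consider moving the explanation up to the check or pointing to label 3 from there. The comment could also say explicitly why lengths below 0x80000000 whose end pointer wraps need no separate path: its "If r2 < r1" sentence suggests the `la` result already covers them, but that is left for the reader to infer.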