Message ID | 20230221190612.2034413-1-adhemerval.zanella@linaro.org |
Series | string: Fix OOB read on generic strncmp | expand |
The 02/21/2023 16:06, Adhemerval Zanella wrote:
> For unaligned case, reading ahead can only be done if parting reads
> matches the aligned input.
>
> Also extend the stratcliff tests to check such cases.
>
> Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
> and powerpc-linux-gnu by removing the arch-specific assembly
> implementation and disabling multi-arch (it covers both LE and BE
> for 64 and 32 bits).
> ---
> string/stratcliff.c | 17 +++++++++++++++++
> string/strncmp.c | 13 ++++++++++++-
> 2 files changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/string/stratcliff.c b/string/stratcliff.c
> index 74d64cc03d..864d856921 100644
> --- a/string/stratcliff.c
> +++ b/string/stratcliff.c
> @@ -409,6 +409,23 @@ do_test (void)
> }
> }
>
> + for (outer = 1; outer < 32; ++outer)
> + for (middle = 0; middle < 16; ++middle)
> + {
> + MEMSET (adr + middle, L('T'), 256);
> + adr[256] = L('\0');
> + MEMSET (dest + nchars - outer, L('T'), outer - 1);
> + dest[nchars - outer] = L('U');
> +
> + if (STRNCMP (adr + middle, &dest[nchars - middle - 1], outer) > 0)
> + {
> + printf ("%s 1 flunked for outer = %zu, middle = %zu, "
> + "inner = %zu\n",
> + STRINGIFY (STRNCMP), outer, middle, inner);
> + result = 1;
> + }
> + }
> +
this depends on dest[nchars-1] != 'T' when outer > middle+1 and dest[nchars-middle-1] <= 'T' when outer < middle which is not clear from the context. below the existing if (STRNCMP (adr + middle, dest + nchars - outer, outer) >= 0) ... i'd just add if (STRNCMP (adr + middle, dest + nchars - outer, outer + 99) >= 0) ... and then with flipped args too.
> diff --git a/string/strncmp.c b/string/strncmp.c
> index 4c8bf36bb9..751bf53d55 100644
> --- a/string/strncmp.c
> +++ b/string/strncmp.c
> @@ -73,7 +73,11 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs,
> uintptr_t sh_2 = sizeof(op_t) * CHAR_BIT - sh_1;
>
> op_t w2 = MERGE (w2a, sh_1, (op_t)-1, sh_2);
> - if (!has_zero (w2) && n > (sizeof (op_t) - ofs))
> +
> + /* Reading ahead is wrong if w1 and w2 already differs. */
> + op_t w1a = MERGE (w1, 0, (op_t)-1, sh_2);
> +
> + if (!has_zero (w2) && w2 == w1a && n >= (sizeof (op_t) - ofs))
> {
> op_t w2b;
>
> @@ -90,6 +94,13 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs,
> if (has_zero (w2b) || n <= (sizeof (op_t) - ofs))
> break;
> w1 = *x1++;
> +
> + /* Reading ahead is wrong if w1 and w2 already differs. */
> + w2 = MERGE (w2b, sh_1, (op_t)-1, sh_2);
> + w1a = MERGE (w1, 0, (op_t)-1, sh_2);
> + if (w2 != w1a)
> + return final_cmp (w1a, w2, n);
> +
> w2a = w2b;
> }
i have difficulty following this code, but it looks ok to me.
diff --git a/string/stratcliff.c b/string/stratcliff.c
index 74d64cc03d..864d856921 100644
--- a/string/stratcliff.c
+++ b/string/stratcliff.c
@@ -409,6 +409,23 @@ do_test (void)
 }
 }
 
+ for (outer = 1; outer < 32; ++outer)
+ for (middle = 0; middle < 16; ++middle)
+ {
+ MEMSET (adr + middle, L('T'), 256);
+ adr[256] = L('\0');
+ MEMSET (dest + nchars - outer, L('T'), outer - 1);
+ dest[nchars - outer] = L('U');
+
+ if (STRNCMP (adr + middle, &dest[nchars - middle - 1], outer) > 0)
+ {
+ printf ("%s 1 flunked for outer = %zu, middle = %zu, "
+ "inner = %zu\n",
+ STRINGIFY (STRNCMP), outer, middle, inner);
+ result = 1;
+ }
+ }
+
 /* strncpy/wcsncpy tests */
 adr[nchars - 1] = L('T');
 for (outer = nchars; outer >= max128; --outer)
diff --git a/string/strncmp.c b/string/strncmp.c
index 4c8bf36bb9..751bf53d55 100644
--- a/string/strncmp.c
+++ b/string/strncmp.c
@@ -73,7 +73,11 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs,
 uintptr_t sh_2 = sizeof(op_t) * CHAR_BIT - sh_1;
 
 op_t w2 = MERGE (w2a, sh_1, (op_t)-1, sh_2);
- if (!has_zero (w2) && n > (sizeof (op_t) - ofs))
+
+ /* Reading ahead is wrong if w1 and w2 already differs. */
+ op_t w1a = MERGE (w1, 0, (op_t)-1, sh_2);
+
+ if (!has_zero (w2) && w2 == w1a && n >= (sizeof (op_t) - ofs))
 {
 op_t w2b;
 
@@ -90,6 +94,13 @@ strncmp_unaligned_loop (const op_t *x1, const op_t *x2, op_t w1, uintptr_t ofs,
 if (has_zero (w2b) || n <= (sizeof (op_t) - ofs))
 break;
 w1 = *x1++;
+
+ /* Reading ahead is wrong if w1 and w2 already differs. */
+ w2 = MERGE (w2b, sh_1, (op_t)-1, sh_2);
+ w1a = MERGE (w1, 0, (op_t)-1, sh_2);
+ if (w2 != w1a)
+ return final_cmp (w1a, w2, n);
+
 w2a = w2b;
 }
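Review bot: The failure message in the new stratcliff loop prints `inner`, but nothing in this loop assigns it, so the value shown is whatever an earlier loop of do_test (which starts before this hunk) left behind and will only mislead whoever debugs a flunk. Report just the two variables that define the case: `printf ("%s 1 flunked for outer = %zu, middle = %zu\n",` followed by `STRINGIFY (STRNCMP), outer, middle);`. The loop also has no comment saying what it is for; since the second argument is placed middle + 1 bytes before the end of dest, it presumably exercises the read-ahead against a string that ends at the page boundary, and a one-line comment such as `/* x2 ends at the page boundary; a mismatch inside the partial word must not make the unaligned loop read the next word of x2.  */` would make that explicit (please adjust if the intent is different).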
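Review bot: The entry guard in the first strncmp.c hunk changes the removed `n > (sizeof (op_t) - ofs)` to `n >= (sizeof (op_t) - ofs)`, and that admits n == sizeof (op_t) - ofs, the case where the n bytes of x2 the caller must make readable end exactly at x2's next word boundary; entering the loop there means the read-ahead loads that next word (the loop head is outside this hunk, but the bottom-of-loop check in the second hunk still breaks on `n <= (sizeof (op_t) - ofs)`, so the two bounds no longer agree). As far as I can tell from the removed line, the pre-patch code took the fallthrough final_cmp path for that case without another load, and with the new `w2 == w1a` test the partial word is already known to match, so I would keep `if (!has_zero (w2) && w2 == w1a && n > (sizeof (op_t) - ofs))`. If the relaxation is intentional the commit message should say why, and stratcliff should get a case where x2's n bytes end at a page boundary and equal x1's prefix, which the new loop does not produce because `dest[nchars - outer]` is always the differing 'U' there. Minor: `already differs` should be `already differ` in the new comment.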
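Review bot: The comment added in the second strncmp.c hunk, `/* Reading ahead is wrong if w1 and w2 already differs. */`, is a verbatim copy of the one from the first hunk and does not explain what the two MERGE lines under it compute, which is the part a reader has to reconstruct (the enclosing while loop starts before this hunk). By analogy with the first hunk, `MERGE (w2b, sh_1, (op_t)-1, sh_2)` keeps the bytes of w2b that have not yet been compared against x1 and pads the rest with ones, and `MERGE (w1, 0, (op_t)-1, sh_2)` masks the freshly loaded w1 the same way, so the comparison covers only the bytes of x1 already in hand; I would say that in the comment, e.g. `/* w2b still holds bytes of x2 that were not part of the last compare; check them against the matching prefix of the new w1 (both padded with ones) and stop here on a mismatch, so the next iteration never loads a word of x2 past it.  */`, and fix `differs` → `differ`. A short remark on why final_cmp is handed the padded `w1a` rather than `w1` would also help: the padding is identical in both operands, so the first differing byte lies inside the compared prefix either way, if that is indeed how final_cmp locates it.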