To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Robert Clausecker
Subject: git: 66eb78377bf1 - main - libc/amd64: fix overread conditions in stpncpy()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fuz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 66eb78377bf109af1d9e25626bf254b4369436ec
Auto-Submitted: auto-generated
Date: Sun, 14 Dec 2025 16:08:17 +0000
Message-Id: <693ee0f1.3662d.650a5e21@gitrepo.freebsd.org>

The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/src/commit/?id=66eb78377bf109af1d9e25626bf254b4369436ec

commit 66eb78377bf109af1d9e25626bf254b4369436ec
Author:     Robert Clausecker
AuthorDate: 2025-12-10 20:45:18 +0000
Commit:     Robert Clausecker
CommitDate: 2025-12-14 16:06:05 +0000

    libc/amd64: fix overread conditions in stpncpy()

    Due to incorrect unit test design, two overread conditions went
    undetected in the amd64 baseline stpncpy() implementation.
    For buffers of 1--16 and 32 bytes that do not contain nul bytes
    and end exactly at a page boundary, the code would incorrectly
    read 16 bytes from the next page, possibly crossing into an
    unmapped page and crashing the program. If the next page was
    mapped, the code would then proceed with the expected behaviour
    of the stpncpy() function.

Three changes were made to fix the bug: - an off-by-one error is fixed in the code deciding whether to enter the runt case or not, entering it for 0 Reviewed by: getz Approved by: markj (mentor) MFC after: 1 week Fixes: 90253d49db09a9b1490c448d05314f3e4bbfa468 (D42519) Differential Revision: https://reviews.freebsd.org/D54170 --- lib/libc/amd64/string/stpncpy.S | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/libc/amd64/string/stpncpy.S b/lib/libc/amd64/string/stpncpy.S index 5ce0dd093a9e..df22bb9f0c53 100644 --- a/lib/libc/amd64/string/stpncpy.S +++ b/lib/libc/amd64/string/stpncpy.S @@ -100,7 +100,7 @@ ARCHENTRY(__stpncpy, baseline) movdqa (%rsi), %xmm0 # load head and $0xf, %ecx # offset from alignment mov $-1, %r9d - lea -32(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 + lea -33(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 shl %cl, %r9d # mask of bytes belonging to the string sub %rcx, %rdi # adjust RDI to correspond to RSI pxor %xmm1, %xmm1 @@ -223,8 +223,9 @@ ARCHENTRY(__stpncpy, baseline) /* 1--32 bytes to copy, bounce through the stack */ .Lrunt: movdqa %xmm1, bounce+16(%rsp) # clear out rest of on-stack copy - bts %r10d, %r8d # treat end of buffer as end of string - and %r9w, %r8w # end of string within first buffer? + bts %r10, %r8 # treat end of buffer as end of string + and %r9d, %r8d # mask out head before string + test $0x1ffff, %r8d # end of string within first chunk or right after? jnz 0f # if yes, do not inspect second buffer movdqa 16(%rsi), %xmm0 # load second chunk of input
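
Review bot: in the first hunk, the comment on the changed `lea` still reads "set up overflow-proof comparison rdx+rcx<=32" although the displacement moved from -32 to -33, so the constant and its comment no longer visibly agree. Please update the comment to state which bound the comparison set up in %rax enforces after this change and why the bias is 33 rather than 32, so that a later reader does not "correct" it back. The commit message calls this an off-by-one in the decision to enter the runt case, and that reasoning belongs next to the instruction.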
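
Review bot: in .Lrunt, the new `test $0x1ffff, %r8d` introduces an unexplained 17-bit mask, and the `bts` is widened to 64-bit operands while the `and` that follows is only 32-bit. Writing %r8d zero-extends into %r8, so any bit that `bts %r10, %r8` sets at index 32 or above is cleared again by `and %r9d, %r8d` before the test; if that is the intent, the comment should say so and give the range %r10 can take here, because with register operands `bts` takes the bit index modulo the operand size and that wraparound is what differs between the old and new forms. If, as the new comment suggests, bits 0 to 15 stand for the first chunk and bit 16 for the byte right after it, spelling that out would make the constant reviewable. The diffstat shows only stpncpy.S touched; since the commit message attributes the miss to unit test design, a regression test with the source ending at a page boundary should accompany this change.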
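
A regression check for the condition the commit message describes, as an added example that is not part of the FreeBSD commit or its test suite: it places a nul-free source so that it ends exactly at a page boundary, maps the next page PROT_NONE, and runs stpncpy() in a child so that an overread shows up as a signal. The helper names `check_len` and `overread_failures`, the fill bytes, and the 1 to 48 length sweep (wider than the 1--16 and 32 byte cases named above) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Constructed test: copy an n-byte, nul-free source whose last byte is the
 * last byte of a page, with the following page inaccessible.
 * Returns 0 if stpncpy() behaved, 1 on a wrong result, 2 if the child was
 * killed by a signal (it read past the buffer), -1 on setup failure.
 */
static int check_len(size_t n)
{
	long pg = sysconf(_SC_PAGESIZE);
	char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON, -1, 0);
	if (map == MAP_FAILED || mprotect(map + pg, pg, PROT_NONE) != 0)
		return (-1);
	char *src = map + pg - n;	/* buffer ends at the page boundary */
	memset(src, 'x', n);		/* no nul byte anywhere in src */

	pid_t pid = fork();
	if (pid < 0)
		return (-1);
	if (pid == 0) {			/* a fault only kills the child */
		char dst[64];
		memset(dst, '#', sizeof(dst));
		char *end = stpncpy(dst, src, n);
		/* no nul in src: returns dst + n and writes exactly n bytes */
		_exit(end == dst + n && memcmp(dst, src, n) == 0 &&
		    dst[n] == '#' ? 0 : 1);
	}
	int st;
	if (waitpid(pid, &st, 0) < 0)
		return (-1);
	munmap(map, 2 * pg);
	return (WIFSIGNALED(st) ? 2 : WEXITSTATUS(st));
}

/* Sweep lengths around the sizes the commit message names. */
int overread_failures(void)
{
	int bad = 0;
	for (size_t n = 1; n <= 48; n++)
		if (check_len(n) != 0) { printf("n=%zu fails\n", n); bad++; }
	return (bad);
}

int main(void) { return (overread_failures() != 0); }
```

The check exercises whichever stpncpy() the C library linked at run time provides, so it only says something about the amd64 baseline routine when run on a system that uses it.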