From: Robert Clausecker
Subject: git: b49401c0bd4c - stable/15 - libc/amd64: fix overread conditions in stpncpy()
Date: Sun, 04 Jan 2026 13:23:59 +0000
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: fuz
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: b49401c0bd4c2af16cee0561f6a9b90e6349193b

The branch stable/15 has been updated by fuz:

URL: https://cgit.FreeBSD.org/src/commit/?id=b49401c0bd4c2af16cee0561f6a9b90e6349193b

commit b49401c0bd4c2af16cee0561f6a9b90e6349193b
Author:     Robert Clausecker
AuthorDate: 2025-12-10 20:45:18 +0000
Commit:     Robert Clausecker
CommitDate: 2026-01-04 13:22:50 +0000

libc/amd64: fix overread conditions in stpncpy()

Due to incorrect unit test design, two overread conditions went
undetected in the amd64 baseline stpncpy() implementation.
For buffers of 1--16 and 32 bytes that do not contain nul bytes
and end exactly at a page boundary, the code would incorrectly read
16 bytes from the next page, possibly crossing into an unmapped page
and crashing the program. If the next page was mapped, the code
would then proceed with the expected behaviour of the stpncpy()
function.

Three changes were made to fix the bug: - an off-by-one error is fixed in the code deciding whether to enter the runt case or not, entering it for 0 Reviewed by: getz Approved by: markj (mentor) MFC after: 1 week Fixes: 90253d49db09a9b1490c448d05314f3e4bbfa468 (D42519) Differential Revision: https://reviews.freebsd.org/D54170 (cherry picked from commit 66eb78377bf109af1d9e25626bf254b4369436ec) --- lib/libc/amd64/string/stpncpy.S | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/libc/amd64/string/stpncpy.S b/lib/libc/amd64/string/stpncpy.S index 5ce0dd093a9e..df22bb9f0c53 100644 --- a/lib/libc/amd64/string/stpncpy.S +++ b/lib/libc/amd64/string/stpncpy.S @@ -100,7 +100,7 @@ ARCHENTRY(__stpncpy, baseline) movdqa (%rsi), %xmm0 # load head and $0xf, %ecx # offset from alignment mov $-1, %r9d - lea -32(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 + lea -33(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 shl %cl, %r9d # mask of bytes belonging to the string sub %rcx, %rdi # adjust RDI to correspond to RSI pxor %xmm1, %xmm1 @@ -223,8 +223,9 @@ ARCHENTRY(__stpncpy, baseline) /* 1--32 bytes to copy, bounce through the stack */ .Lrunt: movdqa %xmm1, bounce+16(%rsp) # clear out rest of on-stack copy - bts %r10d, %r8d # treat end of buffer as end of string - and %r9w, %r8w # end of string within first buffer? + bts %r10, %r8 # treat end of buffer as end of string + and %r9d, %r8d # mask out head before string + test $0x1ffff, %r8d # end of string within first chunk or right after? jnz 0f # if yes, do not inspect second buffer movdqa 16(%rsi), %xmm0 # load second chunk of input
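
Review bot: The trailing comment on the changed lea line in the first hunk (@@ -100,7 +100,7 @@) still reads "set up overflow-proof comparison rdx+rcx<=32" although the bias moved from -32 to -33, so the comment and the constant now describe different boundaries. Please update the comment to state the condition the runt-case decision actually tests after the off-by-one fix, including whether the bound is inclusive, so that a later reader does not "correct" the constant back to match the comment.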
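
Review bot: In .Lrunt (second hunk, @@ -223,8 +223,9 @@) the new "test $0x1ffff, %r8d" carries the fix in a bare 17-bit constant, and the widening from "bts %r10d, %r8d" to "bts %r10, %r8" is not explained in the code. A short comment would make the invariant reviewable: bit 16 represents an end of string or end of buffer directly after the first 16-byte chunk, and the 64-bit bts presumably avoids the bit index wrapping modulo 32, with the following 32-bit and clearing the upper half of %r8 again. The diffstat lists only stpncpy.S, and the message attributes the miss to unit test design, so a regression test with the source ending at a page boundary in front of an unmapped page should accompany the change.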
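
The overread described in the commit message only becomes visible when the page after the source buffer is inaccessible. The following guard-page harness is an added example, not code from the FreeBSD commit or its test suite; the function name check_stpncpy_page_end and the fill values are hypothetical. It exercises whatever stpncpy() the platform's libc provides.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE		/* stpncpy() and MAP_ANON on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Constructed test: the source ends exactly at a page boundary and the next
 * page is PROT_NONE, so a read past src[len - 1] faults instead of passing.
 * Returns the number of lengths checked, or -1 on setup failure or mismatch.
 */
int
check_stpncpy_page_end(size_t maxlen)
{
	size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
	char dst[256], *map, *src, *end;
	size_t len, i;
	int checked = 0;

	if (maxlen == 0 || maxlen > sizeof(dst) || maxlen > pagesz)
		return (-1);
	map = mmap(NULL, 2 * pagesz, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON, -1, 0);
	if (map == MAP_FAILED)
		return (-1);
	if (mprotect(map + pagesz, pagesz, PROT_NONE) != 0) {
		munmap(map, 2 * pagesz);
		return (-1);
	}
	memset(map, 'x', pagesz);	/* no nul byte anywhere in the source */

	for (len = 1; len <= maxlen && checked >= 0; len++) {
		src = map + pagesz - len;	/* buffer ends at the page end */
		memset(dst, '#', sizeof(dst));
		end = stpncpy(dst, src, len);
		/* No nul within len bytes: all copied, result is dst + len. */
		if (end != dst + len || memcmp(dst, src, len) != 0)
			checked = -1;
		for (i = len; i < sizeof(dst) && checked >= 0; i++)
			if (dst[i] != '#')	/* nothing written past len */
				checked = -1;
		if (checked >= 0)
			checked++;
	}
	munmap(map, 2 * pagesz);
	return (checked);
}

int
main(void)
{
	return (check_stpncpy_page_end(64) == 64 ? 0 : 1);
}
```

An implementation that reads beyond the buffer terminates with SIGSEGV in this harness rather than returning, which is the signal a test runner should treat as the failure.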