From: Cy Schubert
Reply-to: Cy Schubert
To: Robert Clausecker
cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 66eb78377bf1 - main - libc/amd64: fix overread conditions in stpncpy()
In-reply-to: <693ee0f1.3662d.650a5e21@gitrepo.freebsd.org>
Date: Tue, 16 Dec 2025 05:57:09 -0800
Message-Id: <20251216135709.46D25203@slippy.cwsent.com>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

In message <693ee0f1.3662d.650a5e21@gitrepo.freebsd.org>, Robert Clausecker writes:
> The branch main has been updated by fuz:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=66eb78377bf109af1d9e25626bf254b4369436ec
>
> commit 66eb78377bf109af1d9e25626bf254b4369436ec
> Author:     Robert Clausecker
> AuthorDate: 2025-12-10 20:45:18 +0000
> Commit:     Robert Clausecker
> CommitDate: 2025-12-14 16:06:05 +0000
>
>     libc/amd64: fix overread conditions in stpncpy()
>
>     Due to incorrect unit test design, two overread conditions went
>     undetected in the amd64 baseline stpncpy() implementation.
>     For buffers of 1--16 and 32 bytes that do not contain nul bytes
>     and end exactly at a page boundary, the code would incorrectly
>     read 16 bytes from the next page, possibly crossing into an
>     unmapped page and crashing the program. If the next page was
>     mapped, the code would then proceed with the expected behaviour
>     of the stpncpy() function.
>
>     Three changes were made to fix the bug:
>
>      - an off-by-one error is fixed in the code deciding whether to
>        enter the runt case or not, entering it for 0 instead of 0
>      - in the runt case, the logic to skip reading a second 16-byte
>        chunk if the buffer ends in the first chunk was fixed to
>        account for buffers that end at a 16-byte boundary but do not
>        hold a nul byte.
>      - in the runt case, the logic to transform the location of the
>        end of the input buffer into a bit mask was fixed to allow
>        the case of n==32, which was previously impossible due to the
>        incorrect logic for entering said case.
>
>     The performance impact should be minimal.
>
>     PR: 291359
>     See also: D54169
>     Reported by: Collin Funk
>     Reviewed by: getz
>     Approved by: markj (mentor)
>     MFC after: 1 week
>     Fixes: 90253d49db09a9b1490c448d05314f3e4bbfa468 (D42519)
>     Differential Revision: https://reviews.freebsd.org/D54170
> --- > lib/libc/amd64/string/stpncpy.S | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/lib/libc/amd64/string/stpncpy.S b/lib/libc/amd64/string/stpncpy. > S > index 5ce0dd093a9e..df22bb9f0c53 100644 > --- a/lib/libc/amd64/string/stpncpy.S > +++ b/lib/libc/amd64/string/stpncpy.S > @@ -100,7 +100,7 @@ ARCHENTRY(__stpncpy, baseline) > movdqa (%rsi), %xmm0 # load head > and $0xf, %ecx # offset from alignment > mov $-1, %r9d > - lea -32(%rcx), %rax # set up overflow-proof compari > son rdx+rcx<=32 > + lea -33(%rcx), %rax # set up overflow-proof compari > son rdx+rcx<=32 > shl %cl, %r9d # mask of bytes belonging to th > e string > sub %rcx, %rdi # adjust RDI to correspond to R > SI > pxor %xmm1, %xmm1 > @@ -223,8 +223,9 @@ ARCHENTRY(__stpncpy, baseline) > > /* 1--32 bytes to copy, bounce through the stack */ > .Lrunt: movdqa %xmm1, bounce+16(%rsp) # clear out rest of on- > stack copy > - bts %r10d, %r8d # treat end of buffer as end of > string > - and %r9w, %r8w # end of string within first bu > ffer? > + bts %r10, %r8 # treat end of buffer as end of > string > + and %r9d, %r8d # mask out head before string > + test $0x1ffff, %r8d # end of string within first ch > unk or right after? > jnz 0f # if yes, do not inspect second > buffer > > movdqa 16(%rsi), %xmm0 # load second chunk of input
>

I've opened PR/291720 regarding a significant regression caused by this
commit. It affects my older machines, resulting in environment (getenv)
corruption. It does not affect my newer (and with more RAM) machines.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
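
Review bot: In the hunk at -100,7 the `lea` displacement changes from -32 to -33, but the trailing comment "set up overflow-proof comparison rdx+rcx<=32" is identical on the removed and the added line, so it cannot describe both constants. Please update the comment to state the bound the new value implements and how the later comparison consumes %rax; the commit message calls this an off-by-one fix in the runt-case entry test, and an unchanged comment hides that from the next reader.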
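
Review bot: In the .Lrunt hunk at -223,8 the operand widths are now mixed without explanation: `bts %r10, %r8` is 64-bit while the following `and %r9d, %r8d` and `test $0x1ffff, %r8d` are 32-bit. A register-offset bts takes its bit index modulo the operand size, so widening it stops an index of 32 from wrapping to bit 0, and the 32-bit `and` then zero-extends and discards any bit set at position 32 or above. That appears to be what makes the n==32 case from the commit message work, but the hunk does not say so; a comment giving the valid range of %r10 and stating that bits above 31 are meant to be dropped would make the intent reviewable, as would a word on why the `test` mask is 17 bits wide.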
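
The overread condition in the quoted commit message (a source buffer with no nul byte that ends exactly at a page boundary) can be checked with a guard-page test. The following is an added example, not code from the FreeBSD tree or its test suite; `guard_check`, `guard_failures`, `check_in_child` and the deliberately faulty `peeking_stpncpy` are hypothetical names, and it assumes a POSIX system with `mmap`, `mprotect` and `fork`.

```c
#define _DEFAULT_SOURCE 1	/* glibc: expose stpncpy() and MAP_ANON */
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

typedef char *(*stpncpy_fn)(char *, const char *, size_t);

/* Constructed faulty variant: touches one byte past the n-byte source. */
char *peeking_stpncpy(char *dst, const char *src, size_t n) {
	(void)*(volatile const char *)(src + n);
	return stpncpy(dst, src, n);
}

/* Child body: n non-NUL bytes ending at a page boundary, next page PROT_NONE. */
static int check_in_child(stpncpy_fn fn, size_t n) {
	char dst[128];
	size_t pg = (size_t)sysconf(_SC_PAGESIZE);
	char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANON, -1, 0);
	if (n == 0 || n >= sizeof dst || map == MAP_FAILED ||
	    mprotect(map + pg, pg, PROT_NONE) != 0)
		return 2;
	memset(map, 'x', pg);			/* readable page holds no NUL */
	memset(dst, '#', sizeof dst);
	const char *src = map + pg - n;		/* last byte is last byte of page */
	char *end = fn(dst, src, n);
	/* No NUL in n bytes: n bytes copied, dst + n returned, dst[n] untouched. */
	return !(end == dst + n && memcmp(dst, src, n) == 0 && dst[n] == '#');
}

/* Fork per case so a SIGSEGV from an overread is a reported failure (1). */
int guard_check(stpncpy_fn fn, size_t n) {
	int status;
	pid_t pid = fork();
	if (pid == 0)
		_exit(check_in_child(fn, n));
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return -1;
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

/* Number of lengths 1..max_n for which fn faults or copies wrongly. */
int guard_failures(stpncpy_fn fn, size_t max_n) {
	int bad = 0;
	for (size_t n = 1; n <= max_n; n++)
		bad += guard_check(fn, n) != 0;
	return bad;
}

int main(void) { return guard_failures(stpncpy, 64) != 0; }
```

Running every length from 1 up, rather than a few sample sizes, is what covers the 1--16 and 32 byte cases the commit message lists.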