To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Robert Clausecker
Subject: git: b0dc25c6d378 - stable/14 - libc/amd64: fix overread conditions in stpncpy()
Date: Sun, 04 Jan 2026 13:27:30 +0000
Message-Id: <695a6ac2.3a166.30e2c471@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch stable/14 has been updated by fuz:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0dc25c6d378fbab41f86e494d4e7fcbadeb1b74

commit b0dc25c6d378fbab41f86e494d4e7fcbadeb1b74
Author:     Robert Clausecker
AuthorDate: 2025-12-10 20:45:18 +0000
Commit:     Robert Clausecker
CommitDate: 2026-01-04 13:25:33 +0000

    libc/amd64: fix overread conditions in stpncpy()

    Due to incorrect unit test design, two overread conditions went
    undetected in the amd64 baseline stpncpy() implementation.
    For buffers of 1--16 and 32 bytes that do not contain nul bytes
    and end exactly at a page boundary, the code would incorrectly
    read 16 bytes from the next page, possibly crossing into an
    unmapped page and crashing the program.  If the next page was
    mapped, the code would then proceed with the expected behaviour
    of the stpncpy() function.

    Three changes were made to fix the bug:

     - an off-by-one error is fixed in the code deciding whether to
       enter the runt case or not, entering it for 0

    Reviewed by:    getz
    Approved by:    markj (mentor)
    MFC after:      1 week
    Fixes:          90253d49db09a9b1490c448d05314f3e4bbfa468 (D42519)
    Differential Revision:  https://reviews.freebsd.org/D54170

    (cherry picked from commit 66eb78377bf109af1d9e25626bf254b4369436ec)

--- lib/libc/amd64/string/stpncpy.S | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/libc/amd64/string/stpncpy.S b/lib/libc/amd64/string/stpncpy.S index 5ce0dd093a9e..df22bb9f0c53 100644 --- a/lib/libc/amd64/string/stpncpy.S +++ b/lib/libc/amd64/string/stpncpy.S @@ -100,7 +100,7 @@ ARCHENTRY(__stpncpy, baseline) movdqa (%rsi), %xmm0 # load head and $0xf, %ecx # offset from alignment mov $-1, %r9d - lea -32(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 + lea -33(%rcx), %rax # set up overflow-proof comparison rdx+rcx<=32 shl %cl, %r9d # mask of bytes belonging to the string sub %rcx, %rdi # adjust RDI to correspond to RSI pxor %xmm1, %xmm1 @@ -223,8 +223,9 @@ ARCHENTRY(__stpncpy, baseline) /* 1--32 bytes to copy, bounce through the stack */ .Lrunt: movdqa %xmm1, bounce+16(%rsp) # clear out rest of on-stack copy - bts %r10d, %r8d # treat end of buffer as end of string - and %r9w, %r8w # end of string within first buffer? + bts %r10, %r8 # treat end of buffer as end of string + and %r9d, %r8d # mask out head before string + test $0x1ffff, %r8d # end of string within first chunk or right after? jnz 0f # if yes, do not inspect second buffer movdqa 16(%rsi), %xmm0 # load second chunk of input
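Review bot: In the first hunk (@@ -100,7 +100,7 @@) the constant changes from -32 to -33 in `lea -33(%rcx), %rax`, but the trailing comment reads `rdx+rcx<=32` on both the removed and the added line. Either the comment always described the intended condition and only the encoding was off by one, or it is now stale. Please say which by spelling out how %rax is compared later (that comparison is outside the hunk), so the bound can be checked without re-deriving it.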
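Review bot: In the second hunk (.Lrunt) the new sequence `bts %r10, %r8` / `and %r9d, %r8d` / `test $0x1ffff, %r8d` depends on two things the comments do not state. The 32-bit `and` zero-extends into %r8 and so discards any bit the 64-bit `bts` set at position 32 or above, and the `test` mask covers bits 0 through 16, one more than a 16-byte chunk. A short comment giving the expected range of %r10 here would help (the 64-bit form takes the bit index from the low six bits of the full register, and the hunk does not show where its upper half is set), along with why bit 16 is included. The diffstat lists only stpncpy.S; since the message attributes the miss to test design, a regression case whose source buffer ends exactly at a page boundary belongs alongside this change.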
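A guard-page regression test for the condition the commit message describes, added here as an example (it is not code from the FreeBSD tree or its test suite). It goes beyond the lengths named in the message by checking every length from 1 to 64; `map_with_guard` and `check_stpncpy_page_end` are hypothetical names.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map two pages and make the second one inaccessible; returns the first. */
static unsigned char *map_with_guard(size_t *pagesz)
{
    *pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, 2 * *pagesz, PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p + *pagesz, *pagesz, PROT_NONE) != 0)
        return NULL;
    return p;
}

/*
 * For every length 1..maxlen, place a nul-free source buffer so that it
 * ends exactly at the guard page, then copy it with stpncpy().  An
 * overread into the guard page faults (SIGSEGV); a wrong return value or
 * wrong copy is counted.  Returns the number of failing lengths, or -1 if
 * the test could not be set up.
 */
int check_stpncpy_page_end(size_t maxlen)
{
    size_t pagesz;
    unsigned char *page = map_with_guard(&pagesz);
    char dst[256];
    int failures = 0;

    if (page == NULL || maxlen > sizeof(dst) || maxlen > pagesz)
        return -1;
    for (size_t len = 1; len <= maxlen; len++) {
        char *src = (char *)page + pagesz - len;
        memset(src, 'A', len);          /* no nul byte in the buffer */
        memset(dst, 0x55, sizeof(dst));
        char *end = stpncpy(dst, src, len);
        /* With no nul in the first len bytes, stpncpy returns dst + len. */
        if (end != dst + len || memcmp(dst, src, len) != 0)
            failures++;
    }
    munmap(page, 2 * pagesz);
    return failures;
}

int main(void)
{
    return check_stpncpy_page_end(64) == 0 ? 0 : 1;
}
```

A test that only places the source somewhere in the middle of a mapped region cannot see this class of bug, because the extra 16-byte load lands on readable memory.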