This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH v3] powerpc: strstr optimization

From: Joseph Myers <joseph at codesourcery dot com>
To: Carlos O'Donell <carlos at redhat dot com>
Cc: Tulio Magno Quites Machado Filho <tuliom at linux dot vnet dot ibm dot com>, Steve Munroe <sjmunroe at us dot ibm dot com>, Florian Weimer <fweimer at redhat dot com>, Ondřej Bílka <neleai at seznam dot cz>, GNU C Library <libc-alpha at sourceware dot org>, Rajalakshmi Srinivasaraghavan <raji at linux dot vnet dot ibm dot com>
Date: Wed, 22 Jul 2015 19:33:09 +0000
Subject: Re: [PATCH v3] powerpc: strstr optimization
Authentication-results: sourceware.org; auth=none
References: <558A5642 dot 5020107 at linux dot vnet dot ibm dot com> <558A5761 dot 2000409 at linux dot vnet dot ibm dot com> <87oajpm8nc dot fsf at totoro dot br dot ibm dot com> <871tgijuri dot fsf at linux dot vnet dot ibm dot com> <55A6FE3F dot 6090701 at redhat dot com> <55A70B70 dot 6090607 at redhat dot com> <20150716195538 dot GA5140 at domone> <55A8110C dot 7000209 at redhat dot com> <alpine dot DEB dot 2 dot 10 dot 1507221607370 dot 21570 at digraph dot polyomino dot org dot uk> <55AFD91C dot 30404 at redhat dot com>

On Wed, 22 Jul 2015, Carlos O'Donell wrote:

> > If there's a quadratic worst case newly introduced for 2.22, I'd consider 
> > that a security hole (denial of service) that needs to block the release 
> > of 2.22 until it's fixed (possibly by removing the implementation in 
> > question).
> 
> Joseph,
> 
> We have had quadratic worse case in our string routines for years without
> it blocking a release. I agree that it is not the best case for a release

And I believe we established a consensus, when removing the SSE4 
implementation (bug 12100), that such implementations are not suitable for 
inclusion in glibc.

> to have such behaviour, but should it block this release?

As a denial-of-service regression (for any code that may use strstr on 
untrusted inputs), yes.

-- 
Joseph S. Myers
joseph@codesourcery.com

References:
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Tulio Magno Quites Machado Filho
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Tulio Magno Quites Machado Filho
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Carlos O'Donell
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Carlos O'Donell
- Re: [PATCH v3] powerpc: strstr optimization
  - From: OndÅej BÃlka
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Carlos O'Donell
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Joseph Myers
- Re: [PATCH v3] powerpc: strstr optimization
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]