Bug 25226 - strstr: Invalid result if needle crosses page on s390-z15 ifunc variant.
Status: RESOLVED FIXED
Product: glibc
Classification: Unclassified
Component: string
Version: 2.30
Importance: P2 normal
Target Milestone: 2.31
Assignee: Not yet assigned to anyone
Reported: 2019-11-27 08:29 UTC by Stefan Liebler
Modified: 2019-11-27 11:57 UTC
fweimer: security-


Description Stefan Liebler 2019-11-27 08:29:01 UTC
If the specified needle crosses a page-boundary, the s390-z15 ifunc variant of
strstr truncates the needle which results in invalid results.

Example:
needle = "Hello" <page-boundary> "World"
really used needle = "Hello"
haystack = "abc HelloBug def"
result = "HelloBug def"

This only happens if the needle before the page boundary contains 9 or fewer characters.
The s390-z15 ifunc variant of strstr was introduced in glibc 2.30.
Comment 1 Sourceware Commits 2019-11-27 11:38:18 UTC
The master branch has been updated by Stefan Liebler <stli@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bfdb731438206b0f70fe7afa890681155c30b419

commit bfdb731438206b0f70fe7afa890681155c30b419
Author: Stefan Liebler <stli@linux.ibm.com>
Date:   Wed Nov 27 12:35:40 2019 +0100

    S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. [BZ #25226]
    
    If the specified needle crosses a page-boundary, the s390-z15 ifunc variant of
    strstr truncates the needle which results in invalid results.
    
    This is fixed by loading the needle beyond the page boundary to v18 instead of v16.
    The bug is sometimes observable in test-strstr.c in check1 and check2 as the
    haystack and needle are stored on stack. Thus the needle can be on a page boundary.
    
    check2 is now extended to test haystack / needles located on stack, at end of page
    and on two pages.
    
    This bug was introduced with commit 6f47401bd5fc71209219779a0426170a9a7395b0
    ("S390: Add arch13 strstr ifunc variant.") and is already released in glibc 2.30.
Comment 2 Sourceware Commits 2019-11-27 11:55:23 UTC
The release/2.30/master branch has been updated by Stefan Liebler <stli@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f4419b0d0181da28f18cba40068f2e75300f5020

commit f4419b0d0181da28f18cba40068f2e75300f5020
Author: Stefan Liebler <stli@linux.ibm.com>
Date:   Wed Nov 27 12:35:40 2019 +0100

    S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. [BZ #25226]
    
    If the specified needle crosses a page-boundary, the s390-z15 ifunc variant of
    strstr truncates the needle which results in invalid results.
    
    This is fixed by loading the needle beyond the page boundary to v18 instead of v16.
    The bug is sometimes observable in test-strstr.c in check1 and check2 as the
    haystack and needle are stored on stack. Thus the needle can be on a page boundary.
    
    check2 is now extended to test haystack / needles located on stack, at end of page
    and on two pages.
    
    This bug was introduced with commit 6f47401bd5fc71209219779a0426170a9a7395b0
    ("S390: Add arch13 strstr ifunc variant.") and is already released in glibc 2.30.
    
    (cherry picked from commit bfdb731438206b0f70fe7afa890681155c30b419)
Comment 3 Stefan Liebler 2019-11-27 11:57:23 UTC
Resolved upstream and backported to glibc 2.30 release branch.
See comments 1 and 2.