[PATCH v2] string: Fix OOB read on generic strncmp

Adhemerval Zanella Netto adhemerval.zanella@linaro.org
Thu Feb 23 18:15:09 GMT 2023 


On 22/02/23 14:21, Szabolcs Nagy wrote:
> The 02/22/2023 13:31, Adhemerval Zanella wrote:
>> For unaligned case, reading ahead can only be done if parting reads
>> matches the aligned input.
>>
>> Also extend the stratcliff tests to check such cases.
>>
>> Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
>> and powerpc-linux-gnu by removing the arch-specific assembly
>> implementation and disabling multi-arch (it covers both LE and BE
>> for 64 and 32 bits).
> 
> thanks this looks good.
> 
> Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
> 

So before I push the fix along with the testcase, I checked all strncmp
optimization and found out that some implementations also do not handle 
this correctly as expected:

sysdeps/x86_64/multiarch/strncmp-sse2.S				FAIL
sysdeps/x86_64/multiarch/strncmp-sse4_2.S			FAIL
sysdeps/x86_64/multiarch/strncmp-avx2.S				OK
sysdeps/x86_64/multiarch/strncmp-evex.S				?
sysdeps/x86_64/multiarch/strncmp-avx2-rtm.S			?

sysdeps/ia64/strncmp.S						?

sysdeps/sparc/sparc32/sparcv9/strncmp.S				OK
sysdeps/sparc/sparc64/strncmp.S					OK

sysdeps/aarch64/strncmp.S					OK

sysdeps/powerpc/powerpc32/power7/strncmp.S			FAIL
sysdeps/powerpc/powerpc32/405/strncmp.S				?	
sysdeps/powerpc/powerpc32/strncmp.S				FAIL
sysdeps/powerpc/powerpc32/power4/strncmp.S			FAIL
sysdeps/powerpc/powerpc64/power7/strncmp.S			FAIL
sysdeps/powerpc/powerpc64/power8/strncmp.S			OK
sysdeps/powerpc/powerpc64/strncmp.S				FAIL
sysdeps/powerpc/powerpc64/le/power9/strncmp.S			OK

sysdeps/alpha/strncmp.S						FAIL

sysdeps/i386/i686/multiarch/strncmp-sse4.S			OK
sysdeps/i386/i686/multiarch/strncmp-ssse3.S			FAIL

sysdeps/s390/strncmp-vx.S					OK	

(the ? are implementations that I can really test, even qemu static
thrown illegal instruction).

Noah has brought to my attention that he tried to add similar tests,
but they were rejected by strncmp string must be null-terminated [1].

The working drafts for C standard I have access (n1256.pdf for C99 and 
n3047.pdf for c2x) do not say possibly null-terminated array (as some
stackoverflow answer state [2]) they refer only as array. So I tend
to follow Florian understanding that strncmp inputs should be NULL
terminated.

So should we really consider this a OOB read on generic strncmp?

[1] https://sourceware.org/pipermail/libc-alpha/2022-January/135130.html
[2] https://stackoverflow.com/questions/41418766/is-it-legal-to-pass-a-non-null-terminated-string-to-strncmp-in-c

More information about the Libc-alpha mailing list