Re: [PATCH]: Use RAX_LP/RDX_LP on SAVE_PTR in sysdeps/x86_64/strtok.S
On Wed, Jun 13, 2012 at 2:26 PM, Roland McGrath <roland@hack.frob.com> wrote:
> Now I see what actually matters about the test.  You don't really need
> something machine-dependent.  You can make sure they're adjacent just by
> putting them together in a struct, and making it a global variable to
> ensure the compiler doesn't optimize away the adjacency.  Or you could use
> a more direct paranoia test by putting SAVEPTR into a struct with uintptr_t
> magic-number fields on either side and ensuring they don't get clobbered.
>
> But the way that we usually test for this kind of bug is to mmap a two-page
> region, mprotect the second page to PROT_NONE, and then use:
>        char **saveptrp = page + page_size - sizeof (*saveptrp)
>
> It probably makes sense to use test-string.h to do the setup for you,
> since we already have it.
>
> To be really thorough, you could also do a second variant that puts SAVEPTR
> at the beginning of a page and checks for the other direction of overrun.
> But that's probably overkill, and test-string.h's machinery is not handy
> for that.
>
Here is a patch to implement those. I also use
LP_SIZE on save_ptr. OK to install?
Thanks.
--
H.J.
---
[BZ #14229]
* string/Makefile (tests): Add tst-strtok_r and tst-strtok_r2.
* string/tst-strtok_r.c: New file.
* string/tst-strtok_r2.c: Likewise.
* sysdeps/x86_64/strtok.S: Use LP_SIZE on save_ptr and use
RAX_LP/RDX_LP on SAVE_PTR.
diff --git a/string/Makefile b/string/Makefile
index 80923a2..d9aef03 100644
--- a/string/Makefile
+++ b/string/Makefile
@@ -56,7 +56,7 @@ tests := tester inl-tester noinl-tester testcopy test-ffs \
tst-strtok tst-strxfrm bug-strcoll1 tst-strfry \
bug-strtok1 $(addprefix test-,$(strop-tests)) \
bug-envz1 tst-strxfrm2 tst-endian tst-svc2 \
- bug-strstr1 bug-strchr1
+ bug-strstr1 bug-strchr1 tst-strtok_r tst-strtok_r2
include ../Rules
diff --git a/string/tst-strtok_r.c b/string/tst-strtok_r.c
new file mode 100644
index 0000000..fe11cd6
--- /dev/null
+++ b/string/tst-strtok_r.c
@@ -0,0 +1,36 @@
+/* Test strtok_r regression for BZ #14229.
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <string.h>
+
+/* Verify updating SAVEPTR won't override the first few bytes in LINE. */
+struct
+ {
+ char *saveptr;
+ char line[];
+ } data = { 0, "udf 75868 1 - Live 0xffffffffa0bfb000\n" };
+
+static int
+do_test (void)
+{
+ char *tok = strtok_r (data.line, " \t", &data.saveptr);
+ return strcmp (tok, "udf") != 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
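Review bot: `do_test` calls strtok_r once on a line that begins with a token, so only the store after `L(8)` in strtok.S is exercised; the second store this patch changes, under `L(returnNULL)`, never runs. `test_main` in tst-strtok_r2.c has the same gap. A second case with a delimiter-only input, followed by a check that the bytes after `saveptr` are unchanged, would cover that path as well. Separately, `tok` goes to `strcmp` unchecked, so a regression that returns NULL shows up as a crash rather than a reported failure; `return tok == NULL || strcmp (tok, "udf") != 0;` keeps the result explicit.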
diff --git a/string/tst-strtok_r2.c b/string/tst-strtok_r2.c
new file mode 100644
index 0000000..b40a837
--- /dev/null
+++ b/string/tst-strtok_r2.c
@@ -0,0 +1,37 @@
+/* Test strtok_r regression for BZ #14229.
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#define TEST_MAIN
+#define BUF1PAGES 1
+#include "test-string.h"
+
+int
+test_main (void)
+{
+ char line[] = "udf 75868 1 - Live 0xffffffffa0bfb000\n";
+ char **saveptrp;
+ char *tok;
+
+ test_init ();
+
+ saveptrp = (char **) (buf1 + page_size - sizeof (*saveptrp));
+ tok = strtok_r (line, " \t", saveptrp);
+ return strcmp (tok, "udf") != 0;
+}
+
+#include "../test-skeleton.c"
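Review bot: The `saveptrp` assignment in `test_main` has no comment saying why the pointer sits at the very end of `buf1`, unlike the struct in tst-strtok_r.c, which documents its intent. I would add, above the assignment, `/* Put SAVEPTR in the last pointer-sized slot of buf1 so that a store wider than a pointer runs into the following page and faults.  */`. The test only detects the overrun if test-string.h leaves an inaccessible page right after `buf1` when `BUF1PAGES` is 1. That setup is not visible in this patch, so the comment should name the dependency.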
diff --git a/sysdeps/x86_64/strtok.S b/sysdeps/x86_64/strtok.S
index 150f4d6..fe4a947 100644
--- a/sysdeps/x86_64/strtok.S
+++ b/sysdeps/x86_64/strtok.S
@@ -1,6 +1,6 @@
/* strtok (str, delim) -- Return next DELIM separated token from STR.
For AMD x86-64.
- Copyright (C) 1998,2000-2003,2005,2006 Free Software Foundation, Inc.
+ Copyright (C) 1998-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Based on i686 version contributed by Ulrich Drepper
<drepper@cygnus.com>, 1998.
@@ -45,9 +45,9 @@
.bss
.local save_ptr
ASM_TYPE_DIRECTIVE (save_ptr, @object)
- .size save_ptr, 8
+ .size save_ptr, LP_SIZE
save_ptr:
- .space 8
+ .space LP_SIZE
# ifdef PIC
# define SAVE_PTR save_ptr(%rip)
@@ -79,13 +79,12 @@ ENTRY (BP_SYM (FUNCTION))
#ifdef USE_AS_STRTOK_R
/* The value is stored in the third argument. */
- movq %rdx, %rax
- movq %rdx, %r9 /* Save value - see def. of SAVE_PTR. */
- movq (%rax), %rax
+ mov %RDX_LP, %R9_LP /* Save value - see def. of SAVE_PTR. */
+ mov (%rdx), %RAX_LP
#else
/* The value is in the local variable defined above. But
we have to take care for PIC code. */
- movq SAVE_PTR, %rax
+ mov SAVE_PTR, %RAX_LP
#endif
movq %r8, %rdx /* Get start of string. */
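Review bot: The new pointer-sized loads feed 64-bit instructions that this patch leaves alone (`movq %r8, %rdx` on the next line, `cmpq %rax, %rdx` at `L(8)`), and nothing in the code says why that is safe. It is correct only if the `_LP` register forms clear the upper half of the register when pointers are 32 bits wide. That holds for 32-bit register writes on x86-64, assuming `RAX_LP` expands to the 32-bit register in that configuration. I would add a comment next to the load, for example `/* With 32-bit pointers these moves zero-extend, so the 64-bit compares below remain valid.  */`. `mov (%rdx), %RAX_LP` also uses the full `%rdx` as the address, so it presumably relies on the ABI passing pointers zero-extended. The function body starts and ends outside this hunk.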
@@ -194,7 +193,7 @@ L(8): cmpq %rax, %rdx
cmovne %rcx, %rdx
/* Store the pointer to the next character. */
- movq %rdx, SAVE_PTR
+ mov %RDX_LP, SAVE_PTR
L(epilogue):
/* Remove the stopset table. */
@@ -205,7 +204,7 @@ L(epilogue):
L(returnNULL):
xorl %eax, %eax
/* Store the pointer to the next character. */
- movq %rdx, SAVE_PTR
+ mov %RDX_LP, SAVE_PTR
jmp L(epilogue)
END (BP_SYM (FUNCTION))