overflow bug in wcsncmp_avx2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GLibC | Fix Released | Medium | |
glibc (Ubuntu) | Fix Released | Medium | Simon Chopin |
Focal | Fix Released | Medium | Simon Chopin |
Bug Description
[Impact]
See https:/
Note that we're only impacted by the avx2 issue, the evex-optimized version isn't present in the 2.31 branch.
[Test case]
> test_wcsncmp.c cat <<EOF
#include <wchar.h>
#include <assert.h>
int
main(int argc, char ** argv) {
assert(
}
EOF
gcc -static -o test_wcsncmp test_wcsncmp.c
./test_wcsncmp
[Regression potential]
The patch is contained within the AVX-2 optimized routine, but it could still introduce a new bug there. In addition, we could see performance regressions.
In Sourceware.org Bugzilla #28755, Goldstein-w-n (goldstein-w-n) wrote : | #1 |
In Sourceware.org Bugzilla #28755, Goldstein-w-n (goldstein-w-n) wrote : | #2 |
Fix proposed in the following patches:
avx2: https:/
evex: https:/
In Sourceware.org Bugzilla #28755, Goldstein-w-n (goldstein-w-n) wrote : | #3 |
Fixed in
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #4 |
The release/2.34/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 72123e1b56f53f9
Author: H.J. Lu <email address hidden>
Date: Wed Jan 26 20:20:43 2022 -0800
NEWS: Add a bug entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #5 |
The release/2.33/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 86c153d0922a6da
Author: H.J. Lu <email address hidden>
Date: Wed Jan 26 20:28:51 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #6 |
The release/2.32/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 40eebb02ccbc2d6
Author: H.J. Lu <email address hidden>
Date: Wed Jan 26 21:00:25 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #7 |
The release/2.31/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 5b136510856f374
Author: H.J. Lu <email address hidden>
Date: Thu Jan 27 05:16:30 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #8 |
The release/2.30/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 9d868841f870c22
Author: H.J. Lu <email address hidden>
Date: Thu Jan 27 05:31:02 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #9 |
The release/2.29/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 2f3fb944b311b67
Author: H.J. Lu <email address hidden>
Date: Thu Jan 27 05:34:02 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #10 |
The release/2.28/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 43c27a754bd4177
Author: H.J. Lu <email address hidden>
Date: Thu Jan 27 07:30:10 2022 -0800
NEWS: Add a bug fix entry for BZ #28755
In Sourceware.org Bugzilla #28755, Hjl-tools (hjl-tools) wrote : | #11 |
Fixed for 2.35 and all release branches.
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #12 |
The master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit aa5a720056d37cf
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #13 |
The release/2.35/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit a30807b7db924d3
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #14 |
The release/2.34/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 04d60ce0f21ffe2
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #15 |
The release/2.33/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit cb922428dc7c526
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #16 |
The release/2.32/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 0f8a2390000c4e9
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #17 |
The release/2.31/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 775c05b28c1883c
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #18 |
The release/2.30/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 70522b1c1d1ffa5
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #19 |
The release/2.29/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit a486152569be7cc
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
In Sourceware.org Bugzilla #28755, Cvs-commit (cvs-commit) wrote : | #20 |
The release/2.28/master branch has been updated by H.J. Lu <email address hidden>:
https:/
commit 9e050d1370587e8
Author: H.J. Lu <email address hidden>
Date: Thu Feb 17 08:10:35 2022 -0800
string: Add a testcase for wcsncmp with SIZE_MAX [BZ #28755]
Verify that wcsncmp (L("abc"), L("abd"), SIZE_MAX) == 0. The new test
fails without
commit ddf0992cf57a932
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:21 2022 -0600
x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
and
commit 7e08db3359c86c9
Author: Noah Goldstein <email address hidden>
Date: Sun Jan 9 16:02:28 2022 -0600
x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
This is for BZ #28755.
Reviewed-by: Sunil K Pandey <email address hidden>
(cherry picked from commit aa5a720056d37cf
Changed in glibc (Ubuntu): | |
status: | New → Fix Released |
Changed in glibc (Ubuntu Focal): | |
status: | New → In Progress |
assignee: | nobody → Simon Chopin (schopin) |
importance: | Undecided → Medium |
Changed in glibc: | |
importance: | Unknown → Medium |
status: | Unknown → Fix Released |
Brian Murray (brian-murray) wrote : Please test proposed package | #21 |
Hello Simon, or anyone else affected,
Accepted glibc into focal-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in glibc (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed verification-needed-focal |
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (glibc/2.31-0ubuntu9.10) | #22 |
All autopkgtests for the newly accepted glibc (2.31-0ubuntu9.10) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Simon Chopin (schopin) wrote : | #23 |
Verified in a fresh LXD container:
root@focal-glibc:~# gcc -static -o test_wcsncmp test_wcsncmp.c
In file included from test_wcsncmp.c:2:
test_wcsncmp.c: In function ‘main’:
test_wcsncmp.
6 | assert(
| ^~~~~~~~~~~~~~
root@focal-glibc:~# ./test_wcsncmp && echo OK
OK
tags: |
added: verification-done verification-done-focal removed: verification-needed verification-needed-focal |
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : | #24 |
All autopkgtests for the newly accepted glibc (2.31-0ubuntu9.10) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
cargo/0.
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (glibc/2.31-0ubuntu9.11) | #25 |
All autopkgtests for the newly accepted glibc (2.31-0ubuntu9.11) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Brian Murray (brian-murray) wrote : Please test proposed package | #26 |
Hello Simon, or anyone else affected,
Accepted glibc into focal-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed verification-needed-focal removed: verification-done verification-done-focal |
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (glibc/2.31-0ubuntu9.12) | #27 |
All autopkgtests for the newly accepted glibc (2.31-0ubuntu9.12) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
https:/
[1] https:/
Thank you!
Simon Chopin (schopin) wrote : | #28 |
Verified in a fresh container:
root@focal-glibc:~# ./test_wcsncmp
root@focal-glibc:~# echo $?
0
root@focal-glibc:~# dpkg -l libc6
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Architecture Description
+++-===
ii libc6:amd64 2.31-0ubuntu9.12 amd64 GNU C Library: Shared libraries
tags: |
added: verification-done verification-done-focal removed: verification-needed verification-needed-focal |
Łukasz Zemczak (sil2100) wrote : Update Released | #29 |
The verification of the Stable Release Update for glibc has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #30 |
This bug was fixed in the package glibc - 2.31-0ubuntu9.12
---------------
glibc (2.31-0ubuntu9.12) focal; urgency=medium
* Drop SVE memcpy implementation due to kernel-related performance
regression
glibc (2.31-0ubuntu9.11) focal; urgency=medium
* Drop memcmp arm64 SIMD optimization patch due to performance regression
on Raspberry Pi 3+ and 4
glibc (2.31-0ubuntu9.10) focal; urgency=medium
[ Andrei Gherzan ]
* d/p/lp1910312: Backport upstream fix for SEM_STAT_ANY (LP: #1910312)
[ Simon Chopin ]
* d/p/lp1999551/*: backport mem{cmp,cpy} optimizations for arm64 (LP: #1999551)
* d/p/lp2001932/*: fix segfault in AVX2 strncmp (LP: #2001932)
* d/p/lp2001975/*: fix overflow in AVX2 wcsncmp (LP: #2001975)
-- Simon Chopin <email address hidden> Wed, 26 Jul 2023 09:44:39 +0200
Changed in glibc (Ubuntu Focal): | |
status: | Fix Committed → Fix Released |
Similar to [BZ 27974](https://sourceware.org/bugzilla/show_bug.cgi?id=27974). The multiply of length by sizeof (wchar_t) can overflow if length is >= 2^62 which can lead to incorrect results.
For example:
#include <wchar.h>
#include <assert.h>
int
main(int argc, char ** argv) {
    assert(__wcsncmp_evex(L"abc", L"abd", (1UL << 62)) != 0);
    assert(__wcsncmp_avx2(L"abc", L"abd", (1UL << 62)) != 0);
}
Will fail on either assert.
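The wrap the report describes (length multiplied by sizeof (wchar_t)), modelled in portable C as an added example; it is not code from the bug report or from glibc, whose affected routines are assembly. The function names, the 4-byte wchar_t width and the "treat an unconvertible count as unbounded" guard are assumptions made for illustration, not a description of the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Assumption: x86-64 Linux sizes (64-bit size_t, 4-byte wchar_t). Fixed-width
   arithmetic keeps the model's behaviour identical on any host. */
#define MODEL_WCHAR_BYTES UINT64_C(4)

/* Hypothetical helper: compare wide strings, stopping after nbytes bytes. */
static int cmp_byte_bounded(const wchar_t *s1, const wchar_t *s2, uint64_t nbytes)
{
    for (uint64_t off = 0; off < nbytes; off += MODEL_WCHAR_BYTES, s1++, s2++) {
        if (*s1 != *s2)
            return *s1 < *s2 ? -1 : 1;
        if (*s1 == L'\0')
            return 0;
    }
    return 0; /* bound reached with no difference seen */
}

/* Wrapping pattern: the element count is scaled to bytes with no range check,
   so n = 2^62 becomes 2^64 mod 2^64 = 0 bytes and nothing is compared. */
int model_wcsncmp_wrapping(const wchar_t *s1, const wchar_t *s2, uint64_t n)
{
    uint64_t nbytes = n * MODEL_WCHAR_BYTES;
    return cmp_byte_bounded(s1, s2, nbytes);
}

/* Checked pattern: a count that cannot be expressed in bytes cannot bound a
   real object, so the comparison runs to the terminator instead. */
int model_wcsncmp_checked(const wchar_t *s1, const wchar_t *s2, uint64_t n)
{
    if (n > UINT64_MAX / MODEL_WCHAR_BYTES)
        return wcscmp(s1, s2);
    return cmp_byte_bounded(s1, s2, n * MODEL_WCHAR_BYTES);
}

int main(void)
{
    uint64_t n = UINT64_C(1) << 62; /* the length used in the report */
    printf("wrapping: %d\n", model_wcsncmp_wrapping(L"abc", L"abd", n));
    printf("checked:  %d\n", model_wcsncmp_checked(L"abc", L"abd", n));
    return 0;
}
```

A caller that treats a zero result as "equal" makes an authorization or lookup decision on strings that differ, which is why the report's test case asserts a non-zero result.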