[Bug 2001932] Re: segfault in strncmp for avx2 at page boundaries

Fri Jul 28 20:14:12 UTC 2023

Hello Simon, or anyone else affected,

Accepted glibc into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.12
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags removed: verification-done verification-done-focal
** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2001932

Title:
  segfault in strncmp for avx2 at page boundaries

Status in GLibC:
  Fix Released
Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Focal:
  Fix Committed

Bug description:
  [Impact]

  Depending on size and location of the compared buffers in memory,
  particularly at the end of their respective pages, the AVX-2
  specialized code for strncmp has an off-by-one bug that can cause a
  segfault.

  See https://sourceware.org/bugzilla/show_bug.cgi?id=25933

  [Test case]

  > test_strncmp.c cat <<EOF
  #include <sys/mman.h>
  #include <string.h>
  #include <stdio.h>

  #define PAGE_SIZE 4096
  #define VEC_SIZE 32

  int main()
  {
  	int ret;
  	char *s1 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	char *s2 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	mprotect(s1+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	mprotect(s2+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	memset(s1, 'a', PAGE_SIZE);
  	memset(s2, 'a', PAGE_SIZE);
  	s1[PAGE_SIZE-1] = 0;
  	ret = strncmp(
              s1+PAGE_SIZE-VEC_SIZE*4-1,
              s2+PAGE_SIZE-VEC_SIZE*4,
              VEC_SIZE*4);
  	printf("strncmp returned %d\n", ret);
  	return ret;
  }
  EOF
  gcc -o test_strncmp test_strncmp.c
  ./test_strncmp
  # On buggy systems (e.g. mine), that last call segfaults

  [Regression potential]

  The fix could introduce another bug in the routine, and/or a
  performance regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/2001932/+subscriptions