[Bug 2001932] Re: segfault in strncmp for avx2 at page boundaries

Simon Chopin 2001932 at bugs.launchpad.net
Fri Jun 9 10:34:20 UTC 2023


The performance part was just my attempt at imagining what could
possibly go wrong. As it turns out, I hadn't seen that upstream had the
exact same concern and so did microbenchmarks on the patch before
accepting it. Sadly, those benchmarks aren't designed to run against
installed libraries, they expect the full build tree to be available.

I looked at the bug and patch history of the affected routines, and
haven't seen any report of performance regression.

The benchmarks in bug 1999551 were explicitly designed for the arm64
architecture, and so don't apply here.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2001932

Title:
  segfault in strncmp for avx2 at page boundaries

Status in GLibC:
  Fix Released
Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Focal:
  In Progress

Bug description:
  [Impact]

  Depending on size and location of the compared buffers in memory,
  particularly at the end of their respective pages, the AVX-2
  specialized code for strncmp has an off-by-one bug that can cause a
  segfault.

  See https://sourceware.org/bugzilla/show_bug.cgi?id=25933

  [Test case]

  > test_strncmp.c cat <<EOF
  #include <sys/mman.h>
  #include <string.h>
  #include <stdio.h>

  #define PAGE_SIZE 4096
  #define VEC_SIZE 32

  int main()
  {
  	int ret;
  	/* Two pages per buffer; the second page of each mapping becomes an
  	   inaccessible guard page, so any read past the first page faults. */
  	char *s1 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	char *s2 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	mprotect(s1+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	mprotect(s2+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	memset(s1, 'a', PAGE_SIZE);
  	memset(s2, 'a', PAGE_SIZE);
  	/* s1 is NUL-terminated in the last readable byte; s2 has no terminator
  	   inside the page, so the n limit is what must stop the comparison. */
  	s1[PAGE_SIZE-1] = 0;
  	/* Both reads end exactly at the page boundary; s1 starts one byte
  	   before the 4*VEC_SIZE window, so the two strings are offset by one. */
  	ret = strncmp(
  		s1+PAGE_SIZE-VEC_SIZE*4-1,
  		s2+PAGE_SIZE-VEC_SIZE*4,
  		VEC_SIZE*4);
  	printf("strncmp returned %d\n", ret);
  	return ret;
  }
  EOF
  gcc -o test_strncmp test_strncmp.c
  ./test_strncmp
  # On buggy systems (e.g. mine), that last call segfaults

  [Regression potential]

  The fix could introduce another bug in the routine, and/or a
  performance regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/2001932/+subscriptions
