[Bug 2001932] Re: segfault in strncmp for avx2 at page boundaries

Launchpad Bug Tracker 2001932 at bugs.launchpad.net
Mon Oct 2 15:50:50 UTC 2023 

This bug was fixed in the package glibc - 2.31-0ubuntu9.12

---------------
glibc (2.31-0ubuntu9.12) focal; urgency=medium

  * Drop SVE memcpy implementation due to kernel-related performance
    regression

glibc (2.31-0ubuntu9.11) focal; urgency=medium

  * Drop memcmp arm64 SIMD optimization patch due to performance regression
    on Raspberry Pi 3+ and 4

glibc (2.31-0ubuntu9.10) focal; urgency=medium

  [ Andrei Gherzan ]
  * d/p/lp1910312: Backport upstream fix for SEM_STAT_ANY (LP: #1910312)

  [ Simon Chopin ]
  * d/p/lp1999551/*: backport mem{cmp,cpy} optimizations for arm64 (LP: #1999551)
  * d/p/lp2001932/*: fix segfault in AVX2 strncmp (LP: #2001932)
  * d/p/lp2001975/*: fix overflow in AVX2 wcsncmp (LP: #2001975)

 -- Simon Chopin <schopin at ubuntu.com>  Wed, 26 Jul 2023 09:44:39 +0200

** Changed in: glibc (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2001932

Title:
  segfault in strncmp for avx2 at page boundaries

Status in GLibC:
  Fix Released
Status in glibc package in Ubuntu:
  Fix Released
Status in glibc source package in Focal:
  Fix Released

Bug description:
  [Impact]

  Depending on size and location of the compared buffers in memory,
  particularly at the end of their respective pages, the AVX-2
  specialized code for strncmp has an off-by-one bug that can cause a
  segfault.

  See https://sourceware.org/bugzilla/show_bug.cgi?id=25933

  [Test case]

  > test_strncmp.c cat <<EOF
  #include <sys/mman.h>
  #include <string.h>
  #include <stdio.h>

  #define PAGE_SIZE 4096
  #define VEC_SIZE 32

  int main()
  {
  	int ret;
  	char *s1 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	char *s2 = (char *)mmap(0, PAGE_SIZE*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  	mprotect(s1+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	mprotect(s2+PAGE_SIZE, PAGE_SIZE, PROT_NONE);
  	memset(s1, 'a', PAGE_SIZE);
  	memset(s2, 'a', PAGE_SIZE);
  	s1[PAGE_SIZE-1] = 0;
  	ret = strncmp(
              s1+PAGE_SIZE-VEC_SIZE*4-1,
              s2+PAGE_SIZE-VEC_SIZE*4,
              VEC_SIZE*4);
  	printf("strncmp returned %d\n", ret);
  	return ret;
  }
  EOF
  gcc -o test_strncmp test_strncmp.c
  ./test_strncmp
  # On buggy systems (e.g. mine), that last call segfaults

  [Regression potential]

  The fix could introduce another bug in the routine, and/or a
  performance regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/2001932/+subscriptions

More information about the foundations-bugs mailing list