Page MenuHomeFreeBSD
Differential D46052

lib/libc/amd64/string: fix overread condition in memccpy
ClosedPublic
Actions

Authored by fuz on Jul 20 2024, 8:32 PM.
Tags
None
Referenced Files
F93139728: D46052.id.diff
Sat, Sep 7, 2:21 PM
F93093094: D46052.id141539.diff
Sat, Sep 7, 6:42 AM
Unknown Object (File)
Fri, Sep 6, 1:21 AM
Unknown Object (File)
Mon, Sep 2, 12:00 PM
Unknown Object (File)
Sat, Aug 31, 4:53 AM
Unknown Object (File)
Thu, Aug 22, 3:25 AM
Unknown Object (File)
Wed, Aug 21, 1:49 PM
Unknown Object (File)
Thu, Aug 15, 12:53 PM
View All 12 Files
Subscribers
getz
imp
swills

Details

Reviewers
mjg
emaste
getz
Commits
rG644d81447118: lib/libc/amd64/string: fix overread condition in memccpy
rG9082398090bc: lib/libc/amd64/string: fix overread condition in memccpy
Summary

An overread condition in memccpy(dst, src, c, len) would occur if
src does not cross a 16 byte boundary and there is no instance of
c between *src and the next 16 byte boundary. This could cause a
read fault if src is just before the end of a page and the next page
is unmapped or unreadable.

The bug is a consequence of basing memccpy() on the strlcpy() code:
whereas strlcpy() assumes that src is a nul-terminated string and
hence a terminator is always present, c may not be present at all in
the source string. It was not caught earlier due to insufficient
unit test design.

Performance is reduced slighty as a result of the extra check.

os: FreeBSD
arch: amd64
cpu: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
        │ memccpy.unfixed.out │         memccpy.fixed.out          │
        │       sec/op        │   sec/op     vs base               │
Short             66.76µ ± 0%   68.37µ ± 1%  +2.42% (p=0.000 n=20)
Mid               7.938µ ± 0%   7.996µ ± 1%  +0.73% (p=0.003 n=20)
Long              3.577µ ± 0%   3.576µ ± 0%  -0.02% (p=0.005 n=20)
geomean           12.38µ        12.50µ       +1.04%

        │ memccpy.unfixed.out │          memccpy.fixed.out          │
        │         B/s         │     B/s       vs base               │
Short            1.744Gi ± 0%   1.703Gi ± 1%  -2.36% (p=0.000 n=20)
Mid              14.67Gi ± 0%   14.56Gi ± 1%  -0.72% (p=0.003 n=20)
Long             32.55Gi ± 0%   32.55Gi ± 0%  +0.02% (p=0.005 n=20)
geomean          9.407Gi        9.310Gi       -1.03%

Reported by: @getz
See also: D46051
MFC: stable/14

Test Plan

See D46051.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

fuz created this revision.Jul 20 2024, 8:32 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 20 2024, 8:32 PM
fuz requested review of this revision.Jul 20 2024, 8:32 PM
Harbormaster completed remote builds in B58745: Diff 141179.Jul 20 2024, 8:32 PM
fuz added a comment.Jul 20 2024, 9:25 PM

I may have to rework this one. The changed limit check means that the code now fails with phony size limits (i.e. len == SIZE_MAX). I'll have to see how to solve this one without sacrificing more performance.

fuz updated this revision to Diff 141481.Jul 28 2024, 4:35 PM
  • lib/libc/amd64/string/memccpy.S: improve performance

The performance is now 6.9% faster than how it was before the bug fix
for the short case and only 0.36% slower for the mid case. The long
case is unchanged. The bug remains fixed.

Please review this change set, I don't plan to update it further.

os: FreeBSD
arch: amd64
cpu: 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
        │ memccpy.unfixed.out │        memccpy.fixed.7.out         │
        │       sec/op        │   sec/op     vs base               │
Short             66.76µ ± 0%   62.45µ ± 1%  -6.44% (p=0.000 n=20)
Mid               7.938µ ± 0%   7.967µ ± 0%  +0.36% (p=0.001 n=20)
Long              3.577µ ± 0%   3.577µ ± 0%       ~ (p=0.429 n=20)
geomean           12.38µ        12.12µ       -2.08%

        │ memccpy.unfixed.out │         memccpy.fixed.7.out         │
        │         B/s         │     B/s       vs base               │
Short            1.744Gi ± 0%   1.864Gi ± 1%  +6.89% (p=0.000 n=20)
Mid              14.67Gi ± 0%   14.61Gi ± 0%  -0.36% (p=0.001 n=20)
Long             32.55Gi ± 0%   32.55Gi ± 0%       ~ (p=0.429 n=20)
geomean          9.407Gi        9.606Gi       +2.12%
Harbormaster completed remote builds in B58872: Diff 141481.Jul 28 2024, 4:36 PM
swills added a subscriber: swills.Jul 28 2024, 5:09 PM
getz accepted this revision.Jul 29 2024, 12:20 PM

Looks good, gonna revise the aarch64 port of this to handle it the same way.

This revision is now accepted and ready to land.Jul 29 2024, 12:20 PM
getz mentioned this in D46170: lib/libc/aarch64/string: add memccpy SIMD implementation.Jul 29 2024, 12:49 PM
Closed by commit rG9082398090bc: lib/libc/amd64/string: fix overread condition in memccpy (authored by fuz). · Explain WhyJul 29 2024, 7:38 PM
This revision was automatically updated to reflect the committed changes.
fuz added a commit: rG9082398090bc: lib/libc/amd64/string: fix overread condition in memccpy.
fuz mentioned this in D46051: lib/libc/tests/string: improve memccpy "bounds" unit test.Aug 7 2024, 10:23 AM
fuz added a commit: rG644d81447118: lib/libc/amd64/string: fix overread condition in memccpy.Aug 7 2024, 2:19 PM

Revision Contents
Changeset List

PathSize
lib/
libc/
amd64/
string/
113 lines

Diff 141539

View Options

lib/libc/amd64/string/memccpy.S

Loading...