Message ID | 201412221953.sBMJrFOu030187@farm-0002.internal.tilera.com |
---|---|
State | New |
Headers | show |
Is this bug covered by an existing testcase? If not, I think one should be added (architecture-independent).
On 12/22/2014 3:05 PM, Joseph Myers wrote: > Is this bug covered by an existing testcase? If not, I think one should > be added (architecture-independent). It was revealed by HJ's modification to check2() in string/test-strstr.c to test for page boundary. So arguably we are more or less covered. In fact for this particular bug we need it to be the case that the skipped-over NUL value is in an address that is >= 4, mod 8, which happens to be true in this case, but I'm not sure it was by design. However, that test case does reliably catch this particular bug. I think I must not have re-checked the ILP32 build of glibc since committing the optimized strstr in September, or else I just missed the FAIL from this one.
diff --git a/ChangeLog b/ChangeLog index 4ad8b90161cf..77abebf47806 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2014-12-22 Chris Metcalf <cmetcalf@ezchip.com> + + [BZ #17746] + * sysdeps/tile/tilegx/strstr.c (STRSTR2): Remove implicit boolean + conversion. + 2014-12-22 Steve Ellcey <sellcey@imgtec.com> * sysdeps/unix/mips/sysdep.h (__mips_isa_rev): Set diff --git a/NEWS b/NEWS index cf0756b2e04b..56dfff03bf32 100644 --- a/NEWS +++ b/NEWS @@ -15,7 +15,7 @@ Version 2.21 17522, 17555, 17570, 17571, 17572, 17573, 17574, 17581, 17582, 17583, 17584, 17585, 17589, 17594, 17601, 17608, 17616, 17625, 17630, 17633, 17634, 17647, 17653, 17657, 17664, 17665, 17668, 17682, 17717, 17719, - 17722, 17724, 17725, 17733, 17744, 17745. + 17722, 17724, 17725, 17733, 17744, 17745, 17746. * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for diff --git a/sysdeps/tile/tilegx/strstr.c b/sysdeps/tile/tilegx/strstr.c index d04f12910db2..de5adaff91c7 100644 --- a/sysdeps/tile/tilegx/strstr.c +++ b/sysdeps/tile/tilegx/strstr.c @@ -154,7 +154,7 @@ STRSTR2 (const char *haystack_start, const char *needle) /* Look for a terminating '\0'. */ zero_matches = __insn_v1cmpeqi (v, 0); uint64_t byte1_matches = __insn_v1cmpeq (v, byte1); - if (__builtin_expect (zero_matches, 0)) + if (__builtin_expect (zero_matches != 0, 0)) { /* This is the last vector. Don't worry about matches crossing into the next vector. Shift the second byte