From patchwork Mon Apr 13 14:16:10 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "zhuyan (M)" <zhuyan34@huawei.com>
X-Patchwork-Id: 1269832
Return-Path: <libc-alpha-bounces@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org
 (client-ip=2620:52:3:1:0:246e:9693:128c; helo=sourceware.org;
 envelope-from=libc-alpha-bounces@sourceware.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=huawei.com
Received: from sourceware.org (server2.sourceware.org
 [IPv6:2620:52:3:1:0:246e:9693:128c])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4919dy1S6sz9sSY
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2020 00:16:21 +1000 (AEST)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 695603887007;
	Mon, 13 Apr 2020 14:16:18 +0000 (GMT)
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from huawei.com (szxga01-in.huawei.com [45.249.212.187])
 by sourceware.org (Postfix) with ESMTPS id AE67F3887000
 for <libc-alpha@sourceware.org>; Mon, 13 Apr 2020 14:16:14 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org AE67F3887000
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=huawei.com
Authentication-Results: sourceware.org;
 spf=pass smtp.mailfrom=zhuyan34@huawei.com
Received: from DGGEMM404-HUB.china.huawei.com (unknown [172.30.72.55])
 by Forcepoint Email with ESMTP id 1EFE4E9CA4F2FA7C328E;
 Mon, 13 Apr 2020 22:16:11 +0800 (CST)
Received: from dggeme759-chm.china.huawei.com (10.3.19.105) by
 DGGEMM404-HUB.china.huawei.com (10.3.20.212) with Microsoft SMTP Server (TLS)
 id 14.3.487.0; Mon, 13 Apr 2020 22:16:10 +0800
Received: from dggeme762-chm.china.huawei.com (10.3.19.108) by
 dggeme759-chm.china.huawei.com (10.3.19.105) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1713.5; Mon, 13 Apr 2020 22:16:10 +0800
Received: from dggeme762-chm.china.huawei.com ([10.8.68.53]) by
 dggeme762-chm.china.huawei.com ([10.8.68.53]) with mapi id 15.01.1713.004;
 Mon, 13 Apr 2020 22:16:10 +0800
From: "zhuyan (M)" <zhuyan34@huawei.com>
To: "libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Subject: [PATCH v2] memcpy: use bhs/bls instead of bge/blt [BZ #25620]
Thread-Topic: [PATCH v2] memcpy: use bhs/bls instead of bge/blt [BZ #25620]
Thread-Index: AdYRngYhJjsl9n/XTDeMc4+MLLtXHA==
Date: Mon, 13 Apr 2020 14:16:10 +0000
Message-ID: <95923e664fc9426c9c121efeaa69268c@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.67.102.217]
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-22.5 required=5.0 tests=BAYES_00, GIT_PATCH_0,
 GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_DMARC_STATUS, KAM_SHORT,
 SPF_HELO_PASS, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Cc: Joseph Myers <joseph@codesourcery.com>
Errors-To: libc-alpha-bounces@sourceware.org
Sender: "Libc-alpha" <libc-alpha-bounces@sourceware.org>

In ARMv7, the memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.

Such as, we use 'memcpy' copy 0x80000000 byte to buffer(The buffer size is 100 bytes), it didn't crash.

Reference link: https://sourceware.org/bugzilla/attachment.cgi?id=12334&action=edit

Signed-off-by: Yan Zhu <zhuyan34@huawei.com>
---
 sysdeps/arm/Makefile                      |  6 +++-
 sysdeps/arm/armv7/multiarch/memcpy_impl.S | 14 ++++----
 sysdeps/arm/tst-armv7memcpybign.c         | 54 +++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 8 deletions(-)  create mode 100644 sysdeps/arm/tst-armv7memcpybign.c

--
2.12.3

diff --git a/sysdeps/arm/Makefile b/sysdeps/arm/Makefile index ad2042b93a..7c1f19e225 100644
--- a/sysdeps/arm/Makefile
+++ b/sysdeps/arm/Makefile
@@ -19,21 +19,25 @@ lib-noranlib: $(objpfx)libgcc-stubs.a
 
 ifeq ($(build-shared),yes)
 ifeq ($(have-arm-tls-desc),yes)
-tests += tst-armtlsdescloc tst-armtlsdescextnow tst-armtlsdescextlazy
+tests += tst-armtlsdescloc tst-armtlsdescextnow tst-armtlsdescextlazy 
+tst-armv7memcpybign
 modules-names += tst-armtlsdesclocmod
 modules-names += tst-armtlsdescextlazymod tst-armtlsdescextnowmod
+modeles-names += tst-armv7memcpybignmod
 CPPFLAGS-tst-armtlsdescextnowmod.c += -Dstatic=  CPPFLAGS-tst-armtlsdescextlazymod.c += -Dstatic=  CFLAGS-tst-armtlsdesclocmod.c += -mtls-dialect=gnu2  CFLAGS-tst-armtlsdescextnowmod.c += -mtls-dialect=gnu2  CFLAGS-tst-armtlsdescextlazymod.c += -mtls-dialect=gnu2
+CFLAGS-tst-armv7memcpybign.c += -mtls-dialect=gnu2
 LDFLAGS-tst-armtlsdescextnowmod.so += -Wl,-z,now  tst-armtlsdescloc-ENV = LD_BIND_NOW=1  tst-armtlsdescextnow-ENV = LD_BIND_NOW=1  tst-armtlsdescextlazy-ENV = LD_BIND_NOW=1
+tst-armv7memcpybign-ENV = LD_BIND_NOW=1
 $(objpfx)tst-armtlsdescloc: $(objpfx)tst-armtlsdesclocmod.so
 $(objpfx)tst-armtlsdescextnow: $(objpfx)tst-armtlsdescextnowmod.so
 $(objpfx)tst-armtlsdescextlazy: $(objpfx)tst-armtlsdescextlazymod.so
+$(objpfx)tst-armv7memcpybign: $(objpfx)tst-armv7memcpybignmod.so
 endif
 endif
 endif
diff --git a/sysdeps/arm/armv7/multiarch/memcpy_impl.S b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
index bf4ac7077f..7455bdc6c7 100644
--- a/sysdeps/arm/armv7/multiarch/memcpy_impl.S
+++ b/sysdeps/arm/armv7/multiarch/memcpy_impl.S
@@ -268,7 +268,7 @@ ENTRY(memcpy)
 
 	mov	dst, dstin	/* Preserve dstin, we need to return it.  */
 	cmp	count, #64
-	bge	.Lcpy_not_short
+	bhs	.Lcpy_not_short
 	/* Deal with small copies quickly by dropping straight into the
 	   exit block.  */
 
@@ -351,10 +351,10 @@ ENTRY(memcpy)
 
 1:
 	subs	tmp2, count, #64	/* Use tmp2 for count.  */
-	blt	.Ltail63aligned
+	bls	.Ltail63aligned
 
 	cmp	tmp2, #512
-	bge	.Lcpy_body_long
+	bhs	.Lcpy_body_long
 
 .Lcpy_body_medium:			/* Count in tmp2.  */
 #ifdef USE_VFP
@@ -378,7 +378,7 @@ ENTRY(memcpy)
 	add	src, src, #64
 	vstr	d1, [dst, #56]
 	add	dst, dst, #64
-	bge	1b
+	bhs	1b
 	tst	tmp2, #0x3f
 	beq	.Ldone
 
@@ -412,7 +412,7 @@ ENTRY(memcpy)
 	ldrd	A_l, A_h, [src, #64]!
 	strd	A_l, A_h, [dst, #64]!
 	subs	tmp2, tmp2, #64
-	bge	1b
+	bhs	1b
 	tst	tmp2, #0x3f
 	bne	1f
 	ldr	tmp2,[sp], #FRAME_SIZE
@@ -482,7 +482,7 @@ ENTRY(memcpy)
 	add	src, src, #32
 
 	subs	tmp2, tmp2, #prefetch_lines * 64 * 2
-	blt	2f
+	bls	2f
 1:
 	cpy_line_vfp	d3, 0
 	cpy_line_vfp	d4, 64
@@ -494,7 +494,7 @@ ENTRY(memcpy)
 	add	dst, dst, #2 * 64
 	add	src, src, #2 * 64
 	subs	tmp2, tmp2, #prefetch_lines * 64
-	bge	1b
+	bhs	1b
 
 2:
 	cpy_tail_vfp	d3, 0
diff --git a/sysdeps/arm/tst-armv7memcpybign.c b/sysdeps/arm/tst-armv7memcpybign.c
new file mode 100644
index 0000000000..c9f0873c90
--- /dev/null
+++ b/sysdeps/arm/tst-armv7memcpybign.c
@@ -0,0 +1,54 @@
+/* Test scenes where ARMv7 memcpy parameter num is very large.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+
+int g_ret = 0;
+
+void
+sigsegv_handle(int signum)
+{
+  printf("Enter sigsegv_handle function\n");
+  g_ret = signum;
+  exit(0);
+}
+
+int
+memcpy_big_n (void)
+{
+  char buf[100] = {0};
+  memcpy(buf, "abcd", 0x80000000);
+}
+
+int
+do_test (void)
+{
+  signal(SIGSEGV, sigsegv_handle);
+  memcpy_big_n();
+  if (g_ret == 0)
+    return 1;
+  else
+    return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
+