Commit Graph

882 Commits

Author SHA1 Message Date
Florian Weimer
25a5eb4010 string: strerror, strsignal cannot use buffer after dlmopen (bug 32026)
Secondary namespaces have a different malloc.  Allocating the
buffer in one namespace and freeing it another results in
heap corruption.  Fix this by using a static string (potentially
translated) in secondary namespaces.  It would also be possible
to use the malloc from the initial namespace to manage the
buffer, but these functions would still not be safe to use in
auditors etc. because a call to strerror could still free a
buffer while it is used by the application.  Another approach
could use proper initial-exec TLS, duplicated in secondary
namespaces, but that would need a callback interface for freeing
libc resources in namespaces on thread exit, which does not exist
today.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-08-19 15:48:03 +02:00
Noah Goldstein
7da0886247 x86: Fix bug in strchrnul-evex512 [BZ #32078]
Issue was we were expecting not matches with CHAR before the start of
the string in the page cross case.

The check code in the page cross case:
```
    and    $0xffffffffffffffc0,%rax
    vmovdqa64 (%rax),%zmm17
    vpcmpneqb %zmm17,%zmm16,%k1
    vptestmb %zmm17,%zmm17,%k0{%k1}
    kmovq  %k0,%rax
    inc    %rax
    shr    %cl,%rax
    je     L(continue)
```

expects that all characters that neither match null nor CHAR will be
1s in `rax` prior to the `inc`. Then the `inc` will overflow all of
the 1s where no relevant match was found.

This is incorrect in the page-cross case, as the
`vmovdqa64 (%rax),%zmm17` loads from before the start of the input
string.

If there are matches with CHAR before the start of the string, `rax`
won't properly overflow.

The fix is quite simple. Just replace:

```
    inc    %rax
    shr    %cl,%rax
```
With:
```
    sar    %cl,%rax
    inc    %rax
```

The arithmetic shift will clear any matches prior to the start of the
string while maintaining the signbit so the 1s can properly overflow
to zero in the case of no matches.
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2024-08-15 08:11:33 -07:00
Florian Weimer
54252394c2 Enhanced test coverage for strncmp, wcsncmp
Add string/test-strncmp-nonarray and
wcsmbs/test-wcsncmp-nonarray.

This is the test that uncovered bug 31934.  Test run time
is more than one minute on a fairly current system, so turn
these into xtests that do not run automatically.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2024-08-01 09:08:32 +02:00
Florian Weimer
783d4c0b81 Enhance test coverage for strnlen, wcsnlen
This commit adds string/test-strnlen-nonarray and
wcsmbs/test-wcsnlen-nonarray.

Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2024-08-01 09:07:34 +02:00
Adhemerval Zanella
cf11e74b0d wcsmbs: Ensure wcstr worst-case linear execution time (BZ 23865)
It uses the same two-way algorithm used on strstr, strcasestr, and
memmem.  Different than strstr, neither the "shift table" optimization
nor the self-adapting filtering check is used because it would result in
a too-large shift table (and it also simplifies the implementation bit).

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>
2024-04-11 14:21:32 -03:00
Adhemerval Zanella
4b717562c4 wcsmbs: Add test-wcsstr
Parametrize test-strstr.c so it can be used to check wcsstr.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.

Reviewed-by: DJ Delorie <dj@redhat.com>
2024-04-11 14:21:32 -03:00
Adhemerval Zanella
5e9696b265 string: Improve fortify with clang
It improve fortify checks for strcpy, stpcpy, strncpy, stpncpy, strcat,
strncat, strlcpy, and strlcat.  The runtime and compile checks have
similar coverage as with GCC.

Checked on aarch64, armhf, x86_64, and i686.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
2024-02-27 10:52:58 -03:00
Stefan Liebler
ab0db3b884 Fix stringop-overflow warning in tst-strlcat2.
On s390x, I get warnings like this when do_one_test is inlined with SIZE_MAX:
In function ‘do_one_test’,
    inlined from ‘do_overflow_tests’ at tst-strlcat2.c:184:2:
tst-strlcat2.c:49:18: error: ‘strnlen’ specified bound [18446744073709550866, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]
   49 | # define STRNLEN strnlen
      |                  ^
tst-strlcat2.c:89:23: note: in expansion of macro ‘STRNLEN’
   89 |   size_t dst_length = STRNLEN (dst, n);
      |                       ^~~~~~~

This patch just marks the do_one_test function as noinline as also done in test-strncat.c:
Fix stringop-overflow warning in test-strncat.
https://sourceware.org/git/?p=glibc.git;a=commit;h=51aeab9a363a0d000d0912aa3d6490463a26fba2
2024-02-05 15:04:26 +01:00
Adhemerval Zanella Netto
ae4b8d6a0e string: Use builtins for ffs and ffsll
It allows to remove a lot of arch-specific implementations.

Checked on x86_64, aarch64, powerpc64.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2024-02-01 09:31:33 -03:00
Joseph Myers
42cc619dfb Refer to C23 in place of C2X in glibc
WG14 decided to use the name C23 as the informal name of the next
revision of the C standard (notwithstanding the publication date in
2024).  Update references to C2X in glibc to use the C23 name.

This is intended to update everything *except* where it involves
renaming files (the changes involving renaming tests are intended to
be done separately).  In the case of the _ISOC2X_SOURCE feature test
macro - the only user-visible interface involved - support for that
macro is kept for backwards compatibility, while adding
_ISOC23_SOURCE.

Tested for x86_64.
2024-02-01 11:02:01 +00:00
Adhemerval Zanella
77c6a2717d string: Disable stack protector for memset in early static initialization
For ports that use the default memset, the compiler might generate early
calls before the stack protector is initialized (for instance, riscv
with -fstack-protector-all on _dl_aux_init).

Checked on riscv64-linux-gnu-rv64imafdc-lp64d.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
2024-01-23 10:22:59 -03:00
Noah Goldstein
4b00532e51 string: Add additional output in test-strchr failure
Seeing occasional failures in `__strchrnul_evex512` that are not
consistently reproducible. Hopefully by adding this the next failure
will provide enough information to debug.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
2024-01-01 21:06:57 -08:00
Paul Eggert
dff8da6b3e Update copyright dates with scripts/update-copyrights 2024-01-01 10:53:40 -08:00
Adhemerval Zanella
fccf38c517 string: Add internal memswap implementation
The prototype is:

  void __memswap (void *restrict p1, void *restrict p2, size_t n)

The function swaps the content of two memory blocks P1 and P2 of
len N.  Memory overlap is NOT handled.

It will be used on qsort optimization.

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-10-31 14:17:33 -03:00
Sunil K Pandey
b316c9a769 Add strlcat/wcslcat testcase.
This patch implements comprehensive tests for strlcat/wcslcat
functions.  Tests are mostly derived from strncat test suites
and modified to incorporate strlcat/wcslcat specifications.

Reviewed-by: DJ Delorie <dj@redhat.com>
2023-10-17 18:19:01 -04:00
Sunil K Pandey
23871292fb Add strlcpy/wcslcpy testcase
This patch implements comprehensive tests for strlcpy/wcslcpy
functions.  Tests are mostly derived from strncpy test suites
and modified to incorporate strlcpy/wcslcpy specifications.

Reviewed-by: DJ Delorie <dj@redhat.com>
2023-10-17 18:18:55 -04:00
Mahesh Bodapati
f1c7ed0859 string: Fix tester build with fortify enable with gcc < 12
When building with fortify enabled, GCC < 12 issues a warning on the
fortify strncat wrapper might overflow the destination buffer (the
failure is tied to -Werror).

Checked on ppc64 and x86_64.
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-08-18 07:59:55 -05:00
Adhemerval Zanella Netto
784ae96811 string: Fix tester build with fortify enable with gcc 6
When building with fortify enabled, GCC 6 issues an warning the fortify
wrapper might overflow the destination buffer.  However, GCC does not
provide a specific flag to disable the warning (the failure is tied to
-Werror).  So to avoid disable all errors, only enable the check for
GCC 7 or newer.

Checked on i686-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-07-26 10:45:49 -03:00
Adhemerval Zanella Netto
c2dc8ab6a5 string: Fix tester with fortify enabled
If fortify is enabled, the truncated output warning is issued by
the wrapper itself:

In function ‘strncpy’,
    inlined from ‘test_strncpy’ at tester.c:505:10:
../string/bits/string_fortified.h:95:10: error: ‘__builtin_strncpy’
destination unchanged after copying no bytes from a string of length 3
[-Werror=stringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   96 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../include/bits/string_fortified.h:1,
                 from ../string/string.h:548,
                 from ../include/string.h:60,
                 from tester.c:33,
                 from inl-tester.c:6:
In function ‘strncpy’,
    inlined from ‘test_strncpy’ at tester.c:505:10:

Checked on x86_64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-07-24 15:26:17 -03:00
Adhemerval Zanella Netto
85ac7edcdf string: Fix bug-strncat1 with fortify enabled
If fortify is enabled, the truncated output warning is issued by
the wrapper itself:

bug-strncat1.c: In function ‘main’:
bug-strncat1.c:14:3: error: ‘__builtin___strncat_chk’ output truncated
copying 1 byte from a string of length 2 [-Werror=stringop-truncation]
   14 |   strncat (d, "\5\6", 1);
      |   ^

Checked on x86_64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2023-07-24 15:26:17 -03:00
Frédéric Bérat
20c894d21e Exclude routines from fortification
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to
be excluded from the fortification.

On top of that:
 - some tests explicitly verify that some level of fortification works
   appropriately, we therefore shouldn't modify the level set for them.
 - some objects need to be build with optimization disabled, which
   prevents _FORTIFY_SOURCE to be used for them.

Assembler files that implement architecture specific versions of the
fortified routines were not excluded from _FORTIFY_SOURCE as there is no
C header included that would impact their behavior.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-07-05 16:59:48 +02:00
Florian Weimer
1d44530a5b string: strerror must not return NULL (bug 30555)
For strerror, this fixes commit 28aff04781 ("string:
Implement strerror in terms of strerror_l").  This commit avoids
returning NULL for strerror_l as well, although POSIX allows this
behavior for strerror_l.

Reviewed-by: Arjun Shankar <arjun@redhat.com>
2023-06-15 19:54:09 +02:00
Florian Weimer
454a20c875 Implement strlcpy and strlcat [BZ #178]
These functions are about to be added to POSIX, under Austin Group
issue 986.

The fortified strlcat implementation does not raise SIGABRT if the
destination buffer does not contain a null terminator, it just
inherits the non-failing regular strlcat behavior.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-06-14 18:10:08 +02:00
Paul Pluzhnikov
7f0d9e61f4 Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
Joe Simmons-Talbott
0c48aa0551 string: Add tests for strndup (BZ #30266)
Copy strncpy tests for strndup.  Covers some basic testcases with random
strings.  Remove tests that set the destination's bytes and checked the
resulting buffer's bytes.  Remove wide character test support since
wcsndup() doesn't exist.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-04-21 10:50:42 -03:00
Joe Simmons-Talbott
eaaad78db4 string: Add tests for strdup (BZ #30266)
Copy strcpy tests for strdup.  Covers some basic testcases with random
strings.  Add a zero-length string testcase.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-04-21 10:28:01 -03:00
Joe Simmons-Talbott
1626d8a521 string: Allow use of test-string.h for non-ifunc implementations.
Mark two variables as unused to silence warning when using
test-string.h for non-ifunc implementations.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-04-21 10:28:01 -03:00
Florian Weimer
30e3ca78f9 <string.h>: Make strchrnul, strcasestr, memmem available by default
FreeBSD makes them available by default, too, so there does not seem
to be a reason to restrict these functions to _GNU_SOURCE.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
2023-04-06 16:41:12 +02:00
Stefan Liebler
51aeab9a36 Fix stringop-overflow warning in test-strncat.
Starting with commit
b2c474f8de
"x86: Fix strncat-avx2.S reading past length [BZ #30065]"

Building on s390 the test fails due warnings like:

In function ‘do_one_test’,
    inlined from ‘do_overflow_tests’ at test-strncat.c:175:7:
test-strncat.c:31:18: error: ‘strnlen’ specified bound [4294966546, 4294967295] exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
   31 | # define STRNLEN strnlen
      |                  ^
test-strncat.c:83:16: note: in expansion of macro ‘STRNLEN’
   83 |   size_t len = STRNLEN (src, n);
|                ^~~~~~~

In all werror cases, the call to strnlen (.., SIZE_MAX) is inlined.
Therefore this patch just marks the do_one_test function as noinline.

Reviewed-by: Wilco Dijkstra  <Wilco.Dijkstra@arm.com>
2023-03-02 14:25:34 +01:00
Adhemerval Zanella
fb95c31638 string: Disable stack protector in early static initialization
For powerpc, strncmp is used on _dl_string_platform issued by
__tcb_parse_hwcap_and_convert_at_platform.

Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
2023-02-08 17:14:03 -03:00
Adhemerval Zanella
22999b2f0f string: Add libc_hidden_proto for memrchr
Although static linker can optimize it to local call, it follows the
internal scheme to provide hidden proto and definitions.

Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
2023-02-08 17:13:58 -03:00
Adhemerval Zanella
7ea510127e string: Add libc_hidden_proto for strchrnul
Although static linker can optimize it to local call, it follows the
internal scheme to provide hidden proto and definitions.

Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
2023-02-08 17:13:56 -03:00
Adhemerval Zanella
0b9d2d4a76 string: Hook up the default implementation on test-strrchr
And remove SIMPLE_STRRCHR, which is not used anywhere.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
77a9e5c97e string: Hook up the default implementation on test-memrchr
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
0dfa8617b5 string: Hook up the default implementation on test-memchr
And remove SIMPLE_MEMCHR, which is not used anywhere.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
3092c84900 string: Hook up the default implementation on test-strcpy
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
11aabacce8 string: Hook up the default implementation on test-stpcpy
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
c863e33f78 string: Hook up the default implementation on test-strncmp
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
e7a0c81e61 string: Hook up the default implementation on test-strcmp
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
c19e3394a2 string: Hook up the default implementation on test-strchr
Also remove the simple_STRCHR, which can be easily replaced.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
b79cffb391 string: Hook up the default implementation on test-strnlen
Also remove the SIMPLE_STRNLEN, which is not used anywhere.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
52d9adc9e3 string: Hook up the default implementation on test-strlen
Also remove the simple_STRLEN and builtin_strlen, which are not used
anywhere.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
167f6230af string: Improve generic strrchr with memrchr and strlen
Now that both strlen and memrchr have word vectorized implementation,
it should be faster to implement strrchr based on memrchr over the
string length instead of calling strchr on a loop.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc-linux-gnu,
and powerpc64-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
9d4fa7a1ca string: Improve generic memrchr
New algorithm read the lastaligned address and mask off the unwanted
bytes.  The loop now read word-aligned address and check using the
has_eq macro.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc-linux-gnu,
and powerpc64-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Co-authored-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
0f4254311e string: Improve generic strnlen with memchr
It also cleanups the multiple inclusion by leaving the ifunc
implementation to undef the weak_alias and libc_hidden_def.

Co-authored-by: Richard Henderson  <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
2a8867a17f string: Improve generic memchr
New algorithm read the first aligned address and mask off the
unwanted bytes (this strategy is similar to arch-specific
implementations used on powerpc, sparc, and sh).

The loop now read word-aligned address and check using the has_eq
macro.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc-linux-gnu,
and powerpc64-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Co-authored-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
3709ed9047 string: Improve generic strcpy
Now that stpcpy is vectorized based on op_t, it should be better to
call it instead of strlen plus memcpy.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
and powerpc-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
30c1dfde31 string: Improve generic stpcpy
It follows the strategy:

  - Align the destination on word boundary using byte operations.

  - If source is also word aligned, read a word per time, check for
    null (using has_zero from string-fzb.h), and write the remaining
    bytes.

  - If source is not word aligned, loop by aligning the source, and
    merging the result of two reads.  Similar to aligned case,
    check for null with has_zero, and write the remaining bytes if
    null is found.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
and powerpc-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
367c31b5d6 string: Improve generic strncmp
It follows the strategy:

   - Align the first input to word boundary using byte operations.

   - If second input is also word aligned, read a word per time, check
     for  null (using has_zero), and check final words using byte
     operation.

   - If second input is not word aligned, loop by aligning the source,
     and merge the result of two reads.  Similar to aligned case, check
     for null with has_zero, and check final words using byte operation.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
and powerpc-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2023-02-06 16:19:35 -03:00
Adhemerval Zanella
30cf54bf30 string: Improve generic strcmp
It follows the strategy:

  - Align the first input to word boundary using byte operations.

  - If second input is also word aligned, read a word per time, check for
    null (using has_zero), and check final words using byte operation.

  - If second input is not word aligned, loop by aligning the source, and
    merging the result of two reads.  Similar to aligned case, check for
    null with has_zero, and check final words using byte operation.

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc64-linux-gnu,
and powerpc-linux-gnu by removing the arch-specific assembly
implementation and disabling multi-arch (it covers both LE and BE
for 64 and 32 bits).

Co-authored-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Noah Goldstein <goldstein.w.n@gmail.com>
2023-02-06 16:19:35 -03:00