diff options
| author | Robert Clausecker <fuz@FreeBSD.org> | 2025-12-10 20:45:18 +0000 |
|---|---|---|
| committer | Robert Clausecker <fuz@FreeBSD.org> | 2025-12-14 16:06:05 +0000 |
| commit | 66eb78377bf109af1d9e25626bf254b4369436ec (patch) | |
| tree | 328a79991a3b4e570a127c671c215a7ce2c82f26 /cddl/(public-mirror) | |
| parent | 123c086200491819595abc271d360e605288fd18 (diff) | |
Due to incorrect unit test design, two overread conditions went
undetected in the amd64 baseline stpncpy() implementation.
For buffers of 1--16 and 32 bytes that do not contain nul bytes
and end exactly at a page boundary, the code would incorrectly
read 16 bytes from the next page, possibly crossing into an
unmapped page and crashing the program. If the next page was
mapped, the code would then proceed with the expected behaviour
of the stpncpy() function.
Three changes were made to fix the bug:
- an off-by-one error is fixed in the code deciding whether to
enter the runt case or not, entering it for 0<n<=32 bytes
instead of 0<n<32 bytes as it was before.
- in the runt case, the logic to skip reading a second 16-byte
chunk if the buffer ends in the first chunk was fixed to
account for buffers that end at a 16-byte boundary but do not
hold a nul byte.
- in the runt case, the logic to transform the location of the
end of the input buffer into a bit mask was fixed to allow
the case of n==32, which was previously impossible due to the
incorrect logic for entering said case.
The performance impact should be minimal.
PR: 291359
See also: D54169
Reported by: Collin Funk <collin.funk1@gmail.com>
Reviewed by: getz
Approved by: markj (mentor)
MFC after: 1 week
Fixes: 90253d49db09a9b1490c448d05314f3e4bbfa468 (D42519)
Differential Revision: https://reviews.freebsd.org/D54170
Diffstat (limited to 'cddl/(public-mirror)')
0 files changed, 0 insertions, 0 deletions