[libc][bug] Fix out of bound write in memcpy wi software prefetching

gchatelet · gchatelet · commit b41ea8ede9d2 · 2024-04-30T13:58:41.000Z
This bug showed up when running fuzzers newly added fuzzers llvm#90591.
diff --git a/libc/src/string/memory_utils/x86_64/inline_memcpy.h b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
@@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,
       offset += K_THREE_CACHELINES;
     }
   }
-  return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);
+  // We don't use 'loop_and_tail_offset' because it assumes at least one
+  // iteration of the loop.
+  while (offset + 32 <= count) {
+    builtin::Memcpy<32>::block_offset(dst, src, offset);
+    offset += 32;
+  }
+  return builtin::Memcpy<32>::tail(dst, src, count);
 }
 
 [[maybe_unused]] LIBC_INLINE void
@@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
     offset += K_THREE_CACHELINES;
   }
   return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
+  // We don't use 'loop_and_tail_offset' because it assumes at least one
+  // iteration of the loop.
+  while (offset + 64 <= count) {
+    builtin::Memcpy<64>::block_offset(dst, src, offset);
+    offset += 64;
+  }
 }
 
 [[maybe_unused]] LIBC_INLINE void

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,`
`107`	`107`	`offset += K_THREE_CACHELINES;`
`108`	`108`	`}`
`109`	`109`	`}`
`110`		`- return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);`
	`110`	`+ // We don't use 'loop_and_tail_offset' because it assumes at least one`
	`111`	`+ // iteration of the loop.`
	`112`	`+ while (offset + 32 <= count) {`
	`113`	`+ builtin::Memcpy<32>::block_offset(dst, src, offset);`
	`114`	`+ offset += 32;`
	`115`	`+ }`
	`116`	`+ return builtin::Memcpy<32>::tail(dst, src, count);`
`111`	`117`	`}`
`112`	`118`
`113`	`119`	`[[maybe_unused]] LIBC_INLINE void`
`@@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,`
`140`	`146`	`offset += K_THREE_CACHELINES;`
`141`	`147`	`}`
`142`	`148`	`return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);`
	`149`	`+ // We don't use 'loop_and_tail_offset' because it assumes at least one`
	`150`	`+ // iteration of the loop.`
	`151`	`+ while (offset + 64 <= count) {`
	`152`	`+ builtin::Memcpy<64>::block_offset(dst, src, offset);`
	`153`	`+ offset += 64;`
	`154`	`+ }`
`143`	`155`	`}`
`144`	`156`
`145`	`157`	`[[maybe_unused]] LIBC_INLINE void`