[libc][bug] Fix out of bound write in memcpy w/ software prefetching #90613
Conversation
This bug showed up when running fuzzers newly added fuzzers llvm#90591.
|
@llvm/pr-subscribers-libc Author: Guillaume Chatelet (gchatelet) ChangesThis bug showed up when running fuzzers newly added fuzzers #90591. Full diff: https://github.com/llvm/llvm-project/pull/90613.diff 1 Files Affected:
diff --git a/libc/src/string/memory_utils/x86_64/inline_memcpy.h b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
index ae61b1235bd08c..150ad9536fd4dd 100644
--- a/libc/src/string/memory_utils/x86_64/inline_memcpy.h
+++ b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
@@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,
offset += K_THREE_CACHELINES;
}
}
- return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);
+ // We don't use 'loop_and_tail_offset' because it assumes at least one
+ // iteration of the loop.
+ while (offset + 32 <= count) {
+ builtin::Memcpy<32>::block_offset(dst, src, offset);
+ offset += 32;
+ }
+ return builtin::Memcpy<32>::tail(dst, src, count);
}
[[maybe_unused]] LIBC_INLINE void
@@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
offset += K_THREE_CACHELINES;
}
return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
+ // We don't use 'loop_and_tail_offset' because it assumes at least one
+ // iteration of the loop.
+ while (offset + 64 <= count) {
+ builtin::Memcpy<64>::block_offset(dst, src, offset);
+ offset += 64;
+ }
}
[[maybe_unused]] LIBC_INLINE void
|
| @@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst, | |||
| offset += K_THREE_CACHELINES; | |||
| } | |||
| return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset); | |||
| // We don't use 'loop_and_tail_offset' because it assumes at least one | |||
There was a problem hiding this comment.
This is dead code. (return above). I'm surprised this was not caught by tests ?
There was a problem hiding this comment.
The code is obvioulsy wrong here. It's actually not fixing the out-of-bound write with software prefetchers for AVX. This code path is not tested because it depends on the LIBC_COPT_MEMCPY_X86_USE_SOFTWARE_PREFETCHING flag that is not activated for tests. We should be testing it but it depends on host runner hardware capabilities and so requires some more scaffolding.
Created #92089 to track this.
gchatelet
changed the title
|
As discussed offline, I'm closing this issue, the tests and fix will be done in #90591. |
This bug showed up when running fuzzers newly added fuzzers #90591.