Bug 593129 - Powerpc strncmp does not handle zero length comparisons correctly
Summary: Powerpc strncmp does not handle zero length comparisons correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.0
Hardware: powerpc
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: David Howells
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 1020786
Reported: 2010-05-17 21:32 UTC by Issue Tracker
Modified: 2018-11-14 20:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1020786 (view as bug list)
Environment:
Last Closed: 2010-11-11 15:46:49 UTC
Target Upstream Version:
Embargoed:


Attachments
Fix for strncmp() (1.53 KB, patch)
2010-05-20 09:51 UTC, David Howells

Description Issue Tracker 2010-05-17 21:32:50 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2010-05-17 21:32:52 UTC
Event posted on 03-01-2010 06:52am CST by linux26port

Description of problem:

During a port of our product to a 2.6.27 kernel we found that the kernel implementation of strncmp on powerpc is buggy. The following is the implementation of strncmp in RHEL6 alpha3. The implementation has changed recently in the generic Linux kernel to use this assembler version in preference to the old 'C' version (which was used in, for example, RHEL5):

_GLOBAL(strncmp)
        PPC_LCMPI r5,0
        beqlr
        mtctr   r5
        addi    r5,r3,-1
        addi    r4,r4,-1
1:      lbzu    r3,1(r5)
        cmpwi   1,r3,0
        lbzu    r0,1(r4)
        subf.   r3,r0,r3
        beqlr   1
        bdnzt   eq,1b
        blr

The length argument is passed in r5, and the return value from strncmp is passed back in r3. If length (r5) is zero, strncmp will return without explicitly setting r3 and the return value will be incorrect. Note that we have not confirmed/reproduced this bug on a RHEL6 release. We are raising this bug because it exists in other kernels and appears by code inspection to exist in RHEL6.

How reproducible:
Should be easy to reproduce using this simple kernel module:

----------------------------- 8< ---------------------------
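#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/string.h>

char string1[1];
char string2[1];

/* Global, non-constant length: the call cannot be folded away at build time. */
size_t count_global = 0;

static int __init
strncmp_init(void)
{
        string1[0] = string2[0] = 0;

        /* A zero-length comparison must return 0; a non-zero result is the bug. */
        if (strncmp(string1, string2, count_global)) printk("Strncmp Bug!\n");

        return 0;
}

module_init(strncmp_init);

static void __exit
strncmp_exit(void)
{
}

module_exit(strncmp_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Strncmp Bug");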
----------------------------- 8< ---------------------------

Steps to Reproduce:
insmod the above module
Actual results:
Not provided
Expected results:
Additional info:
This event sent from IssueTracker by streeter  [Support Engineering Group]
 issue 581353

Comment 2 Issue Tracker 2010-05-17 21:32:53 UTC
Event posted on 03-04-2010 03:05am CST by linux26port

Hi Robin

A few bits of extra information if it will be any help. The problem is
that in the current implementation of strncmp, if r5 (length) is zero,
this code at the top of the routine:

       PPC_LCMPI r5,0
       beqlr

will simply return straight back to the caller without setting r3. So r3
is whatever it was when strncmp was called in the calling code. If you
look in the same source file, arch/powerpc/lib/string.S, at the function
memcmp, which is semantically similar to strncmp, you can see how zero
length is handled:

_GLOBAL(memcmp)
        cmpwi   0,r5,0
        ble-    2f
        mtctr   r5
        addi    r6,r3,-1
        addi    r4,r4,-1
1:      lbzu    r3,1(r6)
        lbzu    r0,1(r4)
        subf.   r3,r0,r3
        bdnzt   2,1b
        blr
2:      li      r3,0
        blr




This event sent from IssueTracker by streeter  [Support Engineering Group]
 issue 581353
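
The zero-length path described in the two comments above, modelled in C as an added example (not code from the report, the kernel or the eventual fix). `model_strncmp`, `count_mismatches` and the test strings are constructed here; the `fixed` flag applies the `li r3,0` that the quoted memcmp uses on its zero-length path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register-level model of the quoted routine (an illustration, not kernel code).
 * r3 carries s1 on entry and the result on exit, r4 carries s2, r5 the length.
 * fixed != 0 adds the "li r3,0" that memcmp performs on its zero-length path. */
static long model_strncmp(const char *s1, const char *s2, size_t n, int fixed)
{
    uintptr_t r3 = (uintptr_t)s1;              /* first argument arrives in r3 */
    const unsigned char *p1 = (const unsigned char *)s1;
    const unsigned char *p2 = (const unsigned char *)s2;
    size_t ctr = n;                            /* mtctr r5 */
    if (n == 0)                                /* PPC_LCMPI r5,0 ; beqlr */
        return fixed ? 0 : (long)r3;           /* unfixed: r3 still holds s1 */
    for (;;) {
        unsigned char a = *p1++;               /* lbzu r3,1(r5) */
        unsigned char b = *p2++;               /* lbzu r0,1(r4) */
        r3 = (uintptr_t)(long)(a - b);         /* subf. r3,r0,r3 */
        /* beqlr 1 (end of s1), then bdnzt eq,1b (count left and bytes equal) */
        if (a == 0 || --ctr == 0 || a != b)
            break;
    }
    return (long)r3;
}

static int sign(long v) { return (v > 0) - (v < 0); }

/* Count constructed cases where the model's sign differs from libc strncmp. */
static int count_mismatches(int fixed)
{
    static const struct { const char *a, *b; size_t n; } cases[] = {
        { "", "", 0 }, { "abc", "abd", 0 }, { "abc", "abd", 2 },
        { "abc", "abd", 3 }, { "ab", "abc", 5 }, { "b", "a", 1 },
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long got = model_strncmp(cases[i].a, cases[i].b, cases[i].n, fixed);
        if (sign(got) != sign(strncmp(cases[i].a, cases[i].b, cases[i].n)))
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", count_mismatches(0), count_mismatches(1));
    return 0;
}
```

Only the two zero-length cases disagree with libc in the unfixed model, because the value left in r3 is the non-null address of the first string.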

Comment 3 David Howells 2010-05-20 08:57:41 UTC
This was written by Steven Rostedt:

    commit 0119536cd314ef95553604208c25bc35581f7f0a
    Author: Steven Rostedt <rostedt>
    Date:   Sat Mar 1 03:04:57 2008 +1100

    [POWERPC] Add hand-coded assembly strcmp
    
    We have an assembly version of strncmp for the bootwrapper, but not
    for the kernel, so we end up using the C version in the kernel.  This
    takes the strncmp code from the bootup and copies it to the kernel
    proper, adding two instructions so it copes correctly with len==0.
    
    Signed-off-by: Steven Rostedt <srostedt>
    Signed-off-by: Paul Mackerras <paulus>

so I'm adding him to the cc list.

Comment 4 David Howells 2010-05-20 09:51:45 UTC
Created attachment 415368
Fix for strncmp()

Untested fix for strncmp() on powerpc.  I've posted it to the public powerpc development list.

Comment 5 Steve Best 2010-05-20 10:33:07 UTC
adding Robin to cc. been exchanging email on this one with Robin

Comment 8 Steve Best 2010-05-23 13:30:23 UTC
I've talked to David and we have agreed to go with a different patch here. I've posted the new patch to rh-kernel mailing list
http://post-office.corp.redhat.com/archives/rhkernel-list/2010-May/msg02561.html

Comment 9 Aristeu Rozanski 2010-05-28 20:38:31 UTC
Patch(es) available on kernel-2.6.32-31.el6

Comment 13 releng-rhel@redhat.com 2010-11-11 15:46:49 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

