[libc-commits] [libc] [libc][bug] Fix out of bound write in memcpy with software prefetching (PR #90613)
via libc-commits
libc-commits at lists.llvm.org
Tue Apr 30 06:59:34 PDT 2024
llvmbot wrote:
@llvm/pr-subscribers-libc
Author: Guillaume Chatelet (gchatelet)
<details>
<summary>Changes</summary>
This bug showed up when running the newly added fuzzers https://github.com/llvm/llvm-project/pull/90591.
---
Full diff: https://github.com/llvm/llvm-project/pull/90613.diff
1 Files Affected:
- (modified) libc/src/string/memory_utils/x86_64/inline_memcpy.h (+13-1)
``````````diff
diff --git a/libc/src/string/memory_utils/x86_64/inline_memcpy.h b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
index ae61b1235bd08c..150ad9536fd4dd 100644
--- a/libc/src/string/memory_utils/x86_64/inline_memcpy.h
+++ b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
@@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,
offset += K_THREE_CACHELINES;
}
}
- return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);
+ // We don't use 'loop_and_tail_offset' because it assumes at least one
+ // iteration of the loop.
+ while (offset + 32 <= count) {
+ builtin::Memcpy<32>::block_offset(dst, src, offset);
+ offset += 32;
+ }
+ return builtin::Memcpy<32>::tail(dst, src, count);
}
[[maybe_unused]] LIBC_INLINE void
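Review bot: the comment added above `while (offset + 32 <= count)` says why `loop_and_tail_offset` is avoided but not when its assumption fails. Consider stating the condition explicitly: after the prefetching loop, `offset + 32` may already exceed `count`, so the block loop has to be allowed to run zero times before `tail(dst, src, count)`. The patch touches only this header, so a regression test for a size that reaches that case would keep the fix from depending on the fuzzer alone.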
@@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
offset += K_THREE_CACHELINES;
}
return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
+ // We don't use 'loop_and_tail_offset' because it assumes at least one
+ // iteration of the loop.
+ while (offset + 64 <= count) {
+ builtin::Memcpy<64>::block_offset(dst, src, offset);
+ offset += 64;
+ }
}
[[maybe_unused]] LIBC_INLINE void
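Review bot: in the AVX variant the original `return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);` is kept as a context line (the hunk header `-140,6 +146,12` shows only additions), so the added `while (offset + 64 <= count)` loop sits after the return and is unreachable, and the path this PR fixes for SSE2 is unchanged here. Remove that return and end the function with `return builtin::Memcpy<64>::tail(dst, src, count);` after the loop, mirroring the SSE2 hunk; the added lines currently have no tail call at all.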
``````````
</details>
https://github.com/llvm/llvm-project/pull/90613