[libc-commits] [libc] [libc][bug] Fix out of bound write in memcpy w/ software prefetching (PR #90613)

Guillaume Chatelet via libc-commits libc-commits at lists.llvm.org
Tue May 14 02:17:28 PDT 2024


https://github.com/gchatelet updated https://github.com/llvm/llvm-project/pull/90613

>From b41ea8ede9d26b57617207af11d8a413b8902eb4 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Tue, 30 Apr 2024 13:58:41 +0000
Subject: [PATCH 1/2] [libc][bug] Fix out of bound write in memcpy wi software
 prefetching

This bug showed up when running the fuzzers newly added in https://github.com/llvm/llvm-project/pull/90591.
---
 .../src/string/memory_utils/x86_64/inline_memcpy.h | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/libc/src/string/memory_utils/x86_64/inline_memcpy.h b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
index ae61b1235bd08..150ad9536fd4d 100644
--- a/libc/src/string/memory_utils/x86_64/inline_memcpy.h
+++ b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
@@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,
       offset += K_THREE_CACHELINES;
     }
   }
-  return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);
+  // We don't use 'loop_and_tail_offset' because it assumes at least one
+  // iteration of the loop.
+  while (offset + 32 <= count) {
+    builtin::Memcpy<32>::block_offset(dst, src, offset);
+    offset += 32;
+  }
+  return builtin::Memcpy<32>::tail(dst, src, count);
 }
 
 [[maybe_unused]] LIBC_INLINE void
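Review bot: The comment above the new `while (offset + 32 <= count)` loop says only why the helper is avoided, not what the failure was; I would make the root cause explicit so the next reader does not "simplify" it back: `// After the prefetch loop fewer than 32 bytes may remain. loop_and_tail_offset` / `// always copies one full block first, which wrote past 'count' (fuzzer finding).` The closing `builtin::Memcpy<32>::tail(dst, src, count)` copies the 32 bytes ending at `count` irrespective of `offset`, so it silently relies on `count >= 32`; the `ge64` suffix suggests the caller guarantees `count >= 64`, but that precondition is not visible in the hunk and is worth stating in a comment, since a violation here is again an out-of-bounds access. The patch is motivated by a fuzzer crash but adds no deterministic regression test; a unit test over sizes just below and just above the K_THREE_CACHELINES multiples (where the remainder is smaller than one 32-byte block) would pin this. The enclosing function inline_memcpy_x86_sse2_ge64_sw_prefetching starts outside the hunk.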
@@ -140,6 +146,12 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
     offset += K_THREE_CACHELINES;
   }
   return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
+  // We don't use 'loop_and_tail_offset' because it assumes at least one
+  // iteration of the loop.
+  while (offset + 64 <= count) {
+    builtin::Memcpy<64>::block_offset(dst, src, offset);
+    offset += 64;
+  }
 }
 
 [[maybe_unused]] LIBC_INLINE void
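Review bot: As committed, this hunk leaves the original `return builtin::Memcpy<64>::loop_and_tail_offset(...)` in place ahead of the new loop, so the AVX path is unchanged and the added loop is unreachable dead code, with no `tail` call at all for the non-prefetch remainder. The second patch in this series corrects exactly this, so the fix itself needs no further change, but an intermediate commit that still carries the out-of-bounds write in the AVX path should be squashed into the final one rather than landed separately, so that bisecting on the fuzzer reproducer is not misled. The enclosing function inline_memcpy_x86_avx_ge64_sw_prefetching starts outside the hunk.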

>From 2f7a53cf2495e0c1c83752ec2afd42ddd207de4f Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Tue, 14 May 2024 09:06:14 +0000
Subject: [PATCH 2/2] Fix code.

---
 libc/src/string/memory_utils/x86_64/inline_memcpy.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libc/src/string/memory_utils/x86_64/inline_memcpy.h b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
index 150ad9536fd4d..507b3e25199ed 100644
--- a/libc/src/string/memory_utils/x86_64/inline_memcpy.h
+++ b/libc/src/string/memory_utils/x86_64/inline_memcpy.h
@@ -145,13 +145,13 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
     builtin::Memcpy<K_THREE_CACHELINES>::block_offset(dst, src, offset);
     offset += K_THREE_CACHELINES;
   }
-  return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
   // We don't use 'loop_and_tail_offset' because it assumes at least one
   // iteration of the loop.
   while (offset + 64 <= count) {
     builtin::Memcpy<64>::block_offset(dst, src, offset);
     offset += 64;
   }
+  return builtin::Memcpy<64>::tail(dst, src, count);
 }
 
 [[maybe_unused]] LIBC_INLINE void
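Review bot: With this correction the AVX path now duplicates the SSE2 fallback verbatim except for the block size (`offset + 64 <= count` / `Memcpy<64>::block_offset` / `Memcpy<64>::tail`), and the explanatory comment is copy-pasted as well; a small helper templated on the block size, or a variant of `loop_and_tail_offset` documented to tolerate zero full blocks, would keep the two prefetching paths from drifting apart, which is how the SSE2 and AVX halves ended up inconsistent between the two patches. As in the SSE2 path, `builtin::Memcpy<64>::tail(dst, src, count)` copies the 64 bytes ending at `count` regardless of `offset` and therefore relies on `count >= 64`; this appears to be implied by the `ge64` name but is not stated anywhere in the hunk, so a one-line precondition comment above the loop would make the bound explicit. The enclosing function inline_memcpy_x86_avx_ge64_sw_prefetching starts outside the hunk.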


