From: Stefan Liebler
Date: Tue, 29 Jun 2021 09:37:28 +0000 (+0200)
Subject: s390: Fix MEMCHR_Z900_G5 ifunc-variant if n>=0x80000000 [BZ #28024]
X-Git-Tag: glibc-2.34~161
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c45df18e1c524775a88c1e6fc7eac0049b3de83;p=thirdparty%2Fglibc.git

s390: Fix MEMCHR_Z900_G5 ifunc-variant if n>=0x80000000 [BZ #28024]

On s390 (31bit), the pointer to the first byte after s always wraps around with n >= 0x80000000 and can lead to stop searching before end of s. Thus this patch just uses NULL as byte after s in this case and the srst instruction stops searching with "not found" when wrapping around from top address to zero.

This is observable with testcase string/test-memchr starting with commit "String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974]"
https://sourceware.org/git/?p=glibc.git;a=commit;h=da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d
---
diff --git a/sysdeps/s390/memchr-z900.S b/sysdeps/s390/memchr-z900.S index 90b8a32dd66..72fd9e023f9 100644 --- a/sysdeps/s390/memchr-z900.S +++ b/sysdeps/s390/memchr-z900.S @@ -44,12 +44,25 @@ ENTRY(MEMCHR_Z900_G5) LGHI %r0,0xff NGR %r0,%r3 LGR %r1,%r2 +# if ! defined __s390x__ + tmlh %r4,32768 + jo 3f /* Jump away if n >= 0x80000000 */ +# endif la %r2,0(%r4,%r1) 0: srst %r2,%r1 jo 0b brc 13,1f SLGR %r2,%r2 1: br %r14 +# if ! defined __s390x__ + /* On s390 (31bit), the pointer to the first byte after s (stored in + r2) always wraps around with n >= 0x80000000 and can lead to stop + searching before end of s. Thus just use r2=0 in this case. + If r2 < r1, the srst instruction stops searching with cc=2 "not + found" when wrapping around from top address to zero. */ +3: SLGR %r2,%r2 + j 0b +# endif END(MEMCHR_Z900_G5) # if ! HAVE_MEMCHR_IFUNC
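Review bot: The mask in the added `tmlh %r4,32768` is a decimal magic number, while the comment beside `jo 3f` and the commit message both speak of 0x80000000; writing it as `tmlh %r4,0x8000` would make it visible that the bit being tested in the high halfword is the most significant bit of the 32-bit n. The block comment at label 3 also phrases its last sentence as a condition ("If r2 < r1"), although on this path r2 is always 0 after `SLGR %r2,%r2`; stating that srst is entered with an end address of zero, and that the search therefore ends with cc=2 at the wrap from the top address, would describe this path directly. It would also help to say in that comment why only the n >= 0x80000000 case needs the special path, since `la %r2,0(%r4,%r1)` is still used unchanged for all smaller n.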