From 330b2aaf86d2c3e39c276381f9024a070a18e058 Mon Sep 17 00:00:00 2001
From: liqingqing_1229 <liqingqing3@huawei.com>
Date: Fri, 28 Jan 2022 10:08:24 +0800
Subject: [PATCH] Fix __wcsncmp_evex in strcmp-evex.S [BZ #28755]

---
 glibc.spec                                    |  7 +++-
 ...sncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch | 40 +++++++++++++++++++
 ...sncmp_evex-in-strcmp-evex.S-BZ-28755.patch | 40 +++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
 create mode 100644 x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch

diff --git a/glibc.spec b/glibc.spec
index eb533f7..1ae7a20 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -66,7 +66,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	47
+Release: 	48
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -174,6 +174,8 @@ Patch86: Linux-Detect-user-namespace-support-in-io-tst-getcwd.patch
 Patch87: Disable-debuginfod-in-printer-tests-BZ-28757.patch
 Patch88: i386-Remove-broken-CAN_USE_REGISTER_ASM_EBP-bug-2877.patch
 Patch89: x86-use-default-cache-size-if-it-cannot-be-determine.patch
+Patch90: x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
+Patch91: x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@@ -1377,6 +1379,9 @@ fi
 %endif
 
 %changelog
+* Fri Jan 28 2022 Qingqing Li <liqingqing3@huawei.com> - 2.34-48
+- Fix __wcsncmp_evex in strcmp-evex.S [BZ #28755]
+
 * Tue Jan 25 2022 Chuang Fang <fangchuangchuang@huawei.com> - 2.34-47
 - Disable debuginfod in printer tests [BZ #28757]
 - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bug 28771)
diff --git a/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch b/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
new file mode 100644
index 0000000..7b8597b
--- /dev/null
+++ b/x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
@@ -0,0 +1,40 @@
+From ddf0992cf57a93200e0c782e2a94d0733a5a0b87 Mon Sep 17 00:00:00 2001
+From: Noah Goldstein <goldstein.w.n@gmail.com>
+Date: Sun, 9 Jan 2022 16:02:21 -0600
+Subject: [PATCH] x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
+
+Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
+__wcscmp_avx2. For x86_64 this covers the entire address range so any
+length larger could not possibly be used to bound `s1` or `s2`.
+
+test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
+
+Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
+---
+ sysdeps/x86_64/multiarch/strcmp-avx2.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sysdeps/x86_64/multiarch/strcmp-avx2.S b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+index a45f9d2..9c73b58 100644
+--- a/sysdeps/x86_64/multiarch/strcmp-avx2.S
++++ b/sysdeps/x86_64/multiarch/strcmp-avx2.S
+@@ -87,6 +87,16 @@ ENTRY (STRCMP)
+ 	je	L(char0)
+ 	jb	L(zero)
+ #  ifdef USE_AS_WCSCMP
++#  ifndef __ILP32__
++	movq	%rdx, %rcx
++	/* Check if length could overflow when multiplied by
++	   sizeof(wchar_t). Checking top 8 bits will cover all potential
++	   overflow cases as well as redirect cases where its impossible to
++	   length to bound a valid memory region. In these cases just use
++	   'wcscmp'.  */
++	shrq	$56, %rcx
++	jnz	__wcscmp_avx2
++#  endif
+ 	/* Convert units: from wide to byte char.  */
+ 	shl	$2, %RDX_LP
+ #  endif
+-- 
+1.8.3.1
+
diff --git a/x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch b/x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch
new file mode 100644
index 0000000..2b5227e
--- /dev/null
+++ b/x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch
@@ -0,0 +1,40 @@
+From 7e08db3359c86c94918feb33a1182cd0ff3bb10b Mon Sep 17 00:00:00 2001
+From: Noah Goldstein <goldstein.w.n@gmail.com>
+Date: Sun, 9 Jan 2022 16:02:28 -0600
+Subject: [PATCH] x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
+
+Fixes [BZ# 28755] for wcsncmp by redirecting length >= 2^56 to
+__wcscmp_evex. For x86_64 this covers the entire address range so any
+length larger could not possibly be used to bound `s1` or `s2`.
+
+test-strcmp, test-strncmp, test-wcscmp, and test-wcsncmp all pass.
+
+Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com>
+---
+ sysdeps/x86_64/multiarch/strcmp-evex.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sysdeps/x86_64/multiarch/strcmp-evex.S b/sysdeps/x86_64/multiarch/strcmp-evex.S
+index 1d971f3..0cd939d 100644
+--- a/sysdeps/x86_64/multiarch/strcmp-evex.S
++++ b/sysdeps/x86_64/multiarch/strcmp-evex.S
+@@ -104,6 +104,16 @@ ENTRY (STRCMP)
+ 	je	L(char0)
+ 	jb	L(zero)
+ #  ifdef USE_AS_WCSCMP
++#  ifndef __ILP32__
++	movq	%rdx, %rcx
++	/* Check if length could overflow when multiplied by
++	   sizeof(wchar_t). Checking top 8 bits will cover all potential
++	   overflow cases as well as redirect cases where its impossible to
++	   length to bound a valid memory region. In these cases just use
++	   'wcscmp'.  */
++	shrq	$56, %rcx
++	jnz	__wcscmp_evex
++#  endif
+ 	/* Convert units: from wide to byte char.  */
+ 	shl	$2, %RDX_LP
+ #  endif
+-- 
+1.8.3.1
+
-- 
Gitee