Fixed out of bounds read in AVX512VBMI version of fdr_exec_fat_teddy (V…

…ectorCamp#322) * Replaced the 32 byte read with a properly truncated mapped read * Added a unit test
dowgird · Dec 23, 2024 · 2eaa168 · 2eaa168
1 parent 4f09e78
commit 2eaa168
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/src/fdr/teddy_fat.cpp b/src/fdr/teddy_fat.cpp
@@ -283,7 +283,7 @@ hwlm_error_t fdr_exec_fat_teddy_512vbmi_templ(const struct FDR *fdr,
     if (likely(ptr + loopBytes <= buf_end)) {
         u64a k0 = FAT_TEDDY_VBMI_CONF_MASK_HEAD;
         m512 p_mask0 = set_mask_m512(~((k0 << 32) | k0));
-        m512 r_0 = prep_conf_fat_teddy_512vbmi_templ<NMSK>(&lo_mask, dup_mask, sl_msk, set2x256(loadu256(ptr)));
+        m512 r_0 = prep_conf_fat_teddy_512vbmi_templ<NMSK>(&lo_mask, dup_mask, sl_msk, set2x256(loadu_maskz_m256(k0, ptr)));
 
         r_0 = or512(r_0, p_mask0);
         CONFIRM_FAT_TEDDY_512(r_0, 16, 0, VECTORING, ptr);

diff --git a/unit/hyperscan/single.cpp b/unit/hyperscan/single.cpp
@@ -34,7 +34,7 @@
 
 #include <string>
 #include <tuple>
-
+#include <sys/mman.h>
 using namespace std;
 using namespace testing;
 
@@ -631,5 +631,29 @@ const TerminateMatchData terminateCases[] = {
 
 INSTANTIATE_TEST_CASE_P(Single, HyperscanTestMatchTerminate, ValuesIn(terminateCases));
 
+TEST(OutOfBoundRead, mmap) {
+    const char* pattern = "bat|cat|mat|rat|fat|sat|pat|hat|vat";
+    const char* corpus = "VAt hat pat sat fat rat mat ca";
+
+    // Use mmap to reliably get corpus at the and of mapped memory region
+    size_t buffer_len = (128<<20);
+    char* buffer = (char*) mmap(NULL, buffer_len * 2, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+    munmap(buffer+buffer_len, buffer_len);
+    char* mmaped_corpus = strcpy(buffer + buffer_len - strlen(corpus) - 1, corpus);
+
+    hs_error_t err;
+    hs_scratch_t *scratch = nullptr;
+    hs_database_t *db = buildDBAndScratch(pattern, HS_FLAG_CASELESS, 0, HS_MODE_BLOCK, &scratch);
+
+    int count = 0;
+    err = hs_scan(db, mmaped_corpus, strlen(mmaped_corpus), 0, scratch, countHandler, &count);
+    ASSERT_EQ(HS_SUCCESS, err) << "hs_scan didn't return HS_SCAN_TERMINATED";
+
+    err = hs_free_scratch(scratch);
+    ASSERT_EQ(HS_SUCCESS, err);
+    hs_free_database(db);
+    munmap(buffer, buffer_len);
+}
+
 } // namespace