Fix regressions in arch_cpu_user_strlcpy().

- repnz movsb turns out to not actually be a legal instruction,
  resulting in various strings being copied incorrectly, leading to
  random crashes in various places. Rework to use loop instead.
  Thanks to Alex Smith for helping review changes and offering
  improvements.
- Minor cleanups.
- Fixes #8650 properly.
This commit is contained in:
Rene Gollent 2012-07-02 14:41:31 -04:00
parent fb8447d595
commit 8695be5049

View File

@ -276,19 +276,32 @@ FUNCTION(arch_cpu_user_strlcpy):
/* Copy at most count - 1 bytes */ /* Copy at most count - 1 bytes */
dec %ecx dec %ecx
/* move data by bytes */ /* If count is now 0, skip straight to null terminating
cld as our loop will otherwise overflow */
repnz cmp $0,%ecx
movsb jne .L_user_strlcpy_copy_begin
/* null terminate string */
movb $0,(%edi) movb $0,(%edi)
dec %esi jmp .L_user_strlcpy_source_count
.L_user_strlcpy_copy_begin:
cld
.L_user_strlcpy_copy_loop:
/* move data by bytes */
movsb
cmpb $0,-1(%esi)
je .L_user_strlcpy_copy_loop_done
loop .L_user_strlcpy_copy_loop
.L_user_strlcpy_copy_loop_done:
/* check if we copied the entire source string */ /* check if we copied the entire source string */
cmp $0,%ecx cmp $0,%ecx
jne .L_user_strlcpy_source_done jne .L_user_strlcpy_source_done
.L_user_strlcpy_zero_terminate:
/* null terminate string */
movb $0,(%edi)
dec %esi
/* count remaining bytes in src */ /* count remaining bytes in src */
.L_user_strlcpy_source_count: .L_user_strlcpy_source_count:
not %ecx not %ecx
@ -297,11 +310,9 @@ FUNCTION(arch_cpu_user_strlcpy):
scasb scasb
.L_user_strlcpy_source_done: .L_user_strlcpy_source_done:
movl %esi,%eax movl %esi,%eax
subl 20(%esp),%eax subl 20(%esp),%eax
subl $1,%eax subl $1,%eax
/* restore the old fault handler */ /* restore the old fault handler */
movl %ebx,(%edx) movl %ebx,(%edx)