From e8466b091ae1b86f1fb5ce5028ea2eb5ec3ee465 Mon Sep 17 00:00:00 2001 From: Vedant Ravindra Dhoke <66007382+vedant713@users.noreply.github.com> Date: Sat, 17 May 2025 14:24:30 -0400 Subject: [PATCH 1/7] Fix: Prevent out-of-bounds read in mi_clz32 and mi_ctz32 (#134070) --- Include/internal/mimalloc/mimalloc/internal.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Include/internal/mimalloc/mimalloc/internal.h b/Include/internal/mimalloc/mimalloc/internal.h index d97f51b8eefbe5..107d3be1c2b820 100644 --- a/Include/internal/mimalloc/mimalloc/internal.h +++ b/Include/internal/mimalloc/mimalloc/internal.h @@ -851,7 +851,8 @@ static inline size_t mi_ctz32(uint32_t x) { 31, 27, 13, 23, 21, 19, 16, 7, 26, 12, 18, 6, 11, 5, 10, 9 }; if (x==0) return 32; - return debruijn[((x & -(int32_t)x) * 0x077CB531UL) >> 27]; + return debruijn[(uint32_t)(((x & -(int32_t)x) * 0x077CB531UL) >> 27) & 31]; + } static inline size_t mi_clz32(uint32_t x) { // de Bruijn multiplication, see @@ -865,7 +866,8 @@ static inline size_t mi_clz32(uint32_t x) { x |= x >> 4; x |= x >> 8; x |= x >> 16; - return debruijn[(uint32_t)(x * 0x07C4ACDDUL) >> 27]; + return debruijn[(uint32_t)(x * 0x07C4ACDDUL >> 27) & 31]; + } static inline size_t mi_clz(uintptr_t x) { From 64e971888fb4ca81feac9597b24c91a2b0710047 Mon Sep 17 00:00:00 2001 From: vedant713 <66007382+vedant713@users.noreply.github.com> Date: Sat, 17 May 2025 17:15:23 -0400 Subject: [PATCH 2/7] gh-134070: Add news entry for mimalloc out-of-bounds fix --- .../2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst new file mode 100644 index 00000000000000..267bcef668f339 --- /dev/null 
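Review bot: The rewritten return line in `mi_ctz32` keeps `x & -(int32_t)x` to isolate the lowest set bit, and for `x == 0x80000000` that negates `INT32_MIN` on two's-complement targets, which is signed overflow (undefined behaviour that UBSan reports); the masking fix does not touch it. Doing the negation in unsigned arithmetic yields the same value without overflow: `return debruijn[(uint32_t)(((x & (0u - x)) * 0x077CB531UL) >> 27) & 31];`. The `& 31` itself is correct, but only because bits 27..31 of the 64-bit product coincide with bits 27..31 of its 32-bit truncation, so a comment such as `// de Bruijn lookup: bits 27..31 of the 32-bit product index the table` would spare the next reader that derivation. The same `-(int32_t)x` expression survives in `mi_ctz_generic32` in patch 6/7 of this series. The empty `+` line added before the closing brace is stray whitespace inside the function body.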
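Review bot: The `& 31` added to the `mi_clz32` return line is redundant: the previous form `(uint32_t)(x * 0x07C4ACDDUL) >> 27` already truncated the product to 32 bits before shifting, so its index was in 0..31 and this hunk does not change behaviour. If the intent is symmetry with `mi_ctz32`, the clearer route is a 32-bit multiplier, `return debruijn[(uint32_t)(x * 0x07C4ACDDU) >> 27];`, so the index is in range by construction rather than by masking (the later `mi_clz_generic32` rewrite in this series does just that). The empty `+` line inserted before the closing brace should be dropped.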
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
@@ -0,0 +1,4 @@
+.. gh-issue: 134070
+.. section: Core and Builtins
+
+Fixed an out-of-bounds read in the generic implementation of `mi_clz32` and `mi_ctz32` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit `unsigned long` values. Based on upstream fix from microsoft/mimalloc.
From c961fa0786daaaabac51b5afb511ce68845a46d6 Mon Sep 17 00:00:00 2001
From: vedant713 <66007382+vedant713@users.noreply.github.com>
Date: Sat, 17 May 2025 17:18:08 -0400
Subject: [PATCH 3/7] gh-134070: Add news entry for mimalloc out-of-bounds fix
---
 .../2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
index 267bcef668f339..03c5c0a0e5f05a 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
@@ -1,4 +1,4 @@
 .. gh-issue: 134070
 .. section: Core and Builtins
 
-Fixed an out-of-bounds read in the generic implementation of `mi_clz32` and `mi_ctz32` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit `unsigned long` values. Based on upstream fix from microsoft/mimalloc.
+Fixed an out-of-bounds read in the generic implementation of ``mi_clz32`` and ``mi_ctz32`` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit `unsigned long` values. Based on upstream fix from microsoft/mimalloc.
From 911c128a510940518982881d175c0aad1019bea5 Mon Sep 17 00:00:00 2001
From: vedant713 <66007382+vedant713@users.noreply.github.com>
Date: Sat, 17 May 2025 17:20:15 -0400
Subject: [PATCH 4/7] gh-134070: Add news entry for mimalloc out-of-bounds fix
---
 .../2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
index 03c5c0a0e5f05a..18c3732f626b22 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
@@ -1,4 +1 @@
-.. gh-issue: 134070
-.. section: Core and Builtins
-
 Fixed an out-of-bounds read in the generic implementation of ``mi_clz32`` and ``mi_ctz32`` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit `unsigned long` values. Based on upstream fix from microsoft/mimalloc.
From bce07b258c07fac78e52392729b1c111cfb35f68 Mon Sep 17 00:00:00 2001
From: vedant713 <66007382+vedant713@users.noreply.github.com>
Date: Sat, 17 May 2025 17:22:40 -0400
Subject: [PATCH 5/7] gh-134070: Add news entry for mimalloc out-of-bounds fix
---
 .../2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
index 18c3732f626b22..9fc40d2020215c 100644
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-05-17-16-45-00.gh-issue-134070.vdhoke.rst
@@ -1 +1 @@
-Fixed an out-of-bounds read in the generic implementation of ``mi_clz32`` and ``mi_ctz32`` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit `unsigned long` values. Based on upstream fix from microsoft/mimalloc.
+Fixed an out-of-bounds read in the generic implementation of ``mi_clz32`` and ``mi_ctz32`` in the integrated mimalloc allocator. This bug could occur on platforms with 64-bit ``unsigned long`` values. Based on upstream fix from microsoft/mimalloc.
From bd186c9452409b8776f9629577033eb4db609e17 Mon Sep 17 00:00:00 2001
From: Vedant Ravindra Dhoke <66007382+vedant713@users.noreply.github.com>
Date: Sun, 13 Jul 2025 19:33:40 -0400
Subject: [PATCH 6/7] Update internal.h
---
 Include/internal/mimalloc/mimalloc/internal.h | 46 +++++++++++++++----
 1 file changed, 36 insertions(+), 10 deletions(-)
diff --git a/Include/internal/mimalloc/mimalloc/internal.h b/Include/internal/mimalloc/mimalloc/internal.h
index 107d3be1c2b820..2de1892c34c360 100644
--- a/Include/internal/mimalloc/mimalloc/internal.h
+++ b/Include/internal/mimalloc/mimalloc/internal.h
@@ -844,32 +844,58 @@ static inline size_t mi_ctz(uintptr_t x) { } #else -static inline size_t mi_ctz32(uint32_t x) { - // de Bruijn multiplication, see - static const unsigned char debruijn[32] = { +static inline size_t mi_ctz_generic32(uint32_t x) { + static const uint8_t debruijn[32] = { 0, 1, 28, 2, 29, 14, 24, 3, 30, 22, 20, 15, 25, 17, 4, 8, 31, 27, 13, 23, 21, 19, 16, 7, 26, 12, 18, 6, 11, 5, 10, 9 }; - if (x==0) return 32; - return debruijn[(uint32_t)(((x & -(int32_t)x) * 0x077CB531UL) >> 27) & 31]; - + if (x == 0) return 32; + return debruijn[(uint32_t)((x & -(int32_t)x) * (uint32_t)(0x077CB531U)) >> 27]; } -static inline size_t mi_clz32(uint32_t x) { - // de Bruijn multiplication, see + +static inline size_t mi_clz_generic32(uint32_t x) { static const uint8_t debruijn[32] = { 31, 22, 30, 21, 18, 10, 29, 2, 20, 17, 15, 13, 9, 6, 28, 1, 23, 19, 11, 3, 16, 14, 7, 24, 12, 4, 8, 25, 5, 26, 27, 0 }; - if (x==0) return 32; + if (x == 0) return 32; x |= x >> 1; x |= x >> 2; x |= x >> 4; x |= x >> 8; x |= x >> 16; - return debruijn[(uint32_t)(x * 0x07C4ACDDUL >> 27) & 31]; + return debruijn[(uint32_t)(x * (uint32_t)(0x07C4ACDDU)) >> 27]; +} +static inline size_t mi_ctz(size_t x) { + if (x == 0) return MI_SIZE_BITS; +#if (MI_SIZE_BITS <= 32) + return mi_ctz_generic32((uint32_t)x); +#else + const uint32_t lo = (uint32_t)x; + if (lo != 0) { + return mi_ctz_generic32(lo); + } else { + return 32 + mi_ctz_generic32((uint32_t)(x >> 32)); + } +#endif } +static inline size_t mi_clz(size_t x) { + if (x == 0) return MI_SIZE_BITS; +#if (MI_SIZE_BITS <= 32) + return mi_clz_generic32((uint32_t)x); +#else + const uint32_t hi = (uint32_t)(x >> 32); + if (hi != 0) { + return mi_clz_generic32(hi); + } else { + return 32 + mi_clz_generic32((uint32_t)x); + } +#endif +} + + static inline size_t mi_clz(uintptr_t x) { if (x==0) return MI_INTPTR_BITS; #if (MI_INTPTR_BITS <= 32) From 796a17637ef4efc60865461c8415e76144fa016e Mon Sep 17 00:00:00 2001 
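Review bot: The new `mi_ctz(size_t)` and `mi_clz(size_t)` return `MI_SIZE_BITS` for zero, while the `uintptr_t` versions they replace and the header's own documentation of the bit-scan helpers (`// "bit scan reverse": Return index of the highest bit (or MI_INTPTR_BITS if x is zero)`, visible as context in the last hunk of the series) speak of `MI_INTPTR_BITS`; if the two constants can differ on any supported target the zero case changes meaning, and either way that comment should be updated to name the constant actually returned. This commit also defines the `size_t` versions while the `uintptr_t` `mi_clz`/`mi_ctz` are still present as context at the end of the hunk, so 6/7 does not build on its own wherever `size_t` and `uintptr_t` are the same type; squashing it with 7/7, which removes the old ones, keeps every commit bisectable. The `// de Bruijn multiplication` comment that attributed the `0x077CB531`/`0x07C4ACDD` constants is dropped in both functions; keep a one-liner such as `// de Bruijn sequence lookup: bits 27..31 of the 32-bit product index the table` above each table so the magic numbers stay explained. A blank line between `mi_clz_generic32`'s closing brace and `mi_ctz` would match the spacing used elsewhere in the hunk.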
From: Vedant Ravindra Dhoke <66007382+vedant713@users.noreply.github.com> Date: Sun, 13 Jul 2025 19:42:51 -0400 Subject: [PATCH 7/7] Update internal.h --- Include/internal/mimalloc/mimalloc/internal.h | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/Include/internal/mimalloc/mimalloc/internal.h b/Include/internal/mimalloc/mimalloc/internal.h index 2de1892c34c360..f3581570c29a6d 100644 --- a/Include/internal/mimalloc/mimalloc/internal.h +++ b/Include/internal/mimalloc/mimalloc/internal.h @@ -895,28 +895,6 @@ static inline size_t mi_clz(size_t x) { #endif } - -static inline size_t mi_clz(uintptr_t x) { - if (x==0) return MI_INTPTR_BITS; -#if (MI_INTPTR_BITS <= 32) - return mi_clz32((uint32_t)x); -#else - size_t count = mi_clz32((uint32_t)(x >> 32)); - if (count < 32) return count; - return (32 + mi_clz32((uint32_t)x)); -#endif -} -static inline size_t mi_ctz(uintptr_t x) { - if (x==0) return MI_INTPTR_BITS; -#if (MI_INTPTR_BITS <= 32) - return mi_ctz32((uint32_t)x); -#else - size_t count = mi_ctz32((uint32_t)x); - if (count < 32) return count; - return (32 + mi_ctz32((uint32_t)(x>>32))); -#endif -} - #endif // "bit scan reverse": Return index of the highest bit (or MI_INTPTR_BITS if `x` is zero)