Zsh Mailing List Archive
Re: [PATCH] Fortify zrealloc append to arrays
- X-seq: zsh-workers 43038
- From: Sebastian Gniazdowski <sgniazdowski@xxxxxxxxx>
- To: Zsh hackers list <zsh-workers@xxxxxxx>
- Subject: Re: [PATCH] Fortify zrealloc append to arrays
- Date: Sun, 17 Jun 2018 20:26:07 +0200
- In-reply-to: <CAKc7PVC1EeRoAD366Qeb2BGua4LmUrqEZ-9wT2SLLGevPiE3Ew@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAKc7PVC1EeRoAD366Qeb2BGua4LmUrqEZ-9wT2SLLGevPiE3Ew@mail.gmail.com>
I luckily obtained segfaults and core dumps. I ran an -O0 zsh, waited for
a segfault, and here is the backtrace:
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x0000000103f81e18 zle.so`getkeybuf(w=0) at zle_keymap.c:1679
    frame #1: 0x0000000103f81b26 zle.so`getkeymapcmd(km=0x00007faa2801d800, funcp=0x00007ffeebdeaab0, strp=0x00007ffeebdeaa98) at zle_keymap.c:1587
    frame #2: 0x0000000103f81f73 zle.so`getkeycmd at zle_keymap.c:1705
    frame #3: 0x0000000103f84b7c zle.so`zlecore at zle_main.c:1129
    frame #4: 0x0000000103f85575 zle.so`zleread(lp=0x0000000103ee2bf8, rp=0x0000000103ee2c38, flags=3, context=0, init="zle-line-init", finish="zle-line-finish") at zle_main.c:1352
    frame #5: 0x0000000103f863c3 zle.so`zle_main_entry(cmd=1, ap=0x00007ffeebdeb090) at zle_main.c:2109
    frame #6: 0x0000000103e60f67 zsh`zleentry(cmd=1) at init.c:1602
    frame #7: 0x0000000103e6265d zsh`inputline at input.c:295
    frame #8: 0x0000000103e62255 zsh`ingetc at input.c:228
    frame #9: 0x0000000103e541bd zsh`ihgetc at hist.c:407
    frame #10: 0x0000000103e6bd36 zsh`gettok at lex.c:611
I listed the source and obtained:
frame #0: 0x0000000103f81e18 zle.so`getkeybuf(w=0) at zle_keymap.c:1679
   1676     int c = getbyte((long)w, NULL);
   1677
   1678     if(c < 0)
-> 1679         return EOF;
   1680     addkeybuf(c);
   1681     return c;
   1682 }
Where could the segfault be hiding? I know one thing. If I comment out
the following line with <():
exec {PCFD}< <(echo ${sysparams[pid]})
I get no segfault or other (Ctrl-C) problems. The interior of <( ) can be
different from the above; the same happens.
On 17 June 2018 at 16:39, Sebastian Gniazdowski <sgniazdowski@xxxxxxxxx> wrote:
> Hello,
> one user of my project reports a crash with a message about realloc() when pasting:
>
> $ openssl req -new -newkey rsa:4096 > regisrealloc(): invalid old size
> Connection to localhost closed.
>
> I looked at my code that introduced realloc() to array appends. It
> seems that its correctness is guarded by this: before the patch, the old
> pointer (the old array) was subject to arrsetfn, which does freearray().
> So if the string can be freed, it for sure can be realloc()-ed.
>
> That said, I have a patch that checks whether the old pointer isn't nullarray
> (a static variable) and has the standard getter. A fortification, to
> sleep better.
>
> --
> Best regards,
> Sebastian Gniazdowski
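The guard discussed in the quoted message, realloc() applied only to memory that really came from the allocator and never to the static nullarray, as an added illustrative example in C. This is not zsh's code: empty_array, append_string, arrlen and free_array are hypothetical names standing in for nullarray and the zsh append/free routines, and the sample words are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not zsh's code. empty_array stands in for zsh's
 * static nullarray: a shared, NULL-terminated "empty" value that was never
 * returned by malloc() and therefore must never reach realloc() or free(). */
static char *empty_array[1] = { NULL };

/* Number of strings in a NULL-terminated array (0 for NULL). */
size_t arrlen(char **arr)
{
    size_t n = 0;
    if (arr)
        while (arr[n])
            n++;
    return n;
}

/* Heap copy of s (avoids relying on the POSIX-only strdup). */
static char *copy_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p)
        memcpy(p, s, len);
    return p;
}

/* Append a copy of s to arr and return the (possibly moved) array, or NULL
 * on allocation failure, in which case arr is left untouched.
 *
 * realloc() is only defined on a pointer obtained from malloc/calloc/realloc.
 * Handing it the static sentinel is undefined behaviour; glibc's heap sanity
 * checks catch it and abort with a message such as the "realloc(): invalid
 * old size" quoted above. So the sentinel (and NULL) take the fresh-allocation
 * path and only genuine heap arrays are passed to realloc(). */
char **append_string(char **arr, const char *s)
{
    size_t n = arrlen(arr);
    char *item = copy_string(s);
    char **grown;

    if (!item)
        return NULL;
    if (arr == NULL || arr == empty_array)
        grown = malloc((n + 2) * sizeof *grown);   /* fresh storage */
    else
        grown = realloc(arr, (n + 2) * sizeof *grown);
    if (!grown) {
        free(item);
        return NULL;
    }
    grown[n] = item;
    grown[n + 1] = NULL;
    return grown;
}

/* Release an array produced by append_string; the sentinel is never freed. */
void free_array(char **arr)
{
    if (arr == NULL || arr == empty_array)
        return;
    for (size_t i = 0; arr[i]; i++)
        free(arr[i]);
    free(arr);
}

int main(void)
{
    char **a = empty_array;           /* start from the shared empty value */
    const char *words[] = { "alpha", "beta", "gamma" };   /* constructed input */
    for (size_t i = 0; i < 3; i++) {
        char **next = append_string(a, words[i]);
        if (!next) {
            free_array(a);
            return 1;
        }
        a = next;
    }
    for (size_t i = 0; a[i]; i++)
        printf("%zu: %s\n", i, a[i]);
    free_array(a);
    return 0;
}
```

The design point is the identity check against the sentinel rather than a content check: an empty heap array and the static empty array look identical through their contents, but only one of them may be passed to realloc() or free().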