Backport ksh93v- bugfix for the crash in types.sh #812
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit backports a bugfix from ksh93v- 2012-08-24 for a possible crash at the first strncmp in create_type(). This crash will occur if the size and/or alignment of Namval struct is changed (i.e., if np->nvsize or np->nvflag is upgraded to a larger data type). Thus far I can't reproduce this bug on the dev branch without changing the size of the Namval_t struct, but the root cause of the bug should be fixed nonetheless for correctness. I encountered this bug while experimenting with changing the size of Namval_t, which at the moment is primarily relevant to the unfinished local builtin (which needs to store a new NV_DYNAMIC flag in the variable node's nvflag set). Non-upstreamed commits for reference: 3ca5470 (local-builtin branch) 798d463 (expand-nvflags branch) e390adf (earlier iteration of this commit) Crash trace from ASan (unlike the one in the earlier expand-nvflags commit, this was retested against 0510264 with np->nvsize changed to uint64_t; it can also be reproduced if np->nvflags is enlargened instead): ================================================================= ==186087==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001340 (pc 0x79c3ece88110 bp 0x7ffe576bd670 sp 0x7ffe576bcde0 T0) ==186087==The signal is caused by a READ memory access. #0 0x79c3ece88110 in strncmp /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:491 ksh93#1 0x79c3ec3460d0 in create_type /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/nvtype.c:486 ksh93#2 0x79c3ec4e2301 in create_tree /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/nvtree.c:74 ksh93#3 0x79c3ec4bb610 in nv_create /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/name.c:1238 ksh93#4 0x79c3ec4bf531 in nv_open /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/name.c:1451 ksh93#5 0x79c3ec4b0202 in nv_setlist /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/name.c:608 ksh93#6 0x79c3ec5819db in sh_exec /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:1076 ksh93#7 0x79c3ec2ca5ee in b_dot_cmd /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/bltins/misc.c:324 src/cmd/ksh93/sh/nvtype.c: - Account for NV_MINSZ when setting the 'base' string to ensure no invalid reads occur because of changes in the size of Namval_t. - Additionally, store the return value from strlen in a size_t variable.
|
Fix confirmed. Thanks! |
McDutchie
pushed a commit
that referenced
this pull request
Jan 5, 2025
This commit backports a bugfix from ksh93v- 2012-08-24 for a possible crash at the first strncmp in create_type(). This crash will occur if the size and/or alignment of Namval struct is changed (i.e., if np->nvsize or np->nvflag is upgraded to a larger data type). src/cmd/ksh93/sh/nvtype.c: - Account for NV_MINSZ when setting the 'base' string to ensure no invalid reads occur because of changes in the size of Namval_t. - Additionally, store the return value from strlen in a size_t variable.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit backports a bugfix from ksh93v- 2012-08-24 for a possible crash at the first
strncmpincreate_type(). This crash will occur if the size and/or alignment of theNamval_tstruct is changed (i.e., ifnp->nvsizeornp->nvflagis upgraded to a larger data type). Thus far I can't reproduce this bug on the dev branch without changing the size of theNamval_tstruct, but the root cause of the bug should be fixed nonetheless for correctness.I encountered this bug while experimenting with changing the size of
Namval_t, which at the moment is primarily relevant to the unfinished local builtin (which needs to store a newNV_DYNAMICflag in the variable node'snvflagset). Non-upstreamed commits for reference:JohnoKing@3ca5470 (local-builtin branch)
JohnoKing@798d463 (expand-nvflags branch)
JohnoKing@e390adf (earlier iteration of this commit)
Stacktrace from ASan (unlike the old one in the earlier expand-nvflags commit, this was retested against 0510264 with
np->nvsizechanged touint64_t; it can also be reproduced ifnp->nvflagsis enlargened instead):src/cmd/ksh93/sh/nvtype.c:
NV_MINSZwhen setting thebasestring to ensure no invalid reads occur because of changes in the size ofNamval_t.strlenin asize_tvariable.