From: igor@9lab.org
To: 9front@9front.org
Cc: igor@9lab.org, cinap_lenrek@felloff.net
Subject: [9front] cmd/acme: fix suicide *and* resource leak in ecmd.c (patch)
Date: Fri, 02 Apr 2021 11:30:51 +0200 [thread overview]
Message-ID: <5B3CB75646F53123B72B31FF6925FDD7@9lab.org> (raw)
In-Reply-To: <C150AF5917CAA3E0AC5EDB40CA924B01@felloff.net>
Quoth cinap_lenrek@felloff.net:
[...]
> The time to submit your unreleased bugfixes is now. :-)
Here is a patch that fixes a (1) suicide and (2) memory leak in
acme/ecmd.c (explanation with reproducible test instructions below):
<patch>
diff -r d9e940a768d1 sys/src/cmd/acme/ecmd.c
--- a/sys/src/cmd/acme/ecmd.c Mon Oct 19 01:20:29 2020 +0200
+++ b/sys/src/cmd/acme/ecmd.c Fri Feb 05 14:18:06 2021 +0100
@@ -132,11 +132,11 @@
{
File *f;
- f = w->body.file;
switch(editing){
case Inactive:
return "permission denied";
case Inserting:
+ f = w->body.file;
eloginsert(f, q, r, nr);
return nil;
case Collecting:
@@ -157,11 +157,13 @@
if(nr == 0)
return nil;
r = skipbl(r, nr, &nr);
- if(r[0] != '<')
- return runestrdup(r);
- /* use < command to collect text */
clearcollection();
- runpipe(t, '<', r+1, nr-1, Collecting);
+ if(r[0] != '<'){
+ if((collection = runestrdup(r)) != nil)
+ ncollection += runestrlen(r);
+ }else
+ /* use < command to collect text */
+ runpipe(t, '<', r+1, nr-1, Collecting);
return collection;
}
</patch>
To reproduce the suicide try running the following in acme:
• 'Edit B <ls lib'
by select and middle clicking in a window that is in your $home.
There is a very high chance acme will commit suicide like this:
<snip>
cpu% broke
echo kill>/proc/333310/ctl # acme
cpu% acid 333310
/proc/333310/text:amd64 plan 9 executable
/sys/lib/acid/port
/sys/lib/acid/amd64
acid: lstk()
edittext(nr=0x31,q=0x0,r=0x45aa10)+0x8 /sys/src/cmd/acme/ecmd.c:135
xfidwrite(x=0x461230)+0x28a /sys/src/cmd/acme/xfid.c:479
w=0x0
qid=0x5
fc=0x461390
t=0x1
nr=0x100000031
r=0x45aa10
eval=0x3100000000
a=0x405621
nb=0x500000001
err=0x419310
q0=0x100000000
tq0=0x80
tq1=0x8000000000
buf=0x41e8d800000000
xfidctl(arg=0x461230)+0x35 /sys/src/cmd/acme/xfid.c:52
x=0x461230
launcheramd64(arg=0x461230,f=0x22357e)+0x10 /sys/src/libthread/amd64.c:11
0xfefefefefefefefe ?file?:0
</snap>
The suicide issue is caused by the following chain of events:
• /sys/src/cmd/acme/ecmd.c:/^edittext is called at
/sys/src/cmd/acme/xfid.c:479 passing nil as its first parameter:
<snip>
...
case QWeditout:
r = fullrunewrite(x, &nr);
if(w)
err = edittext(w, w->wrselrange.q1, r, nr);
else
err = edittext(nil, 0, r, nr);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
</snap>
...and /sys/src/cmd/acme/ecmd.c:/^edittext dereferences the
first parameter that is *nil* at the first statement:
<snip>
char*
edittext(Window *w, int q, Rune *r, int nr)
{
File *f;
f = w->body.file;
^^^^^^^^^^^^^^^^^^^^^
This will crash if 'w' is *nil*
switch(editing){
...
</snap>
Moving the the derefernce of 'w' into the case where it is
needed (see above patch) fixes the suicude.
The memory leak is fixed in /sys/src/cmd/acme/ecmd.c:/^filelist. The
current implementation of filelist(...) breaks its contract with its
caller, thereby leading to a memory leak in /sys/src/cmd/acme/ecmd.c:/^B_cmd
and /sys/src/cmd/acme/ecmd.c:/^D_cmd.
The contract /sys/src/cmd/acme/ecmd.c:/^filelist seems to have with
its callers is that in case of success it fills up a 'collection' that
callers can then clear with a call to clearcollection(...).
The fix above honours this contract and thereby removes the leak.
After you apply the patch the following two tests should succeed:
• Execute by select and middle click in a Tag:
'Edit B lib/profile'
• Execute by select and middle click in a Tag:
'Edit B <ls lib'
The former lead to a resource leak that is now fixed.
The latter lead to a suicide that is now fixed by moving the statement
that dereferences the parameter to the location where it is needed,
which is not the path used in the case of 'Edit B <ls'.
Cheers,
Igor
next prev parent reply other threads:[~2021-04-02 10:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-01 17:02 [9front] call for patches for upcoming 9front release cinap_lenrek
2021-04-02 9:30 ` igor [this message]
2021-04-02 13:52 ` [9front] cmd/acme: fix suicide *and* resource leak in ecmd.c (patch) cinap_lenrek
2021-04-02 14:46 ` [9front] call for patches for upcoming 9front release fulton
2021-04-02 15:31 ` cinap_lenrek
-- strict thread matches above, loose matches on Subject: below --
2021-02-05 14:23 [9front] cmd/acme: fix suicide *and* resource leak in ecmd.c (patch) boehm.igor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5B3CB75646F53123B72B31FF6925FDD7@9lab.org \
--to=igor@9lab.org \
--cc=9front@9front.org \
--cc=cinap_lenrek@felloff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).