From: Stuart Morrow
Date: Tue, 17 Nov 2020 21:13:57 +0000
Subject: Re: [9front] dc: crash on colon : operator
To: 9front@9front.org

On 17/11/2020, Stanley Lieber wrote:
> On November 17, 2020 3:50:29 PM EST, istvan bak wrote:
>>can anyone see my previous email?
>
> I see this one. what was in the previous mail?
>
> sl
>

He wrote:

Hello.

dc crashes because a Blk* sometimes ends up both in the freelist and on the stack, and in the symbol table. It tries to free what had already been freed.

To make it crash (each line is a separate input to dc):

1 sa 2 :a le d sa v :a
1 sa 2 :a le d sa :a
1 sa 2 :a le d sa c

This is one input:

- 1 : 1 2 3 - 1 :

@@ -707,15 +710,15 @@ p = sptr->val; if(length(p)-PTRSZ < c*PTRSZ) { q = copy(p,(c+PTRSZ)*PTRSZ); release(p); p = q; } } + sptr->val = p; seekc(p,c*PTRSZ); q = lookwd(p); if(q!=0) release(q); s = pop(); EMPTY; salterwd(p, s); - sptr->val = p;

Set sptr->val to a consistent value before EMPTY causes a jump. After the if/else block, either sptr->val == p (old p, which is on the hfree freelist), or sptr->val == 0. Both are bad.

Two unrelated things: dcgetwd() can return 0. All other uses check for a 0 ptr; so should the case below. And there's a buffer overflow. I haven't tried to crash these.

Full patch:

diff -r cbc842a5093b sys/src/cmd/dc.c --- a/sys/src/cmd/dc.c Sun Nov 08 14:21:14 2020 -0800 +++ b/sys/src/cmd/dc.c Tue Nov 10 19:22:07 2020 +0100 @@ -638,8 +638,11 @@ p = sptr->val; if(c >= ARRAYST) { rewind(p); - while(sfeof(p) == 0) - release(dcgetwd(p)); + while(sfeof(p) == 0) { + q = dcgetwd(p); + if(q != 0) + release(q); + } } release(p); } else { @@ -711,6 +714,7 @@ p = q; } } + sptr->val = p; seekc(p,c*PTRSZ); q = lookwd(p); if(q!=0) @@ -718,7 +722,6 @@ s = pop(); EMPTY; salterwd(p, s); - sptr->val = p; continue; case ';': p = pop();
@@ -1921,7 +1924,8 @@ sl = line; *sl++ = c; while((c = readc()) != '\n') - *sl++ = c; + if(sl < line+100-1) + *sl++ = c; *sl = 0; if((pid = fork()) == 0) { execl("/bin/rc","rc","-c",line,nil);

------------- End Quote

In other news, I don't know if it is news, but the machine we all know from acpi.gif has a cool history: https://en.wikipedia.org/wiki/Useless_machine
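Review bot: the nil guard added around the `release(dcgetwd(p))` loop in the `@@ -638` hunk brings this call site in line with the other dcgetwd() callers the mail says already check for 0. Since the same `q = dcgetwd(p); if(q != 0) release(q);` shape is now repeated at several sites, a cheaper long-term fix is to make release() itself return early on a nil argument, so no caller can forget the check.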
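Review bot: the `@@ -711` and `@@ -718` hunks are one change and only make sense applied together: the `+ sptr->val = p;` placed before `seekc(p,c*PTRSZ);` must land with the `- sptr->val = p;` removed after `salterwd(p, s);`; with only the addition the slot is assigned twice (harmless), with only the removal it is never updated and the freed block stays in the symbol table. Moving the store ahead of `EMPTY` is the right fix, because the `release(p); p = q;` branch just above has already freed the block the symbol table still points to, and `EMPTY` can leave the operation before the old position of the store is reached. A one-line comment at the new store saying it must stay ahead of `EMPTY` would stop a later tidy-up from moving it back.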
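Review bot: in the `@@ -1921` hunk, `if(sl < line+100-1)` stops the write past the end of `line` but bakes in a magic number; if `line` is declared as a 100-byte array, `sizeof line - 1` (or a named constant shared with the declaration) keeps the bound from drifting when the buffer is resized. Two follow-ups worth considering: an over-long command is now silently truncated and then handed to `execl("/bin/rc","rc","-c",line,nil);` rather than rejected, and the loop condition `while((c = readc()) != '\n')` as shown ends only on a newline, so if readc() can return an end-of-input indicator the loop would not stop on it.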
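The ordering problem the `sptr->val` hunks fix, shown in a constructed model: the table slot is updated only after a check that can jump out of the operation, so on the error path the slot keeps pointing at a block that `release(p)` already freed, and the next release of that slot frees it a second time. This is an added example, not dc's code and not from the thread: `Blk`, `alloc_blk`, `release`, `empty_check`, `store_buggy`, `store_fixed` and `table_slot` are stand-ins for dc's block type, its `release()`, the `EMPTY` macro, the `:` handler and `sptr->val`, and the longjmp models the jump the mail describes.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the ordering bug described in the mail; these are
 * stand-ins, not dc's own types or functions. A table slot owns a Blk;
 * growing the block releases the old one; an error check may longjmp out. */
typedef struct Blk {
    size_t len;
    char *data;
} Blk;

static jmp_buf errjmp;          /* target of the error path (models EMPTY) */
static Blk *last_released;      /* block most recently passed to release() */
static Blk *last_allocated;     /* block most recently returned by alloc_blk() */
static Blk *table_slot;         /* the symbol-table slot (models sptr->val) */

static Blk *alloc_blk(size_t len)
{
    Blk *b = malloc(sizeof *b);
    b->len = len;
    b->data = calloc(len, 1);
    last_allocated = b;
    return b;
}

static void release(Blk *b)
{
    last_released = b;          /* remember the address, then free it */
    free(b->data);
    free(b);
}

/* Models EMPTY: leave the current operation when the operand stack is empty. */
static void empty_check(int stack_depth)
{
    if (stack_depth == 0)
        longjmp(errjmp, 1);
}

/* Buggy order (the code before the patch): grow, check, and only then store
 * the new block into the slot. If empty_check() jumps, the slot still holds
 * the pointer that release() freed. */
static void store_buggy(Blk **slot, size_t need, int stack_depth)
{
    Blk *p = *slot, *q;
    if (p->len < need) {
        q = alloc_blk(need);
        release(p);
        p = q;
    }
    empty_check(stack_depth);
    *slot = p;
}

/* Fixed order (what the patch does): the slot is consistent before any path
 * that can leave the function. */
static void store_fixed(Blk **slot, size_t need, int stack_depth)
{
    Blk *p = *slot, *q;
    if (p->len < need) {
        q = alloc_blk(need);
        release(p);
        p = q;
    }
    *slot = p;
    empty_check(stack_depth);
}

/* Drive one variant with an empty operand stack so the error path fires.
 * Returns 1 if the slot was left pointing at a released block (a dangling
 * pointer that a later release() would double-free), 0 otherwise. */
static int leaves_dangling(void (*store)(Blk **, size_t, int))
{
    int dangling;

    table_slot = alloc_blk(8);
    last_released = NULL;
    if (setjmp(errjmp) == 0)
        store(&table_slot, 64, 0);   /* depth 0: longjmps back to setjmp */

    dangling = (table_slot == last_released);
    if (dangling)
        release(last_allocated);     /* free only the orphaned new block */
    else
        release(table_slot);         /* the slot owns the live block */
    return dangling;
}

int main(void)
{
    return (leaves_dangling(store_buggy) == 1 &&
            leaves_dangling(store_fixed) == 0) ? 0 : 1;
}
```

The comparison against `last_released` is how the model detects the dangling slot without touching freed memory; in the real program the same state shows up as the freelist/stack double-free the mail describes. The general rule the fix illustrates is that an owner pointer must be updated before any statement that can transfer control out of the function.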
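The bounded copy from the last hunk, carried one step further as an added example (not dc's code and not from the thread): a line reader that stores at most the buffer size minus one bytes, always NUL-terminates, drops the remainder of an over-long line so the next read starts on the following line, and stops on end of input as well as on a newline. `readc_from`, `read_line_bounded`, `READ_EOF` and `LINESZ` are constructed names; the 100-byte size is taken from the bound in the patch, and the input is constructed.

```c
#include <string.h>

#define LINESZ 100              /* buffer size the patch bounds against (assumed) */
#define READ_EOF (-1)

/* Constructed input source: returns the next byte of a string, or READ_EOF. */
static int readc_from(const char **cursor)
{
    if (**cursor == '\0')
        return READ_EOF;
    return (unsigned char)*(*cursor)++;
}

/* Read one line into line[LINESZ]. At most LINESZ-1 bytes are stored and the
 * result is always NUL-terminated; extra bytes of an over-long line are
 * consumed and dropped so the caller stays in sync with the input. Returns
 * the number of bytes stored, or READ_EOF when the input was exhausted
 * before any byte was read. */
static int read_line_bounded(const char **cursor, char line[LINESZ])
{
    int c, n = 0;
    while ((c = readc_from(cursor)) != READ_EOF && c != '\n') {
        if (n < LINESZ - 1)
            line[n++] = (char)c;
        /* else: over-long line; drop the byte instead of writing past line[] */
    }
    line[n] = '\0';
    return (c == READ_EOF && n == 0) ? READ_EOF : n;
}

/* Constructed input: a 150-byte line, a short line, then end of input.
 * Returns 1 when the reader truncates the first line to LINESZ-1 bytes,
 * resynchronises on the second line, and reports end of input after it. */
static int demo(void)
{
    char input[160], line[LINESZ];
    const char *cursor = input;
    int n1, n2, n3, second_ok;

    memset(input, 'x', 150);
    memcpy(input + 150, "\nok\n", 5);    /* includes the terminating NUL */

    n1 = read_line_bounded(&cursor, line);
    n2 = read_line_bounded(&cursor, line);
    second_ok = (n2 == 2 && strcmp(line, "ok") == 0);
    n3 = read_line_bounded(&cursor, line);
    return n1 == LINESZ - 1 && second_ok && n3 == READ_EOF;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Returning the stored length lets a caller notice truncation (`n == LINESZ - 1` with more input on the line) and refuse to act on a cut-off command instead of running it, which is the behaviour the patched loop still lacks.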