From: istvan bak
Date: Tue, 10 Nov 2020 20:28:35 +0000
Subject: dc: crash on colon : operator
To: 9front@9front.org

Hello.

dc crashes because a Blk* sometimes ends up both in the freelist and on the stack, and in the symbol table. It tries to free what had already been freed.

To make it crash (each line is a separate input to dc):

1 sa 2 :a le d sa v :a
1 sa 2 :a le d sa :a
1 sa 2 :a le d sa c

This is one input:

- 1 : 1 2 3 - 1 :

@@ -707,15 +710,15 @@ p = sptr->val; if(length(p)-PTRSZ < c*PTRSZ) { q = copy(p,(c+PTRSZ)*PTRSZ); release(p); p = q; } } + sptr->val = p; seekc(p,c*PTRSZ); q = lookwd(p); if(q!=0) release(q); s = pop(); EMPTY; salterwd(p, s); - sptr->val = p;

Set sptr->val to a consistent value before EMPTY causes a jump. After the if/else block, either sptr->val == p (old p, which is on the hfree freelist), or sptr->val == 0. Both are bad.

Two unrelated things:

dcgetwd() can return 0. All other uses check for 0 ptr; so should the below case.

And there's a buffer overflow. I haven't tried to crash these.

Full patch:

diff -r cbc842a5093b sys/src/cmd/dc.c
--- a/sys/src/cmd/dc.c Sun Nov 08 14:21:14 2020 -0800
+++ b/sys/src/cmd/dc.c Tue Nov 10 19:22:07 2020 +0100
@@ -638,8 +638,11 @@ p = sptr->val; if(c >= ARRAYST) { rewind(p); - while(sfeof(p) == 0) - release(dcgetwd(p)); + while(sfeof(p) == 0) { + q = dcgetwd(p); + if(q != 0) + release(q); + } } release(p); } else {
@@ -711,6 +714,7 @@ p = q; } } + sptr->val = p; seekc(p,c*PTRSZ); q = lookwd(p); if(q!=0)
@@ -718,7 +722,6 @@ s = pop(); EMPTY; salterwd(p, s); - sptr->val = p; continue; case ';': p = pop();
@@ -1921,7 +1924,8 @@ sl = line; *sl++ = c; while((c = readc()) != '\n') - *sl++ = c; + if(sl < line+100-1) + *sl++ = c; *sl = 0; if((pid = fork()) == 0) { execl("/bin/rc","rc","-c",line,nil);
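Review bot: at `+ if(q != 0)` in the @@ -638 hunk nothing records why dcgetwd() can hand back 0 while sfeof(p) is still false; the mail says it can, but a reader of the loop only sees a silent skip. Add a one-line comment above the check saying what a 0 word is (an unset array slot, if that is the case), so the skip is not mistaken for papering over a bug elsewhere.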
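Review bot: the hoisted `+ sptr->val = p;` in the @@ -711 hunk is the whole fix, but its position is load-bearing and undocumented: it has to sit after `release(p); p = q;` (so the symbol stops pointing at a block that is already on hfree) and before the first statement that can longjmp. A comment saying the assignment must precede EMPTY would stop someone moving it back next to salterwd() in a later tidy-up.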
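Review bot: the @@ -718 hunk still leaves a window between the `release(q)` shown in the inline @@ -707 hunk (the old word at this index) and `salterwd(p, s)`: when `s = pop()` fails and `EMPTY` jumps, the released word is still the one stored at that slot, and the @@ -638 loop releases every word of the array on clean-up, so the same ':' on an empty stack can free it a second time. If lookwd() reads the word at the current slot and salterwd() overwrites it, pop and check EMPTY before `release(q)`, or release q only after salterwd() has replaced it.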
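Review bot: `+ if(sl < line+100-1)` in the @@ -1921 hunk hard-codes the buffer size; if `line` is an array, `sizeof line - 1` keeps the bound tied to its declaration. The bigger issue is that the truncation is silent: an over-long `!` line is cut at 99 bytes and the prefix is still passed to `execl("/bin/rc","rc","-c",line,nil)`, so a different command from the one typed runs. Prefer refusing the command (keep draining input to '\n', which the loop already does, then report an error) over executing a prefix of it.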
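The ordering problem the mail describes, modelled as an added example in C (this is not dc's source, and the names Blk, hfree, release(), copy(), pop(), EMPTY and sptr->val are borrowed from dc only so the shape matches; every body below is an assumption made for the demonstration). release() scans the freelist before pushing, so a second release of the same block is counted instead of corrupting the list. scenario(0) runs ':' with the pre-patch ordering (symbol updated after EMPTY) against an empty stack and then clears the symbol, which frees the old block a second time; scenario(1) uses the patched ordering and the clean-up frees only the block the symbol actually owns.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not dc's source: a model of the ':' ordering bug from the
 * mail.  Blk, hfree, release(), copy(), pop(), EMPTY and sptr->val are named
 * after dc's; every body here is an assumption made for this demonstration. */

enum { BUFMAX = 64 };
typedef struct Blk Blk;
struct Blk { char buf[BUFMAX]; int len; Blk *next; };
typedef struct { Blk *val; } Sym;   /* a symbol-table entry (dc's sptr) */

static Blk *hfree, *stack[16];      /* freelist; operand stack */
static int sp, stkempty;            /* stack depth; set by pop() on underflow */
static int doublefree;              /* releases of a block already on hfree */
static Sym symtab;                  /* the one symbol this example stores into */
static jmp_buf env;                 /* error-recovery target, as in dc */

/* dc's EMPTY: after a failed pop(), abandon the command with a longjmp */
#define EMPTY if(stkempty) longjmp(env, 1)

static Blk *
salloc(int n)
{
	Blk *b = hfree;
	if(b != NULL)
		hfree = b->next;
	else
		b = calloc(1, sizeof *b);
	b->len = n > BUFMAX ? BUFMAX : n;
	b->next = NULL;
	return b;
}

/* put p on the freelist; a block already there is counted, not re-linked */
static void
release(Blk *p)
{
	Blk *b;
	for(b = hfree; b != NULL; b = b->next)
		if(b == p){
			doublefree++;      /* the bug: real code would corrupt hfree */
			return;
		}
	p->next = hfree;
	hfree = p;
}

/* new block of n bytes holding p's contents; the caller releases p */
static Blk *
copy(Blk *p, int n)
{
	Blk *q = salloc(n);
	memcpy(q->buf, p->buf, p->len < q->len ? p->len : q->len);
	return q;
}

static Blk *
pop(void)
{
	if(sp == 0){
		stkempty = 1;
		return NULL;
	}
	return stack[--sp];
}

/* ':' into an array that must first grow.  storeearly == 0 assigns sptr->val
 * after EMPTY (pre-patch); != 0 assigns it before any jump (patched). */
static void
store(Sym *sptr, int need, int storeearly)
{
	Blk *p, *q, *s;
	p = sptr->val;
	if(p->len < need){
		q = copy(p, need);
		release(p);       /* old block is on hfree; sptr->val still points at it */
		p = q;
	}
	if(storeearly)
		sptr->val = p;    /* patch: the symbol owns the new block first */
	s = pop();
	EMPTY;                /* empty stack: longjmp, nothing below runs */
	p->buf[0] = s->buf[0];   /* stand-in for salterwd(p, s) */
	release(s);
	if(!storeearly)
		sptr->val = p;    /* original placement: never reached after EMPTY */
}

/* Run ':' on an empty stack, recover through the jump, then clear the symbol
 * as dc does on 'c' or at exit.  Returns the double releases seen. */
static int
scenario(int storeearly)
{
	hfree = NULL;
	sp = stkempty = doublefree = 0;
	symtab.val = salloc(8);       /* array too small for the store below */
	if(setjmp(env) == 0)
		store(&symtab, 32, storeearly);
	release(symtab.val);          /* symbol-table clean-up */
	return doublefree;
}
```

scenario(0) returns 1 and scenario(1) returns 0. The only difference between the two runs is where the store into the symbol happens relative to the non-local exit; everything a longjmp skips has to already be in a state the clean-up path can free.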