zsh-workers
* Possible Bug
@ 2015-08-31 21:30 Brian Millar
  2015-09-01  5:53 ` Bart Schaefer
  0 siblings, 1 reply; 4+ messages in thread
From: Brian Millar @ 2015-08-31 21:30 UTC (permalink / raw)
  To: zsh-workers


Hi, I think I may have discovered a bug in ZSH.

I was trying to install a prompt theme and I mixed things up, moved things and named things wrong.

This resulted in the file wanted by the set_prompt actually being a directory.

ZSH would crash on start; if I ran it on top of another shell I could see the error was "set_prompt:100: fatal error: out of memory".

I traced it and found that the open() syscall ran on the directory; the result was passed to lseek() with argument SEEK_END, which I don't think makes any sense for a directory.

lseek() returned an astronomically huge value which was passed to mmap() as bytes to allocate. That's when the crash happens.

I talked to some kernel folks who say you should check that the file coming from open() is not anything other than a normal file.

If this is not a ZSH bug I'm sorry for wasting your time.


* Re: Possible Bug
  2015-08-31 21:30 Possible Bug Brian Millar
@ 2015-09-01  5:53 ` Bart Schaefer
  2015-09-01 12:02   ` Brian Millar
  2015-09-01 20:51   ` Peter Stephenson
  0 siblings, 2 replies; 4+ messages in thread
From: Bart Schaefer @ 2015-09-01  5:53 UTC (permalink / raw)
  To: Brian Millar, zsh-workers@zsh.org 

On Aug 31,  9:30pm, Brian Millar wrote:
}
} This resulted in the file wanted by the set_prompt actually being a
} directory.
} 
} ZSH would crash on start, if I ran it on top of another shell I could
} see the error was "set_prompt:100: fatal error: out of memory".
}
} I traced it and found that the open() syscall ran on the directory,
} the result was passed to lseek() with argument SEEK_END which I don't
} think makes any sense for a directory.

Confirmed this.  Autoloading calls access(..., R_OK) but does not stat()
for plain-file-ness before attempting to open() and load into memory.

On what operating system is this occurring?  lseek() on a directory in
my straces always returns zero.


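The sequence Brian describes (access() passes on a directory, open() succeeds, the size reported by the kernel is fed straight into an allocation) and the missing check Bart names (no stat() for plain-file-ness before loading) are illustrated by the following loader. It is an added example written for this thread, not code from zsh; the function and enum names are my own, and the temp paths under /tmp are constructed for the demonstration. The guard is fstat() on the descriptor that open() returned, which describes the object actually opened, plus an explicit upper bound on the size before it becomes an allocation.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum load_status { LOAD_OK = 0, LOAD_OPEN_FAILED, LOAD_NOT_REGULAR,
                   LOAD_TOO_LARGE, LOAD_READ_FAILED };
/* Read a whole regular file into a malloc'ed, NUL-terminated buffer. Same shape
 * as the autoload path in the thread (open, size, allocate, read), but the size
 * comes from fstat() on the opened fd and is trusted only for S_ISREG files. */
static enum load_status
load_regular_file(const char *path, char **out, size_t *out_len, size_t max_len)
{
    enum load_status rc = LOAD_NOT_REGULAR;
    struct stat st;
    char *buf;
    size_t len, got = 0;
    int fd;
    *out = NULL; *out_len = 0;
    if ((fd = open(path, O_RDONLY | O_NOCTTY)) == -1)
        return LOAD_OPEN_FAILED;
    /* fstat() the fd rather than stat() the path: it describes the object that
     * was opened, so nothing swapped in after access() can slip past. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        goto out;
    /* st_size is an off_t; bound it before it becomes an allocation size. */
    rc = LOAD_TOO_LARGE;
    if (st.st_size < 0 || (uintmax_t)st.st_size > (uintmax_t)max_len)
        goto out;
    rc = LOAD_READ_FAILED; len = (size_t)st.st_size;
    if ((buf = malloc(len + 1)) == NULL)
        goto out;
    /* Short reads are normal; EOF before len bytes means the file shrank. */
    while (got < len) {
        ssize_t rlen = read(fd, buf + got, len - got);
        if (rlen < 0) {
            if (errno == EINTR)
                continue;
            free(buf);
            goto out;
        }
        if (rlen == 0)
            break;
        got += (size_t)rlen;
    }
    buf[got] = '\0';
    *out = buf;
    *out_len = got;
    rc = LOAD_OK;
out:
    close(fd);
    return rc;
}

/* A constructed temp directory passes access(R_OK); the loader must reject it. */
static int demo_directory_case(void)
{
    char path[64], *buf = NULL;
    size_t len;
    int status = -1;
    snprintf(path, sizeof path, "/tmp/zsh_loader_demo_dir_%ld", (long)getpid());
    if (mkdir(path, 0700) != 0)
        return -1;
    if (access(path, R_OK) == 0)
        status = load_regular_file(path, &buf, &len, 1u << 20);
    free(buf);
    rmdir(path);
    return status;                        /* LOAD_NOT_REGULAR */
}

/* A constructed function body in a regular temp file round-trips intact. */
static int demo_regular_file_case(void)
{
    static const char body[] = "echo hello\n";
    char path[64], *buf = NULL;
    size_t len;
    int fd, ok;
    snprintf(path, sizeof path, "/tmp/zsh_loader_demo_file_%ld", (long)getpid());
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1)
        return 0;
    ok = write(fd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1);
    close(fd);
    ok = ok && load_regular_file(path, &buf, &len, 1u << 20) == LOAD_OK
            && len == sizeof body - 1 && strcmp(buf, body) == 0;
    free(buf);
    unlink(path);
    return ok;                            /* 1 */
}

int main(void)
{
    printf("directory: %d (expect %d)\n", demo_directory_case(), (int)LOAD_NOT_REGULAR);
    printf("regular file: %s\n", demo_regular_file_case() ? "ok" : "FAILED");
    return 0;
}
```

The demo deliberately does not use lseek(SEEK_END) on the directory, because what it returns there is filesystem-specific (an astronomically large offset in Brian's report, zero in Bart's straces); the point of the guard is that the size is never consulted at all unless S_ISREG() holds.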

* Re: Possible Bug
  2015-09-01  5:53 ` Bart Schaefer
@ 2015-09-01 12:02   ` Brian Millar
  2015-09-01 20:51   ` Peter Stephenson
  1 sibling, 0 replies; 4+ messages in thread
From: Brian Millar @ 2015-09-01 12:02 UTC (permalink / raw)
  To: Bart Schaefer, zsh-workers@zsh.org 

> On what operating system is this occurring?
I'm running Gentoo with linux-4.1.3-gentoo-gnu, which means it has the Gentoo patches and is deblobbed/libre.

* Re: Possible Bug
  2015-09-01  5:53 ` Bart Schaefer
  2015-09-01 12:02   ` Brian Millar
@ 2015-09-01 20:51   ` Peter Stephenson
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Stephenson @ 2015-09-01 20:51 UTC (permalink / raw)
  To: Bart Schaefer, zsh-workers@zsh.org ; +Cc: Brian Millar

On Mon, 31 Aug 2015 22:53:04 -0700
Bart Schaefer <schaefer@brasslantern.com> wrote:
> Confirmed this.  Autoloading calls access(..., R_OK) but does not stat()
> for plain-file-ness before attempting to open() and load into memory.

The tests we usually use for this kind of thing look like this.

This means we'll skip the directory silently and find a regular file
within another directory if there is one, and only report an error if
there isn't --- I presume that's correct.

pws

diff --git a/Src/exec.c b/Src/exec.c
index 45f1c66..109a04a 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -5392,7 +5392,9 @@ getfpfunc(char *s, int *ksh, char **fname)
 	}
 	unmetafy(buf, NULL);
 	if (!access(buf, R_OK) && (fd = open(buf, O_RDONLY | O_NOCTTY)) != -1) {
-	    if ((len = lseek(fd, 0, 2)) != -1) {
+	    struct stat st;
+	    if (!fstat(fd, &st) && S_ISREG(st.st_mode) &&
+		(len = lseek(fd, 0, 2)) != -1) {
 		d = (char *) zalloc(len + 1);
 		lseek(fd, 0, 0);
 		if ((rlen = read(fd, d, len)) >= 0) {
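Review bot: checking S_ISREG() on the descriptor returned by open() is the right shape here, since fstat() describes the object actually opened while the preceding access() only tests the path; two things to confirm in this hunk: that the branch taken when the new condition is false still closes fd, because before this change only a failing lseek() reached it, and that the size could simply be taken from st.st_size, which fstat() has already filled in, rather than from `lseek(fd, 0, 2)` (at minimum, spell SEEK_END instead of the magic 2 while the line is being touched).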

