[PATCH] Fortify zrealloc append to arrays

zsh-workers
 help / color / mirror / code / Atom feed

* [PATCH] Fortify zrealloc append to arrays
@ 2018-06-17 14:39 Sebastian Gniazdowski
  2018-06-17 18:26 ` Sebastian Gniazdowski
  0 siblings, 1 reply; 2+ messages in thread
From: Sebastian Gniazdowski @ 2018-06-17 14:39 UTC (permalink / raw)
  To: Zsh hackers list

[-- Attachment #1: Type: text/plain, Size: 645 bytes --]

Hello,
one user of my project reports crash with message about realloc(), when pasting:

$ openssl req -new -newkey rsa:4096 > regisrealloc(): invalid old size
Connection to localhost closed.

I looked at my code that introduced realloc() to array appends. It
seems that its correctness is guarded by this: before patch, old
pointer (old array) was subject to arrsetfn, which does freearray().
So if string can be freed, it for sure can be realloc()-ed.

That said I have a patch that checks if old pointer isn't nullarray
(static variable) and has the standard getter. A fortification, to
sleep better.

-- 
Best regards,
Sebastian Gniazdowski

[-- Attachment #2: append_nular_fortify.diff.txt --]
[-- Type: text/plain, Size: 1117 bytes --]

diff --git a/Src/params.c b/Src/params.c
index f130934..95272b7 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -150,6 +150,8 @@ rprompt_indent_unsetfn(Param pm, int exp);
 
 /* Standard methods for get/set/unset pointers in parameters */
 
+static char *nullarray = NULL;
+
 /**/
 mod_export const struct gsu_scalar stdscalar_gsu =
 { strgetfn, strsetfn, stdunsetfn };
@@ -2803,7 +2805,8 @@ setarrvalue(Value v, char **val)
             if (post_assignment_length > pre_assignment_length &&
                     pre_assignment_length <= v->start &&
                     pre_assignment_length > 0 &&
-                    v->pm->gsu.a->setfn == arrsetfn)
+                    v->pm->gsu.a->setfn == arrsetfn && v->pm->gsu.a->getfn == arrgetfn &&
+                    old != &nullarray)
             {
                 p = new = (char **) zrealloc(old, sizeof(char *)
                                            * (post_assignment_length + 1));
@@ -3788,8 +3791,6 @@ strsetfn(Param pm, char *x)
 
 /* Function to get value of an array parameter */
 
-static char *nullarray = NULL;
-
 /**/
 char **
 arrgetfn(Param pm)

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] Fortify zrealloc append to arrays
  2018-06-17 14:39 [PATCH] Fortify zrealloc append to arrays Sebastian Gniazdowski
@ 2018-06-17 18:26 ` Sebastian Gniazdowski
  0 siblings, 0 replies; 2+ messages in thread
From: Sebastian Gniazdowski @ 2018-06-17 18:26 UTC (permalink / raw)
  To: Zsh hackers list

I luckily obtained segfaults and coredumps. Ran -O0 zsh, waited for
segfault, and here is backtrace:

(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x0000000103f81e18 zle.so`getkeybuf(w=0) at zle_keymap.c:1679
    frame #1: 0x0000000103f81b26
zle.so`getkeymapcmd(km=0x00007faa2801d800, funcp=0x00007ffeebdeaab0,
strp=0x00007ffeebdeaa98) at zle_keymap.c:1587
    frame #2: 0x0000000103f81f73 zle.so`getkeycmd at zle_keymap.c:1705
    frame #3: 0x0000000103f84b7c zle.so`zlecore at zle_main.c:1129
    frame #4: 0x0000000103f85575 zle.so`zleread(lp=0x0000000103ee2bf8,
rp=0x0000000103ee2c38, flags=3, context=0, init="zle-line-init",
finish="zle-line-finish") at zle_main.c:1352
    frame #5: 0x0000000103f863c3 zle.so`zle_main_entry(cmd=1,
ap=0x00007ffeebdeb090) at zle_main.c:2109
    frame #6: 0x0000000103e60f67 zsh`zleentry(cmd=1) at init.c:1602
    frame #7: 0x0000000103e6265d zsh`inputline at input.c:295
    frame #8: 0x0000000103e62255 zsh`ingetc at input.c:228
    frame #9: 0x0000000103e541bd zsh`ihgetc at hist.c:407
    frame #10: 0x0000000103e6bd36 zsh`gettok at lex.c:611

I've listed source and obtained:

frame #0: 0x0000000103f81e18 zle.so`getkeybuf(w=0) at zle_keymap.c:1679
   1676        int c = getbyte((long)w, NULL);
   1677
   1678        if(c < 0)
-> 1679        return EOF;
   1680        addkeybuf(c);
   1681        return c;
   1682    }

Where could be segfault hiding? I know one thing. If I comment out
following line with <():

                         exec {PCFD}< <(echo ${sysparams[pid]})

I get no segfault nor other (Ctrl-C) problems. Interior of <( ) can be
different from above, the same happens.

On 17 June 2018 at 16:39, Sebastian Gniazdowski <sgniazdowski@gmail.com> wrote:
> Hello,
> one user of my project reports crash with message about realloc(), when pasting:
>
> $ openssl req -new -newkey rsa:4096 > regisrealloc(): invalid old size
> Connection to localhost closed.
>
> I looked at my code that introduced realloc() to array appends. It
> seems that its correctness is guarded by this: before patch, old
> pointer (old array) was subject to arrsetfn, which does freearray().
> So if string can be freed, it for sure can be realloc()-ed.
>
> That said I have a patch that checks if old pointer isn't nullarray
> (static variable) and has the standard getter. A fortification, to
> sleep better.
>
> --
> Best regards,
> Sebastian Gniazdowski


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-06-17 18:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-17 14:39 [PATCH] Fortify zrealloc append to arrays Sebastian Gniazdowski
2018-06-17 18:26 ` Sebastian Gniazdowski

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).