From patchwork Thu Dec 15 17:02:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?0L3QsNCx?= X-Patchwork-Id: 13074396 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57759C4332F for ; Thu, 15 Dec 2022 17:02:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230418AbiLORCp (ORCPT ); Thu, 15 Dec 2022 12:02:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230421AbiLORCV (ORCPT ); Thu, 15 Dec 2022 12:02:21 -0500 Received: from tarta.nabijaczleweli.xyz (unknown [139.28.40.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 4E89E27B16 for ; Thu, 15 Dec 2022 09:02:19 -0800 (PST) Received: from tarta.nabijaczleweli.xyz (unknown [192.168.1.250]) by tarta.nabijaczleweli.xyz (Postfix) with ESMTPSA id 59857160C; Thu, 15 Dec 2022 18:02:17 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nabijaczleweli.xyz; s=202211; t=1671123737; bh=MGpScLVf9ipd13IlaJ7GQlKp7jEJmZtgNxrL6cWLLuc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=A3VpRiC6Y3ZDEPOb7ChmOjBEo96/rjibA1O/RE5s4rhxnnW79NZoZCPsfYtABChvn Dz7Gs/zSXpgBqzoP4J8vkhnGmCmOU+B0VVDUiA1dliwSx2quY//jWdTAd8ESGigToa Vb7+TyApsTtc0fM5rDaAtge7gk8XT7Rvpx0C+9oLaGndpE5xqgV50WOEN1u9skJloO wUir/HR1lCfYx99hse7LL1Q9YBIXNANhdbxHAnA9+fV999FxIMjAPmFGFpzOTve/3a LBr/YwzkXrynXS8WGCPI9blRmJnY03VKG+sGDbLKGGEHGgw/5tfNZVKxe0jHG1NVan vPYuhSpcFKiDw== Date: Thu, 15 Dec 2022 18:02:16 +0100 From: =?utf-8?b?0L3QsNCx?= To: Herbert Xu Cc: dash@vger.kernel.org Subject: [PATCH v2] parser: don't keep alloca()ing in a loop for substitutions Message-ID: <20221215170216.hm6i5akmxbz6u62j@tarta.nabijaczleweli.xyz> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20220429 Precedence: bulk List-ID: X-Mailing-List: dash@vger.kernel.org When encountering printf %010000d | tr 0 \` | sh -n printf %09999d | tr 0 \` | sh -n you want no output and "Syntax error: EOF in backquote substitution", respectively; instead, current dash segfaults. This is because the alloca for the save buffer is run, naturally, in the same function, so first it allocates one byte, then two, then ..., then appx. 4000 (for me, depends on the binary), then it segfaults on the memcpy (it's even worse, since due to alignment, it usually allocates much more for the early stuff). Nevertheless, the stack frame grows unboundedly, until we completely destroy the stack. Instead of squirreling the out block away, then letting subsequent allocations override the original, mark it used, and just re-copy it to the top of the dash stack. This increases peak memory usage somewhat (in the most pathological case ‒ the above but with three nines ‒ from 23.26 to 173.7KiB according to massif, in parsing a regular program (ratrun from ratrun 0c) from 28.68 to 29.19; a simpler program (ibid., rat) stays at 5.422; parsing libtoolize, debootstrap, and dkms (the biggest shell programs in my /[s]bin by size + by `/$( count) likewise stay the same at 12.02, 41.48, and 6.438) but it's barely measurable outside of truly pathological conditions that were a step away from a segfault previously. Fixes: https://bugs.debian.org/966156 --- Naturally, I hadn't considered that. This version I've run through valgrind in a good few configurations and am happy to conclude there are no leaks (and the memory usage bump is imperceptible unless you were almost-crashing anyway). src/parser.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/parser.c b/src/parser.c index a552c47..89698cb 100644 --- a/src/parser.c +++ b/src/parser.c @@ -1360,12 +1360,9 @@ parsebackq: { struct heredoc *saveheredoclist; int uninitialized_var(saveprompt); - str = NULL; + str = stackblock(); savelen = out - (char *)stackblock(); - if (savelen > 0) { - str = alloca(savelen); - memcpy(str, stackblock(), savelen); - } + grabstackblock(savelen); if (oldstyle) { /* We must read until the closing backquote, giving special treatment to some slashes, and then push the string and @@ -1446,10 +1443,8 @@ done: if (oldstyle) tokpushback = 0; out = growstackto(savelen + 1); - if (str) { - memcpy(out, str, savelen); - STADJUST(savelen, out); - } + memcpy(out, str, savelen); + STADJUST(savelen, out); USTPUTC(CTLBACKQ, out); if (oldstyle) goto parsebackq_oldreturn;