Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/bin/sh Deal with ref after free found by ASAN when a functio...
details: https://anonhg.NetBSD.org/src/rev/1d3afce12f45
branches: trunk
changeset: 320077:1d3afce12f45
user: kre <kre%NetBSD.org@localhost>
date: Fri Jun 22 11:04:55 2018 +0000
description:
Deal with ref after free found by ASAN when a function redefines
itself, or some other function which is still active.
This was a long known bug (fixed ages ago in the FreeBSD sh) which
hadn't been fixed as in practice, the situation that causes the
problem simply doesn't arise .. ASAN found it in the sh dotcmd
tests which do have this odd "feature" in the way they are written
(but where it never caused a problem, as the tests are so simple
that no mem is ever allocated between when the old version of the
function was deleted, and when it finished executing, so its code
all remained intact, despite having been freed.)
The fix is taken from the FreeBSD sh.
XXX -- pullup-8 (after a while to ensure no other problems arise).
diffstat:
bin/sh/eval.c | 13 +++--
bin/sh/exec.c | 14 +++---
bin/sh/exec.h | 5 +-
bin/sh/mknodes.sh | 22 +++++---
bin/sh/nodes.c.pat | 121 +++++++++++++++++++++++++++++++++++++---------------
5 files changed, 117 insertions(+), 58 deletions(-)
diffs (truncated from 412 to 300 lines):
diff -r 10c7eb668241 -r 1d3afce12f45 bin/sh/eval.c
--- a/bin/sh/eval.c Fri Jun 22 10:17:04 2018 +0000
+++ b/bin/sh/eval.c Fri Jun 22 11:04:55 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: eval.c,v 1.154 2018/06/17 17:19:06 kre Exp $ */
+/* $NetBSD: eval.c,v 1.155 2018/06/22 11:04:55 kre Exp $ */
/*-
* Copyright (c) 1993
@@ -37,7 +37,7 @@
#if 0
static char sccsid[] = "@(#)eval.c 8.9 (Berkeley) 6/8/95";
#else
-__RCSID("$NetBSD: eval.c,v 1.154 2018/06/17 17:19:06 kre Exp $");
+__RCSID("$NetBSD: eval.c,v 1.155 2018/06/22 11:04:55 kre Exp $");
#endif
#endif /* not lint */
@@ -1069,6 +1069,7 @@
INTOFF;
savelocalvars = localvars;
localvars = NULL;
+ reffunc(cmdentry.u.func);
INTON;
if (setjmp(jmploc.loc)) {
if (exception == EXSHELLPROC) {
@@ -1078,6 +1079,7 @@
freeparam(&shellparam);
shellparam = saveparam;
}
+ unreffunc(cmdentry.u.func);
poplocalvars();
localvars = savelocalvars;
funclinebase = savefuncline;
@@ -1096,8 +1098,8 @@
VTRACE(DBG_EVAL,
("function: node: %d '%s' # %d%s; funclinebase=%d\n",
- cmdentry.u.func->type,
- NODETYPENAME(cmdentry.u.func->type),
+ getfuncnode(cmdentry.u.func)->type,
+ NODETYPENAME(getfuncnode(cmdentry.u.func)->type),
cmdentry.lineno, cmdentry.lno_frel?" (=1)":"",
funclinebase));
}
@@ -1105,9 +1107,10 @@
/* stop shell blowing its stack */
if (++funcnest > 1000)
error("too many nested function calls");
- evaltree(cmdentry.u.func, flags & EV_TESTED);
+ evaltree(getfuncnode(cmdentry.u.func), flags & EV_TESTED);
funcnest--;
INTOFF;
+ unreffunc(cmdentry.u.func);
poplocalvars();
localvars = savelocalvars;
funclinebase = savefuncline;
diff -r 10c7eb668241 -r 1d3afce12f45 bin/sh/exec.c
--- a/bin/sh/exec.c Fri Jun 22 10:17:04 2018 +0000
+++ b/bin/sh/exec.c Fri Jun 22 11:04:55 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: exec.c,v 1.51 2017/07/05 19:58:10 kre Exp $ */
+/* $NetBSD: exec.c,v 1.52 2018/06/22 11:04:55 kre Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -37,7 +37,7 @@
#if 0
static char sccsid[] = "@(#)exec.c 8.4 (Berkeley) 6/8/95";
#else
-__RCSID("$NetBSD: exec.c,v 1.51 2017/07/05 19:58:10 kre Exp $");
+__RCSID("$NetBSD: exec.c,v 1.52 2018/06/22 11:04:55 kre Exp $");
#endif
#endif /* not lint */
@@ -481,8 +481,9 @@
out1fmt("%s", cmdp->cmdname);
if (verbose) {
struct procstat ps;
+
INTOFF;
- commandtext(&ps, cmdp->param.func);
+ commandtext(&ps, getfuncnode(cmdp->param.func));
INTON;
out1str("() { ");
out1str(ps.cmd);
@@ -989,9 +990,8 @@
INTOFF;
cmdp = cmdlookup(name, 1);
if (cmdp->cmdtype != CMDSPLBLTIN) {
- if (cmdp->cmdtype == CMDFUNCTION) {
- freefunc(cmdp->param.func);
- }
+ if (cmdp->cmdtype == CMDFUNCTION)
+ unreffunc(cmdp->param.func);
cmdp->cmdtype = entry->cmdtype;
cmdp->lineno = entry->lineno;
cmdp->fn_ln1 = entry->lno_frel;
@@ -1031,7 +1031,7 @@
if ((cmdp = cmdlookup(name, 0)) != NULL &&
cmdp->cmdtype == CMDFUNCTION) {
- freefunc(cmdp->param.func);
+ unreffunc(cmdp->param.func);
delete_cmd_entry();
}
return 0;
diff -r 10c7eb668241 -r 1d3afce12f45 bin/sh/exec.h
--- a/bin/sh/exec.h Fri Jun 22 10:17:04 2018 +0000
+++ b/bin/sh/exec.h Fri Jun 22 11:04:55 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: exec.h,v 1.26 2017/06/07 05:08:32 kre Exp $ */
+/* $NetBSD: exec.h,v 1.27 2018/06/22 11:04:55 kre Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -49,7 +49,7 @@
union param {
int index;
int (*bltin)(int, char**);
- union node *func;
+ struct funcdef *func;
} u;
};
@@ -72,6 +72,7 @@
void changepath(const char *);
void deletefuncs(void);
void getcmdentry(char *, struct cmdentry *);
+union node;
void defun(char *, union node *, int);
int unsetfunc(char *);
void hash_special_builtins(void);
diff -r 10c7eb668241 -r 1d3afce12f45 bin/sh/mknodes.sh
--- a/bin/sh/mknodes.sh Fri Jun 22 10:17:04 2018 +0000
+++ b/bin/sh/mknodes.sh Fri Jun 22 11:04:55 2018 +0000
@@ -1,5 +1,5 @@
#! /bin/sh
-# $NetBSD: mknodes.sh,v 1.2 2008/04/29 06:53:00 martin Exp $
+# $NetBSD: mknodes.sh,v 1.3 2018/06/22 11:04:55 kre Exp $
# Copyright (c) 2003 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -111,8 +111,12 @@
echo "};"
echo
echo
-echo "union node *copyfunc(union node *);"
-echo "void freefunc(union node *);"
+echo 'struct funcdef;'
+echo 'struct funcdef *copyfunc(union node *);'
+echo 'union node *getfuncnode(struct funcdef *);'
+echo 'void reffunc(struct funcdef *);'
+echo 'void unreffunc(struct funcdef *);'
+echo 'void freefunc(struct funcdef *);'
mv $objdir/nodes.h.tmp $objdir/nodes.h || exit 1
@@ -140,7 +144,7 @@
'%CALCSIZE' )
echo " if (n == NULL)"
echo " return;"
- echo " funcblocksize += nodesize[n->type];"
+ echo " res->bsize += nodesize[n->type];"
echo " switch (n->type) {"
IFS=' '
for struct in $struct_list; do
@@ -157,11 +161,11 @@
IFS=' '
set -- $line
name=$1
- cl=")"
+ cl=", res)"
case $2 in
nodeptr ) fn=calcsize;;
nodelist ) fn=sizenodelist;;
- string ) fn="funcstringsize += strlen"
+ string ) fn="res->ssize += strlen"
cl=") + 1";;
* ) continue;;
esac
@@ -174,8 +178,8 @@
'%COPY' )
echo " if (n == NULL)"
echo " return NULL;"
- echo " new = funcblock;"
- echo " funcblock = (char *) funcblock + nodesize[n->type];"
+ echo " new = st->block;"
+ echo " st->block = (char *) st->block + nodesize[n->type];"
echo " switch (n->type) {"
IFS=' '
for struct in $struct_list; do
@@ -200,7 +204,7 @@
* ) continue;;
esac
f="$struct.$name"
- echo " new->$f = ${fn}n->$f${fn:+)};"
+ echo " new->$f = ${fn}n->$f${fn:+, st)};"
done
echo " break;"
done
diff -r 10c7eb668241 -r 1d3afce12f45 bin/sh/nodes.c.pat
--- a/bin/sh/nodes.c.pat Fri Jun 22 10:17:04 2018 +0000
+++ b/bin/sh/nodes.c.pat Fri Jun 22 11:04:55 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nodes.c.pat,v 1.13 2012/03/20 18:42:29 matt Exp $ */
+/* $NetBSD: nodes.c.pat,v 1.14 2018/06/22 11:04:55 kre Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -35,6 +35,8 @@
*/
#include <stdlib.h>
+#include <stddef.h>
+
/*
* Routine for dealing with parsed shell commands.
*/
@@ -46,43 +48,70 @@
#include "mystring.h"
-int funcblocksize; /* size of structures in function */
-int funcstringsize; /* size of strings in node */
-pointer funcblock; /* block to allocate function from */
-char *funcstring; /* block to allocate strings from */
+/* used to accumulate sizes of nodes */
+struct nodesize {
+ int bsize; /* size of structures in function */
+ int ssize; /* size of strings in node */
+};
+
+/* provides resources for node copies */
+struct nodecopystate {
+ pointer block; /* block to allocate function from */
+ char *string; /* block to allocate strings from */
+};
+
%SIZES
-STATIC void calcsize(union node *);
-STATIC void sizenodelist(struct nodelist *);
-STATIC union node *copynode(union node *);
-STATIC struct nodelist *copynodelist(struct nodelist *);
-STATIC char *nodesavestr(char *);
+STATIC void calcsize(union node *, struct nodesize *);
+STATIC void sizenodelist(struct nodelist *, struct nodesize *);
+STATIC union node *copynode(union node *, struct nodecopystate *);
+STATIC struct nodelist *copynodelist(struct nodelist *, struct nodecopystate *);
+STATIC char *nodesavestr(char *, struct nodecopystate *);
+
+struct funcdef {
+ unsigned int refcount;
+ union node n; /* must be last */
+};
/*
* Make a copy of a parse tree.
*/
-union node *
+struct funcdef *
copyfunc(union node *n)
{
+ struct nodesize sz;
+ struct nodecopystate st;
+ struct funcdef *fn;
+
if (n == NULL)
return NULL;
- funcblocksize = 0;
- funcstringsize = 0;
- calcsize(n);
- funcblock = ckmalloc(funcblocksize + funcstringsize);
- funcstring = (char *) funcblock + funcblocksize;
- return copynode(n);
+ sz.bsize = offsetof(struct funcdef, n);
+ sz.ssize = 0;
+ calcsize(n, &sz);
+ fn = ckmalloc(sz.bsize + sz.ssize);
+ fn->refcount = 1;
+ st.block = (char *)fn + offsetof(struct funcdef, n);
+ st.string = (char *)fn + sz.bsize;
+ copynode(n, &st);
+ return fn;
+}
+
+union node *
+getfuncnode(struct funcdef *fn)
+{
+ if (fn == NULL)
+ return NULL;
+ return &fn->n;
}
Home |
Main Index |
Thread Index |
Old Index