From: Adhemerval Zanella
To: libc-alpha@sourceware.org, Paul Eggert
Cc: bug-gnulib@gnu.org
Subject: [PATCH v3 6/6] stdlib: Add testcase for BZ #26241
Date: Tue, 29 Dec 2020 16:34:54 -0300
Message-Id: <20201229193454.34558-7-adhemerval.zanella@linaro.org>
In-Reply-To: <20201229193454.34558-1-adhemerval.zanella@linaro.org>

Old implementation of realpath allocates a PATH_MAX using alloca for
each symlink in the path, leading to MAXSYMLINKS times PATH_MAX
maximum stack usage.

The test creates a symlink with __eloop_threshold() loops and creates
a thread with minimum stack size (obtained through
support_small_stack_thread_attribute). The thread issues a stack
allocation that fills the thread allocated stack minus some slack
and the realpath usage (which assumes a bounded stack usage). If
realpath uses more than about 2 * PATH_MAX plus some slack it triggers
a stack overflow.

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 stdlib/Makefile            |  3 +-
 stdlib/tst-canon-bz26341.c | 99 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 stdlib/tst-canon-bz26341.c
diff --git a/stdlib/Makefile b/stdlib/Makefile index 29b7cd7071..6518d8993b 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -86,7 +86,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ tst-setcontext6 tst-setcontext7 tst-setcontext8 \ - tst-setcontext9 tst-bz20544 + tst-setcontext9 tst-bz20544 tst-canon-bz26341 tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ tst-tls-atexit tst-tls-atexit-nodelete @@ -101,6 +101,7 @@ LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) +LDLIBS-tst-canon-bz26341 = $(shared-thread-library) LDLIBS-test-dlclose-exit-race = $(shared-thread-library) $(libdl) LDFLAGS-test-dlclose-exit-race = $(LDFLAGS-rdynamic) diff --git a/stdlib/tst-canon-bz26341.c b/stdlib/tst-canon-bz26341.c new file mode 100644 index 0000000000..e0426ab306 --- /dev/null +++ b/stdlib/tst-canon-bz26341.c 
@@ -0,0 +1,99 @@ +/* Check if realpath does not consume extra stack space based on symlink + existance in the path (BZ #26341) + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +#define __sysconf sysconf +#include +#include +#include +#include +#include +#include + +static char *filename; +static size_t filenamelen; +static char *linkname; + +#ifndef PATH_MAX +# define PATH_MAX 1024 +#endif + +static void +create_link (void) +{ + int fd = create_temp_file ("tst-canon-bz26341", &filename); + TEST_VERIFY_EXIT (fd != -1); + xclose (fd); + + char *prevlink = filename; + int maxlinks = __eloop_threshold (); + for (int i = 0; i < maxlinks; i++) + { + linkname = xasprintf ("%s%d", filename, i); + xsymlink (prevlink, linkname); + add_temp_file (linkname); + prevlink = linkname; + } + + filenamelen = strlen (filename); +} + +static void * +do_realpath (void *arg) +{ + /* Old implementation of realpath allocates a PATH_MAX using alloca + for each symlink in the path, leading to MAXSYMLINKS times PATH_MAX + maximum stack usage. + This stack allocations tries fill the thread allocated stack minus + both the resolved path (plus some slack) and the realpath (plus some + slack). 
+ If realpath uses more than 2 * PATH_MAX plus some slack it will trigger + a stackoverflow. */ + + const size_t realpath_usage = 2 * PATH_MAX + 1024; + const size_t thread_usage = 1 * PATH_MAX + 1024; + size_t stack_size = support_small_thread_stack_size () + - realpath_usage - thread_usage; + char stack[stack_size]; + char *resolved = stack + stack_size - thread_usage + 1024; + + char *p = realpath (linkname, resolved); + TEST_VERIFY (p != NULL); + TEST_COMPARE_BLOB (resolved, filenamelen, filename, filenamelen); + + return NULL; +} + +static int +do_test (void) +{ + create_link (); + + pthread_t th = xpthread_create (support_small_stack_thread_attribute (), + do_realpath, NULL); + xpthread_join (th); + + return 0; +} + +#include -- 2.25.1
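Review bot: The bug number is inconsistent between the Subject and the test name added to the tests list in stdlib/Makefile. The new entry is tst-canon-bz26341 and the header comment of stdlib/tst-canon-bz26341.c says "(BZ #26341)", while the Subject line says BZ #26241. Please make the Subject, the file name and the comment agree on one number so the test can be found from the bug report.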
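Review bot: In do_realpath, the size_t computation "support_small_thread_stack_size () - realpath_usage - thread_usage" has no guard against wrapping. If the small thread stack size is not larger than 3 * PATH_MAX + 2048, stack_size wraps to a very large value, the variable-length array "char stack[stack_size]" cannot fit the thread stack, and the test fails for a reason unrelated to realpath's stack usage. A TEST_VERIFY_EXIT that the small stack size exceeds realpath_usage + thread_usage, placed before the array declaration, would make that case explicit. Separately, "TEST_VERIFY (p != NULL)" records the failure but continues, so when realpath fails the following TEST_COMPARE_BLOB reads the uninitialised region that resolved points to; TEST_VERIFY_EXIT, as already used in create_link, fits better there. The block comment also describes thread_usage as space for the resolved path, yet resolved is carved from the tail of stack itself, so it is worth stating in the comment which of the two reservations actually holds the output buffer.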