From patchwork Thu Jan 5 13:42:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?0L3QsNCx?= X-Patchwork-Id: 13089936 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C40ADC64981 for ; Thu, 5 Jan 2023 13:42:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233136AbjAENmS (ORCPT ); Thu, 5 Jan 2023 08:42:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58128 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233842AbjAENmK (ORCPT ); Thu, 5 Jan 2023 08:42:10 -0500 Received: from tarta.nabijaczleweli.xyz (unknown [139.28.40.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D676439F84 for ; Thu, 5 Jan 2023 05:42:07 -0800 (PST) Received: from tarta.nabijaczleweli.xyz (unknown [192.168.1.250]) by tarta.nabijaczleweli.xyz (Postfix) with ESMTPSA id DE50FBC0; Thu, 5 Jan 2023 14:42:05 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nabijaczleweli.xyz; s=202211; t=1672926125; bh=KSFRVe1ldidMj5+KF7iddP8dFns5sQCxw6kiwnPVyCc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=aWVb7tkeh7i8T6yfNpNj0cqyyBdtLDlTNty/nmZsU5T6tr0GIFw32L07PiahsUZgy QEpFJK++2bN0WQJLw29e4RcpJIEhFj6eaH9ttvxSIaaDCY/nyjyExNC6VCS71iXleY MzW7z5ToCANVPA2tXAWYxz7cymKzvMHpckwCjZHSwkuMGsC0BJ/Jlv34UTdeVHLbuw HiztERUbteQAqcA6oZuiXTCWBgyeo2m2J5yDj/LN7HhyRb90h/b8uDcTkK4Wn296iv mhCRM9tbyAmNI3dy7IEZZKXU8y5EStXpz7QKPKy9QEqtgpHXAHNwIWy4LKfYKjJoG9 0JyIVkYSx92xA== Date: Thu, 5 Jan 2023 14:42:04 +0100 From: =?utf-8?b?0L3QsNCx?= To: Herbert Xu Cc: dash@vger.kernel.org Subject: [PATCH v3] parser: don't keep alloca()ing in a loop for substitutions Message-ID: <20230105134204.e7mczfzt2vbit3oc@tarta.nabijaczleweli.xyz> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20220429 Precedence: bulk List-ID: X-Mailing-List: dash@vger.kernel.org When encountering printf %010000d | tr 0 \` | sh -n printf %09999d | tr 0 \` | sh -n you want no output and "Syntax error: EOF in backquote substitution", respectively; instead, current dash segfaults. This is because the alloca for the save buffer is run, naturally, in the same function, so first it allocates one byte, then two, then ..., then appx. 4000 (for me, depends on the binary), then it segfaults on the memcpy (it's even worse, since due to alignment, it usually allocates much more for the early stuff). Nevertheless, the stack frame grows unboundedly, until we completely destroy the stack. Instead of squirreling the out block away, then letting subsequent allocations override the original, mark it used, and just re-copy it to the top of the dash stack. This increases peak memory usage somewhat (in the most pathological case ‒ the above but with three nines ‒ from 23.26 to 173.7KiB according to massif, in parsing a regular program (ratrun from ratrun 0c) from 28.68 to 29.19; a simpler program (ibid., rat) stays at 5.422; parsing libtoolize, debootstrap, and dkms (the biggest shell programs in my /[s]bin by size + by `/$( count) likewise stay the same at 12.02, 41.48, and 6.438) but it's barely measurable outside of truly pathological conditions that were a step away from a segfault previously. Fixes: https://bugs.debian.org/966156 --- I think this means we also need to turn the USTPUTC() into STPUTC(), since the previous code explicitly over-accounted for it in growstackto(). src/parser.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/src/parser.c b/src/parser.c index 8a06b9e..f5f76d5 100644 --- a/src/parser.c +++ b/src/parser.c @@ -1360,12 +1360,9 @@ parsebackq: { struct heredoc *saveheredoclist; int uninitialized_var(saveprompt); - str = NULL; + str = stackblock(); savelen = out - (char *)stackblock(); - if (savelen > 0) { - str = alloca(savelen); - memcpy(str, stackblock(), savelen); - } + grabstackblock(savelen); if (oldstyle) { /* We must read until the closing backquote, giving special treatment to some slashes, and then push the string and @@ -1445,12 +1442,8 @@ done: /* Ignore any pushed back tokens left from the backquote parsing. */ if (oldstyle) tokpushback = 0; - out = growstackto(savelen + 1); - if (str) { - memcpy(out, str, savelen); - STADJUST(savelen, out); - } - USTPUTC(CTLBACKQ, out); + out = stnputs(str, savelen, stackblock()); + STPUTC(CTLBACKQ, out); if (oldstyle) goto parsebackq_oldreturn; else