From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin-patches@cygwin.com
Subject: Re: [PATCH v2] Cygwin: spawn: Fix segfalt when too many command line args are specified.
Date: Mon, 28 Aug 2023 21:27:09 +0900 [thread overview]
Message-ID: <20230828212709.0d1f2703dbc10c8ae96da3ac@nifty.ne.jp> (raw)
In-Reply-To: <ZOx9j/YRr3UX88wV@calimero.vinschen.de>
On Mon, 28 Aug 2023 12:57:19 +0200
Corinna Vinschen wrote:
> On Aug 28 18:46, Takashi Yano wrote:
> > Previously, the number of command line args was not checked for
> > cygwin process. Due to this, segmentation fault was caused if too
> > many command line args are specified.
> > https://cygwin.com/pipermail/cygwin/2023-August/254333.html
> >
> > Since char *argv[argc + 1] is placed on the stack in dll_crt0_1(),
> > STATUS_STACK_OVERFLOW occurs if the stack does not have enough
> > space.
> >
> > With this patch, the total length of the arguments and the size of
> > argv[] is restricted to 1/4 of total stack size for the process, and
> > spawnve() returns E2BIG if the size exceeds the limit.
> > [...]
> > +static size_t
> > +get_stack_size (const WCHAR *filename)
> > +{
> > + HANDLE h;
> > + h = CreateFileW (filename, GENERIC_READ, FILE_SHARE_READ,
> > + NULL, OPEN_EXISTING, 0, NULL);
> > + char buf[1024];
> > + DWORD n;
> > + ReadFile (h, buf, sizeof (buf), &n, 0);
> > + CloseHandle (h);
> > + IMAGE_NT_HEADERS32 *p = (IMAGE_NT_HEADERS32 *) memmem (buf, n, "PE\0\0", 4);
> > + if (!p)
> > + return 0;
> > + if ((char *) &p->OptionalHeader.SizeOfStackCommit > buf + n)
> > + return 0; /* buf[] is not enough */
> > + if (p->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
> > + return p->OptionalHeader.SizeOfStackReserve;
> > + IMAGE_NT_HEADERS64 *p64 = (IMAGE_NT_HEADERS64 *) p;
> > + if ((char *) &p64->OptionalHeader.SizeOfStackCommit > buf + n)
> > + return 0; /* buf[] is not enough */
> > + return p64->OptionalHeader.SizeOfStackReserve;
> > +}
>
> Sorry, but this proposal is too complicated, IMHO.
>
> Checking the stacksize in the file header for each single execve
> is quite a bit time consuming, isn't it?
>
> The question is rather, why storing argv on the stack at all? I guess
> the original idea was that argv is always a rather overseeable number.
> But it doesn't have to stay on the stack.
>
> I tried this simple patch:
>
> diff --git a/winsup/cygwin/dcrt0.cc b/winsup/cygwin/dcrt0.cc
> index 49b7a44aeb15..961dea4ab993 100644
> --- a/winsup/cygwin/dcrt0.cc
> +++ b/winsup/cygwin/dcrt0.cc
> @@ -978,11 +978,8 @@ dll_crt0_1 (void *)
> a change to an element of argv[] it does not affect Cygwin's argv.
> Changing the the contents of what argv[n] points to will still
> affect Cygwin. This is similar (but not exactly like) Linux. */
> - char *newargv[__argc + 1];
> - char **nav = newargv;
> - char **oav = __argv;
> - while ((*nav++ = *oav++) != NULL)
> - continue;
> + char **newargv = (char **) malloc ((__argc + 1) * sizeof (char **));
> + memcpy (newargv, __argv, (__argc + 1) * sizeof (char **));
> /* Handle any signals which may have arrived */
> sig_dispatch_pending (false);
> _my_tls.call_signal_handler ();
>
> and the testcase `LC_ALL=C sed 's/x/y/' $(seq 1000000)' simply ran
> as desired. Combined with a bit of error checking...
>
> > diff --git a/winsup/cygwin/sysconf.cc b/winsup/cygwin/sysconf.cc
> > index 2db92e4de..6cb2aecd0 100644
> > --- a/winsup/cygwin/sysconf.cc
> > +++ b/winsup/cygwin/sysconf.cc
> > @@ -21,6 +21,13 @@ details. */
> > #include "cpuid.h"
> > #include "clock.h"
> >
> > +#define DEFAULT_STACKGUARD (wincap.def_guard_page_size() + wincap.page_size ())
> > +static long
> > +get_arg_max (int in)
> > +{
> > + return (long) (get_rlimit_stack () + DEFAULT_STACKGUARD) / 4;
> > +}
> > +
> > static long
> > get_page_size (int in)
> > {
> > @@ -485,7 +492,7 @@ static struct
> > };
> > } sca[] =
> > {
> > - {cons, {c:ARG_MAX}}, /* 0, _SC_ARG_MAX */
> > + {func, {f:get_arg_max}}, /* 0, _SC_ARG_MAX */
> > {cons, {c:CHILD_MAX}}, /* 1, _SC_CHILD_MAX */
> > {cons, {c:CLOCKS_PER_SEC}}, /* 2, _SC_CLK_TCK */
> > {cons, {c:NGROUPS_MAX}}, /* 3, _SC_NGROUPS_MAX */
> > --
> > 2.39.0
>
> Along these lines, there's no reason to couple SC_ARG_MAX to the
> size of the stack. I'd propose to return the value 2097152. It's
> the default value returned by getconf ARG_MAX on LInx as well.
What happens if user allocate stack whose size is not enough for
2097152?
--
Takashi Yano <takashi.yano@nifty.ne.jp>
next prev parent reply other threads:[~2023-08-28 12:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 9:46 Takashi Yano
2023-08-28 10:57 ` Corinna Vinschen
2023-08-28 11:09 ` Corinna Vinschen
2023-08-28 11:18 ` Corinna Vinschen
2023-08-28 12:14 ` Takashi Yano
2023-08-28 12:09 ` Takashi Yano
2023-08-28 12:20 ` Takashi Yano
2023-08-28 12:27 ` Takashi Yano [this message]
2023-08-28 13:23 ` Takashi Yano
2023-08-28 12:51 ` Takashi Yano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230828212709.0d1f2703dbc10c8ae96da3ac@nifty.ne.jp \
--to=takashi.yano@nifty.ne.jp \
--cc=cygwin-patches@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).