public inbox for glibc-bugs@sourceware.org
* [Bug libc/26341] New: realpath cyclically call __alloca(path_max) to consume too much stack space
@ 2020-08-06 14:16 nixiaoming at huawei dot com
From: nixiaoming at huawei dot com @ 2020-08-06 14:16 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26341
Bug ID: 26341
Summary: realpath cyclically call __alloca(path_max) to consume
too much stack space
Product: glibc
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: nixiaoming at huawei dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
realpath() calls __alloca() cyclically when processing soft link files, which
may consume 164 KB of stack space and increase the stack overflow risk.
test_realpath.c
-------------------
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
    char *p = realpath(argv[1], NULL);
    printf("%p\n", p);
    if (p != NULL)
        printf("%s\n", p);
    return 0;
}
--------------------
test_realpath.sh
--------------------
#!/bin/bash
touch f1
for i in $(seq 1 42); do j=$(($i+1)); ln -s f$i f$j; done
ulimit -c unlimited
ulimit -s 8192
./test_realpath f40
ulimit -s 160
./test_realpath f40
----------------
gdb -c core-test_realpath-1863 test_realpath
---------
#0 0x0000007f7a98a540 in free () from /lib64/libc.so.6
(gdb) bt
#0 0x0000007f7a98a540 in free () from /lib64/libc.so.6
#1 0x0000007f7a94fe40 in realpath () from /lib64/libc.so.6
#2 0x0000005559fb4934 in main (argc=2, argv=0x7fc65e4da8) at test_realpath.c:5
(gdb) p $sp
$1 = (void *) 0x7fc65bd8b0
(gdb) shell readelf -e b/core-test_realpath-1863 |tail
LOAD 0x0000000000026000 0x0000007f7aabd000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R 0x1000
LOAD 0x0000000000027000 0x0000007f7aabe000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R E 0x1000
LOAD 0x0000000000028000 0x0000007f7aabf000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R 0x1000
LOAD 0x0000000000029000 0x0000007f7aac0000 0x0000000000000000
0x0000000000002000 0x0000000000002000 RW 0x1000
LOAD 0x000000000002b000 0x0000007fc65be000 0x0000000000000000
0x0000000000028000 0x0000000000028000 RW 0x1000
(gdb) p 0x7fc65bd8b0-0x7fc65be000
$2 = -1872
(gdb) disassemble
Dump of assembler code for function free:
0x0000007f7a98a530 <+0>: adrp x2, 0x7f7aa88000
0x0000007f7a98a534 <+4>: ldr x2, [x2, #3768]
0x0000007f7a98a538 <+8>: ldr x2, [x2]
0x0000007f7a98a53c <+12>: cbnz x2, 0x7f7a98a620 <free+240>
=> 0x0000007f7a98a540 <+16>: stp x29, x30, [sp, #-48]!
0x0000007f7a98a544 <+20>: mov x29, sp
0x0000007f7a98a548 <+24>: str x19, [sp, #16]
--------
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug libc/26341] realpath cyclically call __alloca(path_max) to consume too much stack space
From: nixiaoming at huawei dot com @ 2020-08-06 14:23 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26341
--- Comment #1 from nixiaoming <nixiaoming at huawei dot com> ---
char *
__realpath (const char *name, char *resolved)
{
  char *rpath, *dest, *extra_buf = NULL;
  const char *start, *end, *rpath_limit;
  long int path_max;
  int num_links = 0;

...

  for (start = end = name; *start; start = end)
    {
      struct stat64 st;
      int n;

...
      if (S_ISLNK (st.st_mode))
        {
          char *buf = __alloca (path_max); /* path_max 4k */
          size_t len;

          if (++num_links > __eloop_threshold ()) /* SYMLOOP_MAX 40 */
            {
              __set_errno (ELOOP);
              goto error;
            }

          n = __readlink (rpath, buf, path_max - 1);
          if (n < 0)
            goto error;
          buf[n] = '\0';

          if (!extra_buf)
            extra_buf = __alloca (path_max);

40 * 4k + 4k
consumes 164 KB of stack space
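The arithmetic in Comment #1 (40 * 4k + 4k), as an added example that is not part of the thread and is not glibc code: it measures how far the stack moves when a 4096-byte alloca() runs once per hop, next to a variant that reuses one heap buffer. The names approx_sp, span and both stack_growth_* functions are hypothetical; PATH_BUF and MAX_HOPS take the values quoted in the report.

```c
/* Added example, not glibc code; helper names are hypothetical. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define PATH_BUF 4096 /* path_max value quoted in the report */
#define MAX_HOPS 40   /* SYMLOOP_MAX value quoted in the report */

/* Approximate the caller's stack pointer with the address of a local in a
   non-inlined callee; the volatile store keeps calls from being merged. */
__attribute__((noinline)) static uintptr_t approx_sp(void)
{
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

static size_t span(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }
/* Pattern from the report: a fresh alloca() on every symlink hop. alloca
   memory is released only when the function returns, so it accumulates. */
size_t stack_growth_alloca_per_hop(int hops)
{
    uintptr_t before = approx_sp();
    for (int i = 0; i < hops; i++) {
        volatile char *buf = alloca(PATH_BUF);
        buf[0] = (char)i;            /* touch both ends of the buffer */
        buf[PATH_BUF - 1] = (char)i;
    }
    return span(before, approx_sp());
}

/* Bounded alternative: one heap buffer reused for every hop. */
size_t stack_growth_reused_heap_buffer(int hops)
{
    uintptr_t before = approx_sp();
    volatile char *buf = malloc(PATH_BUF);
    if (buf == NULL)
        return (size_t)-1;
    for (int i = 0; i < hops; i++)
        buf[0] = (char)i;
    size_t grown = span(before, approx_sp());
    free((void *)buf);
    return grown;
}

int main(void)
{   /* 40 link buffers plus extra_buf, as counted in the report */
    printf("alloca per hop: %zu\n", stack_growth_alloca_per_hop(MAX_HOPS + 1));
    printf("reused buffer : %zu\n", stack_growth_reused_heap_buffer(MAX_HOPS + 1));
    return 0;
}
```

The first figure is at least 41 * 4096 bytes, which already exceeds the 160 KB limit set by `ulimit -s 160` in the reproducer; the second stays near zero regardless of hop count.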
* [Bug libc/26341] realpath cyclically call __alloca(path_max) to consume too much stack space
From: nixiaoming at huawei dot com @ 2020-08-06 14:26 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26341
--- Comment #2 from nixiaoming <nixiaoming at huawei dot com> ---
Created attachment 12751
--> https://sourceware.org/bugzilla/attachment.cgi?id=12751&action=edit
replace __alloca with malloc to reduce stack overflow risks
* [Bug libc/26341] realpath cyclically call __alloca(path_max) to consume too much stack space
From: adhemerval.zanella at linaro dot org @ 2021-01-05 16:36 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26341
Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:
           What    |Removed                         |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org|adhemerval.zanella at linaro dot org
                 CC|                                |adhemerval.zanella at linaro dot org
         Resolution|---                             |FIXED
   Target Milestone|---                             |2.33
             Status|UNCONFIRMED                     |RESOLVED
--- Comment #3 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
Fixed on 2.33.