* Re: [devel] [SCM] packages/bash3: heads/p9 @ 2020-11-02 22:18 ` Dmitry V. Levin 2020-11-03 1:32 ` Alexey Appolonov 0 siblings, 1 reply; 6+ messages in thread From: Dmitry V. Levin @ 2020-11-02 22:18 UTC (permalink / raw) To: Alexey Appolonov; +Cc: ALT Devel discussion list On Fri, Oct 30, 2020 at 09:35:43PM +0000, Alexey Appolonov wrote: > Update of /people/alexey/packages/bash3.git [...] > commit 0db3057724a11b6e9f3bdca6a831370443aaa06e > Author: Alexey Appolonov <alexey@altlinux.org> > Date: Tue Oct 27 14:36:56 2020 +0300 > > Preventing a segmentation fault in '_evalfile' func of 'evalfile.c' > > Index 'result' can be -1; The index is checked from the top also > (just in case). Prevent a potential segmentation fault ... > commit 6c6399d5a7cb51ae53c196f0bfdfd92e43711544 > Author: Alexey Appolonov <alexey@altlinux.org> > Date: Tue Oct 27 13:53:08 2020 +0300 > > Preventing a segmentation fault in 'make_redirection' func of 'make_cmd.c' > > Index 'wlen' is -1 if a length of 'w->word' C-string is 0. Likewise. [...] > diff --git a/bash/builtins/evalfile.c b/bash/builtins/evalfile.c > index d05bc7b..9eec1a5 100644 > --- a/bash/builtins/evalfile.c > +++ b/bash/builtins/evalfile.c > @@ -149,7 +149,8 @@ file_error_and_exit: > > string = (char *)xmalloc (1 + file_size); > result = read (fd, string, file_size); > - string[result] = '\0'; > + if (result >= 0 && result <= file_size) > + string[result] = '\0'; > > return_val = errno; > close (fd); Adding a check for result <= file_size? Really? Do you suppose that read (fd, string, file_size) is ever capable of returning a value greater than file_size? > diff --git a/bash/make_cmd.c b/bash/make_cmd.c > index c819b27..bb33da2 100644 > --- a/bash/make_cmd.c > +++ b/bash/make_cmd.c > @@ -731,7 +731,12 @@ make_redirection (source, instruction, dest_and_filename) > case r_duplicating_output_word: /* 1>&$foo */ > w = dest_and_filename.filename; > wlen = strlen (w->word) - 1; > - if (w->word[wlen] == '-') /* Yuck */ > + if (wlen < 0) > + { > + programming_error (_("make_redirection: redirection instruction `%d' for an empty file name"), instruction); > + abort (); > + } > + else if (w->word[wlen] == '-') /* Yuck */ > { > w->word[wlen] = '\0'; > if (all_digits (w->word) && legal_number (w->word, &lfd) && lfd == (int)lfd) A programming error? Is it ever possible to reach the code added by this hunk? > @@ -743,7 +748,6 @@ make_redirection (source, instruction, dest_and_filename) > else > temp->instruction = (instruction == r_duplicating_input_word) ? r_move_input_word : r_move_output_word; > } > - > break; > > default: Do you really need to change spacings in bash3? -- ldv ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [devel] [SCM] packages/bash3: heads/p9 2020-11-02 22:18 ` [devel] [SCM] packages/bash3: heads/p9 Dmitry V. Levin @ 2020-11-03 1:32 ` Alexey Appolonov 2020-11-03 12:11 ` Dmitry V. Levin 0 siblings, 1 reply; 6+ messages in thread From: Alexey Appolonov @ 2020-11-03 1:32 UTC (permalink / raw) To: Дмитрий Левин Cc: devel 03.11.2020 01:18, Dmitry V. Levin пишет: > On Fri, Oct 30, 2020 at 09:35:43PM +0000, Alexey Appolonov wrote: >> Update of /people/alexey/packages/bash3.git > [...] >> commit 0db3057724a11b6e9f3bdca6a831370443aaa06e >> Author: Alexey Appolonov <alexey@altlinux.org> >> Date: Tue Oct 27 14:36:56 2020 +0300 >> >> Preventing a segmentation fault in '_evalfile' func of 'evalfile.c' >> >> Index 'result' can be -1; The index is checked from the top also >> (just in case). > Prevent a potential segmentation fault ... > >> commit 6c6399d5a7cb51ae53c196f0bfdfd92e43711544 >> Author: Alexey Appolonov <alexey@altlinux.org> >> Date: Tue Oct 27 13:53:08 2020 +0300 >> >> Preventing a segmentation fault in 'make_redirection' func of 'make_cmd.c' >> >> Index 'wlen' is -1 if a length of 'w->word' C-string is 0. > Likewise. > > [...] >> diff --git a/bash/builtins/evalfile.c b/bash/builtins/evalfile.c >> index d05bc7b..9eec1a5 100644 >> --- a/bash/builtins/evalfile.c >> +++ b/bash/builtins/evalfile.c >> @@ -149,7 +149,8 @@ file_error_and_exit: >> >> string = (char *)xmalloc (1 + file_size); >> result = read (fd, string, file_size); >> - string[result] = '\0'; >> + if (result >= 0 && result <= file_size) >> + string[result] = '\0'; >> >> return_val = errno; >> close (fd); > Adding a check for result <= file_size? Really? Do you suppose that > read (fd, string, file_size) is ever capable of returning a value > greater than file_size? I just think that the comfort of having such checks outweighs the negligible computational costs that they bring. >> diff --git a/bash/make_cmd.c b/bash/make_cmd.c >> index c819b27..bb33da2 100644 >> --- a/bash/make_cmd.c >> +++ b/bash/make_cmd.c >> @@ -731,7 +731,12 @@ make_redirection (source, instruction, dest_and_filename) >> case r_duplicating_output_word: /* 1>&$foo */ >> w = dest_and_filename.filename; >> wlen = strlen (w->word) - 1; >> - if (w->word[wlen] == '-') /* Yuck */ >> + if (wlen < 0) >> + { >> + programming_error (_("make_redirection: redirection instruction `%d' for an empty file name"), instruction); >> + abort (); >> + } >> + else if (w->word[wlen] == '-') /* Yuck */ >> { >> w->word[wlen] = '\0'; >> if (all_digits (w->word) && legal_number (w->word, &lfd) && lfd == (int)lfd) > A programming error? Is it ever possible to reach the code added by this hunk? It is if "strlen (w->word)" equals 0. The "programming_error" function is used to handle another unlikely scenario (see just below in the code). >> @@ -743,7 +748,6 @@ make_redirection (source, instruction, dest_and_filename) >> else >> temp->instruction = (instruction == r_duplicating_input_word) ? r_move_input_word : r_move_output_word; >> } >> - >> break; >> >> default: > Do you really need to change spacings in bash3? I find it quite distracting in this particular case. And it didn't match the code style anyway. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [devel] [SCM] packages/bash3: heads/p9 2020-11-03 1:32 ` Alexey Appolonov @ 2020-11-03 12:11 ` Dmitry V. Levin 2020-11-03 13:47 ` Ivan A. Melnikov 2020-11-03 14:34 ` Alexey Appolonov 0 siblings, 2 replies; 6+ messages in thread From: Dmitry V. Levin @ 2020-11-03 12:11 UTC (permalink / raw) To: Alexey Appolonov; +Cc: devel On Tue, Nov 03, 2020 at 04:32:08AM +0300, Alexey Appolonov wrote: > 03.11.2020 01:18, Dmitry V. Levin пишет: > > On Fri, Oct 30, 2020 at 09:35:43PM +0000, Alexey Appolonov wrote: > >> Update of /people/alexey/packages/bash3.git > > [...] > >> commit 0db3057724a11b6e9f3bdca6a831370443aaa06e > >> Author: Alexey Appolonov <alexey@altlinux.org> > >> Date: Tue Oct 27 14:36:56 2020 +0300 > >> > >> Preventing a segmentation fault in '_evalfile' func of 'evalfile.c' > >> > >> Index 'result' can be -1; The index is checked from the top also > >> (just in case). > > Prevent a potential segmentation fault ... > > > >> commit 6c6399d5a7cb51ae53c196f0bfdfd92e43711544 > >> Author: Alexey Appolonov <alexey@altlinux.org> > >> Date: Tue Oct 27 13:53:08 2020 +0300 > >> > >> Preventing a segmentation fault in 'make_redirection' func of 'make_cmd.c' > >> > >> Index 'wlen' is -1 if a length of 'w->word' C-string is 0. > > Likewise. > > > > [...] > >> diff --git a/bash/builtins/evalfile.c b/bash/builtins/evalfile.c > >> index d05bc7b..9eec1a5 100644 > >> --- a/bash/builtins/evalfile.c > >> +++ b/bash/builtins/evalfile.c > >> @@ -149,7 +149,8 @@ file_error_and_exit: > >> > >> string = (char *)xmalloc (1 + file_size); > >> result = read (fd, string, file_size); > >> - string[result] = '\0'; > >> + if (result >= 0 && result <= file_size) > >> + string[result] = '\0'; > >> > >> return_val = errno; > >> close (fd); > > Adding a check for result <= file_size? Really? Do you suppose that > > read (fd, string, file_size) is ever capable of returning a value > > greater than file_size? > > I just think that the comfort of having such checks outweighs > the negligible computational costs that they bring. If read(2) could write more bytes than requested, then the buffer would be overwritten before the check you're suggesting to add. The cost of proposing such checks is way too high: they make people doubt whether other proposed changes worth reviewing. > >> diff --git a/bash/make_cmd.c b/bash/make_cmd.c > >> index c819b27..bb33da2 100644 > >> --- a/bash/make_cmd.c > >> +++ b/bash/make_cmd.c > >> @@ -731,7 +731,12 @@ make_redirection (source, instruction, dest_and_filename) > >> case r_duplicating_output_word: /* 1>&$foo */ > >> w = dest_and_filename.filename; > >> wlen = strlen (w->word) - 1; > >> - if (w->word[wlen] == '-') /* Yuck */ > >> + if (wlen < 0) > >> + { > >> + programming_error (_("make_redirection: redirection instruction `%d' for an empty file name"), instruction); > >> + abort (); > >> + } > >> + else if (w->word[wlen] == '-') /* Yuck */ > >> { > >> w->word[wlen] = '\0'; > >> if (all_digits (w->word) && legal_number (w->word, &lfd) && lfd == (int)lfd) > > A programming error? Is it ever possible to reach the code added by this hunk? > > It is if "strlen (w->word)" equals 0. Is it theoretically possible that "strlen (w->word) equals 0"? In other words, is the proposed code reachable, or are you adding this just to pacify the unnamed static code analysis tool? > The "programming_error" function is used to handle another unlikely scenario > (see just below in the code). > > >> @@ -743,7 +748,6 @@ make_redirection (source, instruction, dest_and_filename) > >> else > >> temp->instruction = (instruction == r_duplicating_input_word) ? r_move_input_word : r_move_output_word; > >> } > >> - > >> break; > >> > >> default: > > Do you really need to change spacings in bash3? > > I find it quite distracting in this particular case. And it didn't match > the code style anyway. Please avoid mixing unrelated changes. -- ldv ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [devel] [SCM] packages/bash3: heads/p9 2020-11-03 12:11 ` Dmitry V. Levin @ 2020-11-03 13:47 ` Ivan A. Melnikov 2020-11-03 22:01 ` Dmitry V. Levin 2020-11-03 14:34 ` Alexey Appolonov 1 sibling, 1 reply; 6+ messages in thread From: Ivan A. Melnikov @ 2020-11-03 13:47 UTC (permalink / raw) To: ALT Linux Team development discussions; +Cc: Alexey Appolonov On Tue, Nov 03, 2020 at 03:11:05PM +0300, Dmitry V. Levin wrote: > On Tue, Nov 03, 2020 at 04:32:08AM +0300, Alexey Appolonov wrote: > > 03.11.2020 01:18, Dmitry V. Levin пишет: > > > On Fri, Oct 30, 2020 at 09:35:43PM +0000, Alexey Appolonov wrote: > > >> Update of /people/alexey/packages/bash3.git > > > [...] > > >> commit 0db3057724a11b6e9f3bdca6a831370443aaa06e > > >> Author: Alexey Appolonov <alexey@altlinux.org> > > >> Date: Tue Oct 27 14:36:56 2020 +0300 > > >> > > >> Preventing a segmentation fault in '_evalfile' func of 'evalfile.c' > > >> > > >> Index 'result' can be -1; The index is checked from the top also > > >> (just in case). > > > Prevent a potential segmentation fault ... > > > > > >> commit 6c6399d5a7cb51ae53c196f0bfdfd92e43711544 > > >> Author: Alexey Appolonov <alexey@altlinux.org> > > >> Date: Tue Oct 27 13:53:08 2020 +0300 > > >> > > >> Preventing a segmentation fault in 'make_redirection' func of 'make_cmd.c' > > >> > > >> Index 'wlen' is -1 if a length of 'w->word' C-string is 0. > > > Likewise. > > > > > > [...] > > >> diff --git a/bash/builtins/evalfile.c b/bash/builtins/evalfile.c > > >> index d05bc7b..9eec1a5 100644 > > >> --- a/bash/builtins/evalfile.c > > >> +++ b/bash/builtins/evalfile.c > > >> @@ -149,7 +149,8 @@ file_error_and_exit: > > >> > > >> string = (char *)xmalloc (1 + file_size); > > >> result = read (fd, string, file_size); > > >> - string[result] = '\0'; > > >> + if (result >= 0 && result <= file_size) > > >> + string[result] = '\0'; > > >> > > >> return_val = errno; > > >> close (fd); > > > Adding a check for result <= file_size? Really? Do you suppose that > > > read (fd, string, file_size) is ever capable of returning a value > > > greater than file_size? > > > > I just think that the comfort of having such checks outweighs > > the negligible computational costs that they bring. > > If read(2) could write more bytes than requested, then the buffer > would be overwritten before the check you're suggesting to add. [...] IMO the interesting part here is not in read syscall semantics, but in the types involved. As far as I understand, result is int here, and read returs ssize_t. If sizeof(ssize_t) > sizeof(int) (e.g. on x86_64), given large enough input file and enough memory, read can read more than 2^31 bytes and overflow result variable; this may lead to such result value that (result <= file_size) will evaluate to false (file_size is size_t, so result will be promoted to usigned long before comparison). It seems to me that this is possible only when result is negative, so the first check (result >= 0) makes the second one unnecessary, but I would not dare to call this obvious. -- wbr, iv m. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [devel] [SCM] packages/bash3: heads/p9 2020-11-03 13:47 ` Ivan A. Melnikov @ 2020-11-03 22:01 ` Dmitry V. Levin 0 siblings, 0 replies; 6+ messages in thread From: Dmitry V. Levin @ 2020-11-03 22:01 UTC (permalink / raw) To: ALT Linux Team development discussions; +Cc: Ivan A. Melnikov, Alexey Appolonov On Tue, Nov 03, 2020 at 05:47:00PM +0400, Ivan A. Melnikov wrote: > On Tue, Nov 03, 2020 at 03:11:05PM +0300, Dmitry V. Levin wrote: > > On Tue, Nov 03, 2020 at 04:32:08AM +0300, Alexey Appolonov wrote: > > > 03.11.2020 01:18, Dmitry V. Levin пишет: > > > > On Fri, Oct 30, 2020 at 09:35:43PM +0000, Alexey Appolonov wrote: > > > >> Update of /people/alexey/packages/bash3.git > > > > [...] > > > >> commit 0db3057724a11b6e9f3bdca6a831370443aaa06e > > > >> Author: Alexey Appolonov <alexey@altlinux.org> > > > >> Date: Tue Oct 27 14:36:56 2020 +0300 > > > >> > > > >> Preventing a segmentation fault in '_evalfile' func of 'evalfile.c' > > > >> > > > >> Index 'result' can be -1; The index is checked from the top also > > > >> (just in case). > > > > Prevent a potential segmentation fault ... > > > > > > > >> commit 6c6399d5a7cb51ae53c196f0bfdfd92e43711544 > > > >> Author: Alexey Appolonov <alexey@altlinux.org> > > > >> Date: Tue Oct 27 13:53:08 2020 +0300 > > > >> > > > >> Preventing a segmentation fault in 'make_redirection' func of 'make_cmd.c' > > > >> > > > >> Index 'wlen' is -1 if a length of 'w->word' C-string is 0. > > > > Likewise. > > > > > > > > [...] > > > >> diff --git a/bash/builtins/evalfile.c b/bash/builtins/evalfile.c > > > >> index d05bc7b..9eec1a5 100644 > > > >> --- a/bash/builtins/evalfile.c > > > >> +++ b/bash/builtins/evalfile.c > > > >> @@ -149,7 +149,8 @@ file_error_and_exit: > > > >> > > > >> string = (char *)xmalloc (1 + file_size); > > > >> result = read (fd, string, file_size); > > > >> - string[result] = '\0'; > > > >> + if (result >= 0 && result <= file_size) > > > >> + string[result] = '\0'; > > > >> > > > >> return_val = errno; > > > >> close (fd); > > > > Adding a check for result <= file_size? Really? Do you suppose that > > > > read (fd, string, file_size) is ever capable of returning a value > > > > greater than file_size? > > > > > > I just think that the comfort of having such checks outweighs > > > the negligible computational costs that they bring. > > > > If read(2) could write more bytes than requested, then the buffer > > would be overwritten before the check you're suggesting to add. > [...] > > IMO the interesting part here is not in read syscall semantics, > but in the types involved. > > As far as I understand, result is int here, and read returs ssize_t. > If sizeof(ssize_t) > sizeof(int) (e.g. on x86_64), > given large enough input file and enough memory, read can > read more than 2^31 bytes and overflow result variable; this may lead > to such result value that (result <= file_size) will evaluate > to false (file_size is size_t, so result will be promoted to > usigned long before comparison). > > It seems to me that this is possible only when result is negative, > so the first check (result >= 0) makes the second one unnecessary, > but I would not dare to call this obvious. Yes, this is obvious: since the type of file_size is size_t, the condition "(int) file_size > file_size" can be true iff "(int) file_size < 0 && file_size < ~ (size_t) -1U" FWIW, the upstream fix in bash-4.0-rc1 was to introduce "ssize_t nr" and use it instead of "int result" with proper checking, see https://git.savannah.gnu.org/cgit/bash.git/diff/builtins/evalfile.c?id=3185942a5234e26ab13fa02f9c51d340cec514f8 -- ldv ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [devel] [SCM] packages/bash3: heads/p9 2020-11-03 12:11 ` Dmitry V. Levin 2020-11-03 13:47 ` Ivan A. Melnikov @ 2020-11-03 14:34 ` Alexey Appolonov 1 sibling, 0 replies; 6+ messages in thread From: Alexey Appolonov @ 2020-11-03 14:34 UTC (permalink / raw) To: Dmitry V. Levin, Ivan A. Melnikov; +Cc: devel 03.11.2020 15:11, Dmitry V. Levin пишет: >>>> diff --git a/bash/make_cmd.c b/bash/make_cmd.c >>>> index c819b27..bb33da2 100644 >>>> --- a/bash/make_cmd.c >>>> +++ b/bash/make_cmd.c >>>> @@ -731,7 +731,12 @@ make_redirection (source, instruction, dest_and_filename) >>>> case r_duplicating_output_word: /* 1>&$foo */ >>>> w = dest_and_filename.filename; >>>> wlen = strlen (w->word) - 1; >>>> - if (w->word[wlen] == '-') /* Yuck */ >>>> + if (wlen < 0) >>>> + { >>>> + programming_error (_("make_redirection: redirection instruction `%d' for an empty file name"), instruction); >>>> + abort (); >>>> + } >>>> + else if (w->word[wlen] == '-') /* Yuck */ >>>> { >>>> w->word[wlen] = '\0'; >>>> if (all_digits (w->word) && legal_number (w->word, &lfd) && lfd == (int)lfd) >>> A programming error? Is it ever possible to reach the code added by this hunk? >> It is if "strlen (w->word)" equals 0. > Is it theoretically possible that "strlen (w->word) equals 0"? In other > words, is the proposed code reachable, or are you adding this just to > pacify the unnamed static code analysis tool? It is possible to reach that code by calling the "make_redirection" function with a "dest_and_filename" parameter assigned to a REDIRECTEE var that has a "filename" field (of type WORD_DESC) that has a "word" field that is a pointer to a C-string "\0". I didn't investigate further than that. >> The "programming_error" function is used to handle another unlikely scenario >> (see just below in the code). >> >>>> @@ -743,7 +748,6 @@ make_redirection (source, instruction, dest_and_filename) >>>> else >>>> temp->instruction = (instruction == r_duplicating_input_word) ? r_move_input_word : r_move_output_word; >>>> } >>>> - >>>> break; >>>> >>>> default: >>> Do you really need to change spacings in bash3? >> I find it quite distracting in this particular case. And it didn't match >> the code style anyway. > Please avoid mixing unrelated changes. OK, will split them. 03.11.2020 16:47, Ivan A. Melnikov пишет: > On Tue, Nov 03, 2020 at 03:11:05PM +0300, Dmitry V. Levin wrote: >> If read(2) could write more bytes than requested, then the buffer >> would be overwritten before the check you're suggesting to add. > [...] > > IMO the interesting part here is not in read syscall semantics, > but in the types involved. > > As far as I understand, result is int here, and read returs ssize_t. > If sizeof(ssize_t) > sizeof(int) (e.g. on x86_64), > given large enough input file and enough memory, read can > read more than 2^31 bytes and overflow result variable; this may lead > to such result value that (result <= file_size) will evaluate > to false (file_size is size_t, so result will be promoted to > usigned long before comparison). > > It seems to me that this is possible only when result is negative, > so the first check (result >= 0) makes the second one unnecessary, > but I would not dare to call this obvious. Well, yeah, that's the type of thing I was thinking about. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-11-03 22:01 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-11-02 22:18 ` [devel] [SCM] packages/bash3: heads/p9 Dmitry V. Levin 2020-11-03 1:32 ` Alexey Appolonov 2020-11-03 12:11 ` Dmitry V. Levin 2020-11-03 13:47 ` Ivan A. Melnikov 2020-11-03 22:01 ` Dmitry V. Levin 2020-11-03 14:34 ` Alexey Appolonov
ALT Linux Team development discussions This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \ devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru public-inbox-index devel Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.devel AGPL code for this site: git clone https://public-inbox.org/public-inbox.git