Source-Changes-HG archive
[src/trunk]: src/usr.bin/make/unit-tests tests/make: document and try to repr...
details: https://anonhg.NetBSD.org/src/rev/1bd89370189f
branches: trunk
changeset: 359979:1bd89370189f
user: rillig <rillig%NetBSD.org@localhost>
date: Sat Feb 05 10:41:15 2022 +0000
description:
tests/make: document and try to reproduce the crash in Parse_IsVar
Fixed in parse.c 1.662 from today. To actually crash make, the end of
the expanded dependency line must be at the end of a mapped region.
There is no guaranteed crash, as this depends on the memory allocator.
NetBSD's jemalloc allocates large contiguous regions, making it less
likely for an allocation to end up at the end of a mapped region. The
memory allocators used by FreeBSD and OpenBSD are better at detecting
such bugs.
diffstat:
usr.bin/make/unit-tests/var-scope-local.mk | 31 +++++++++++++++++++++++++++++-
1 files changed, 30 insertions(+), 1 deletions(-)
diffs (42 lines):
diff -r 11530c0d9f88 -r 1bd89370189f usr.bin/make/unit-tests/var-scope-local.mk
--- a/usr.bin/make/unit-tests/var-scope-local.mk Sat Feb 05 00:37:19 2022 +0000
+++ b/usr.bin/make/unit-tests/var-scope-local.mk Sat Feb 05 10:41:15 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: var-scope-local.mk,v 1.3 2022/01/29 00:52:53 rillig Exp $
+# $NetBSD: var-scope-local.mk,v 1.4 2022/02/05 10:41:15 rillig Exp $
#
# Tests for target-local variables, such as ${.TARGET} or $@. These variables
# are relatively short-lived as they are created just before making the
@@ -198,3 +198,32 @@
all: var-scope-local-use.o
var-scope-local-use.o: a_use
+
+
+# Since parse.c 1.656 from 2022-01-27 and before parse.c 1.662 from
+# 2022-02-05, there was an out-of-bounds read in Parse_IsVar when looking for
+# a variable assignment in a dependency line with trailing whitespace. Lines
+# without trailing whitespace were not affected. Global variable assignments
+# were guaranteed to have no trailing whitespace and were thus not affected.
+#
+# Try to reproduce some variants that may lead to a crash, depending on the
+# memory allocator. To get a crash, the terminating '\0' of the line must be
+# the last byte of a memory page. The expression '${:U}' forces this trailing
+# whitespace.
+
+# On FreeBSD x86_64, a crash could in some cases be forced using the following
+# line, which has length 47, so the terminating '\0' may end up at an address
+# of the form 0xXXXX_XXXX_XXXX_Xfff:
+Try_to_crash_FreeBSD.xxxxxxxxxxxxxxxxxx: 12345 ${:U}
+
+# The following line has length 4095, so line[4095] == '\0'. If the line is
+# allocated on a page boundary and the following page is not mapped, this line
+# leads to a segmentation fault.
+${:U:range=511:@_@1234567@:ts.}: 12345 ${:U}
+
+# The following line has length 8191, so line[8191] == '\0'. If the line is
+# allocated on a page boundary and the following page is not mapped, this line
+# leads to a segmentation fault.
+${:U:range=1023:@_@1234567@:ts.}: 12345 ${:U}
+
+12345: