ping // [PATCH] io:nftw/ftw:fix stack overflow when large nopenfd [BZ #26353]
Xiaoming Ni
nixiaoming@huawei.com
Thu Aug 13 03:26:52 GMT 2020
ping
On 2020/8/8 16:46, Xiaoming Ni wrote:
> In ftw_startup(), call alloca to apply for a large amount of stack space.
> When descriptors is very large, stack overflow is triggered. BZ #26353
>
> To fix the problem:
> 1. Set the upper limit of descriptors to getdtablesize().
> 2. Replace alloca() in ftw_startup() with malloc().
> ---
> io/Makefile | 3 ++-
> io/ftw.c | 19 +++++++++++++++++--
> io/tst-bz26353.c | 20 ++++++++++++++++++++
> 3 files changed, 39 insertions(+), 3 deletions(-)
> create mode 100644 io/tst-bz26353.c
>
> diff --git a/io/Makefile b/io/Makefile
> index cf380f3516..0f674c317f 100644
> --- a/io/Makefile
> +++ b/io/Makefile
> @@ -74,7 +74,8 @@ tests := test-utime test-stat test-stat2 test-lfs tst-getcwd \
> tst-posix_fallocate tst-posix_fallocate64 \
> tst-fts tst-fts-lfs tst-open-tmpfile \
> tst-copy_file_range tst-getcwd-abspath tst-lockf \
> - tst-ftw-lnk tst-file_change_detection tst-lchmod
> + tst-ftw-lnk tst-file_change_detection tst-lchmod \
> + tst-bz26353
>
> # Likewise for statx, but we do not need static linking here.
> tests-internal += tst-statx
> diff --git a/io/ftw.c b/io/ftw.c
> index 8c79d29a9e..094aada50c 100644
> --- a/io/ftw.c
> +++ b/io/ftw.c
> @@ -643,18 +643,32 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
> __set_errno (ENOENT);
> return -1;
> }
> + if (descriptors > getdtablesize())
> + {
> + __set_errno (EINVAL);
> + return -1;
> + }
>
> data.maxdir = descriptors < 1 ? 1 : descriptors;
> data.actdir = 0;
> - data.dirstreams = (struct dir_data **) alloca (data.maxdir
> + data.dirstreams = (struct dir_data **) malloc (data.maxdir
> * sizeof (struct dir_data *));
> + if (data.dirstreams == NULL)
> + {
> + __set_errno (ENOMEM);
> + return -1;
> + }
> memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
>
> /* PATH_MAX is always defined when we get here. */
> data.dirbufsize = MAX (2 * strlen (dir), PATH_MAX);
> data.dirbuf = (char *) malloc (data.dirbufsize);
> if (data.dirbuf == NULL)
> - return -1;
> + {
> + free (data.dirstreams);
> + __set_errno (ENOMEM);
> + return -1;
> + }
> cp = __stpcpy (data.dirbuf, dir);
> /* Strip trailing slashes. */
> while (cp > data.dirbuf + 1 && cp[-1] == '/')
> @@ -805,6 +819,7 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
> __tdestroy (data.known_objects, free);
> free (data.dirbuf);
> __set_errno (save_err);
> + free (data.dirstreams);
>
> return result;
> }
> diff --git a/io/tst-bz26353.c b/io/tst-bz26353.c
> new file mode 100644
> index 0000000000..4ab3d4b61f
> --- /dev/null
> +++ b/io/tst-bz26353.c
> @@ -0,0 +1,20 @@
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <unistd.h>
> +#include <ftw.h>
> +#include <sys/stat.h>
> +
> +int my_func(const char *file , const struct stat *sb ,int flag)
> +{
> + printf("%s\n", file);
> + return 0;
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + mkdir("./tst-bz26353", 0755);
> + /*Check whether stack overflow occurs*/
> + ftw("./tst-bz26353", my_func, 8192*1024);
> + rmdir("./tst-bz26353");
> + return 0;
> +}
>
More information about the Libc-alpha
mailing list