From patchwork Fri Jan 29 13:53:19 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adhemerval Zanella <adhemerval.zanella@linaro.org>
X-Patchwork-Id: 60793
Delivered-To: patch@linaro.org
Received: by 10.112.130.2 with SMTP id oa2csp1130679lbb;
 Fri, 29 Jan 2016 05:53:41 -0800 (PST)
X-Received: by 10.66.102.8 with SMTP id fk8mr13571548pab.24.1454075621673;
 Fri, 29 Jan 2016 05:53:41 -0800 (PST)
Return-Path: <libc-alpha-return-66803-patch=linaro.org@sourceware.org>
Received: from sourceware.org (server1.sourceware.org. [209.132.180.131])
 by mx.google.com with ESMTPS id
 v16si948229pfa.129.2016.01.29.05.53.41 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 29 Jan 2016 05:53:41 -0800 (PST)
Received-SPF: pass (google.com: domain of
 libc-alpha-return-66803-patch=linaro.org@sourceware.org
 designates 209.132.180.131 as permitted sender)
 client-ip=209.132.180.131; 
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 libc-alpha-return-66803-patch=linaro.org@sourceware.org
 designates 209.132.180.131 as permitted sender)
 smtp.mailfrom=libc-alpha-return-66803-patch=linaro.org@sourceware.org;
 dkim=pass header.i=@sourceware.org
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
 :list-unsubscribe:list-subscribe:list-archive:list-post
 :list-help:sender:from:to:subject:date:message-id; q=dns; s=
 default; b=FIAHTDTu2MKH0C/f/qwVV1eHFVkeJh0Lw4ZMtp3PFQc2LGv9EPlKI
 snumP7JD1W5Xbj9SreJxs0PCPmldx7RO/xiCZncnG8O7MEWwsZJ1MxOHgZ9YlWjK
 w1WF4IqAVQ7Slhmzga+TpjrNbUnVmlfJvAnJEdld0GqsOmrdHWTpKk=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
 :list-unsubscribe:list-subscribe:list-archive:list-post
 :list-help:sender:from:to:subject:date:message-id; s=default;
 bh=qD2/xQ20Trew42MLjUmB0DH3etE=; b=gCCKsK7cblrxBP6QGGQ7T98qAu4d
 Vbv0wMBfgdDenlFsEp1zeamdKQSxfb50ON73YLH+xmml4oZrmMlDmUK3EWZbOGj4
 XD/th78Mw3F0DxQinoH5Kf2tPSPkHpPZQ8YSux+K8ND3JxSDxYD6aCXiKjt8+OO1
 LqgBoYisCk5G2Z8=
Received: (qmail 78208 invoked by alias); 29 Jan 2016 13:53:32 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-patch=linaro.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
 <http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 78176 invoked by uid 89); 29 Jan 2016 13:53:31 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=BAYES_00,
 RCVD_IN_DNSWL_LOW,
 SPF_PASS autolearn=ham version=3.3.2 spammy=17, 8, 2627,
 va_list, 2945
X-HELO: mail-yk0-f175.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:subject:date:message-id;
 bh=A1nG9vJz93ch1PiYbP+CPf5Rbf22Q+faw2n75PByumQ=;
 b=P5NvQnFcPZTenuI2/Pdrm7yuIcn0cCSi943ZMrh9N5lFTiRVkN0TJBvUTtHCSBPscR
 FXHR8/fWhIBZWnL+WH60PKOsUDKFqKGnTltKa7ZihKS4k8xuZeRQUrF1QzEIJ9mwJlKU
 8e4Bm9Z0aeQTrcwGe0enyePVA/puGRHhavElW40WRlKBZqUq7mtrP1amlzrY0r2w5g8n
 9bf4IS1bdIFBiFLvaH/fcw/1ldVjYRxFPSLE/SZ7dV+tFS7//LmI26WPua2kohDtZqHS
 hiDJWkTSEisYoZCrpJ90Xi1OYVODg/jcGAtkl1NoEVcnZgpmiysPDpsIxY2Y9o/wfK/Q
 zfGg==
X-Gm-Message-State: AG10YORvBl7snrzJ+WmjBxesbf7PKcNAWzkIep0Uo9oxHlpmnnSHj0cGDk/axpkq4KHZOFNT
X-Received: by 10.129.57.135 with SMTP id g129mr4349785ywa.244.1454075607384; 
 Fri, 29 Jan 2016 05:53:27 -0800 (PST)
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Subject: [PATCH] posix: Remove dynamic memory allocation from execl{e,p}
Date: Fri, 29 Jan 2016 11:53:19 -0200
Message-Id: <1454075599-2304-1-git-send-email-adhemerval.zanella@linaro.org>

GLIBC execl{e,p} implementation might use malloc if the total number of
arguments exceeds initial assumption size (1024).  This might lead to
issues in two situations:

1. execl/execle is stated to be async-signal-safe by POSIX [1].  However
   if it is used in a signal handler with a large argument set (that
   may call malloc internally) and the resulting call fails, it might
   lead malloc in the program in a bad state.

2. If the functions are used in a vfork/clone(VFORK) situation it also
   might break internal malloc state from parent.

This patch fixes it by using stack allocation instead.  It fixes
BZ#19534.

One caveat is current stack allocation allocation limit the patch is using
is based on previous posix_spawn{p}/execvpe comments to use internal
__MAX_ALLOCA_CUTOFF definition.  It is an arbitrary value that limits
total argument handlings to 8192 for 32-bits and 4096 for 64-bits.
I think it would be better to increase this value for higher threshold,
either by increasing the __MAX_ALLOCA_CUTOFF value or using a different
strategy to limit stack allocation on exec functions.

Tested on x86_64.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html

	[BZ #19534]
	* posix/execl.c (execl): Remove dynamic memory allocation.
	* posix/execle.c (execle): Likewise.
	* posix/execlp.c (execlp): Likewise.
---
 ChangeLog      |  5 +++++
 posix/execl.c  | 70 ++++++++++++++++++++-------------------------------------
 posix/execle.c | 71 +++++++++++++++++++++-------------------------------------
 posix/execlp.c | 69 ++++++++++++++++++++------------------------------------
 4 files changed, 78 insertions(+), 137 deletions(-)

-- 
1.9.1

diff --git a/posix/execl.c b/posix/execl.c
index 102d19d..26c28e1 100644
--- a/posix/execl.c
+++ b/posix/execl.c
@@ -16,58 +16,36 @@
    <http://www.gnu.org/licenses/>.  */
 
 #include <unistd.h>
+#include <errno.h>
 #include <stdarg.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <stackinfo.h>
-
+#include <sys/param.h>
 
 /* Execute PATH with all arguments after PATH until
    a NULL pointer and environment from `environ'.  */
 int
 execl (const char *path, const char *arg, ...)
 {
-#define INITIAL_ARGV_MAX 1024
-  size_t argv_max = INITIAL_ARGV_MAX;
-  const char *initial_argv[INITIAL_ARGV_MAX];
-  const char **argv = initial_argv;
-  va_list args;
-
-  argv[0] = arg;
-
-  va_start (args, arg);
-  unsigned int i = 0;
-  while (argv[i++] != NULL)
-    {
-      if (i == argv_max)
-	{
-	  argv_max *= 2;
-	  const char **nptr = realloc (argv == initial_argv ? NULL : argv,
-				       argv_max * sizeof (const char *));
-	  if (nptr == NULL)
-	    {
-	      if (argv != initial_argv)
-		free (argv);
-	      va_end (args);
-	      return -1;
-	    }
-	  if (argv == initial_argv)
-	    /* We have to copy the already filled-in data ourselves.  */
-	    memcpy (nptr, argv, i * sizeof (const char *));
-
-	  argv = nptr;
-	}
-
-      argv[i] = va_arg (args, const char *);
-    }
-  va_end (args);
-
-  int ret = __execve (path, (char *const *) argv, __environ);
-  if (argv != initial_argv)
-    free (argv);
-
-  return ret;
+  int argc;
+  int limit = MIN (NCARGS, __MAX_ALLOCA_CUTOFF / sizeof (char *));
+  va_list ap;
+  va_start (ap, arg);
+  for (argc = 1; va_arg (ap, const char *); argc++)
+    if (argc+1 >= limit)
+      {
+	errno = E2BIG;
+	return -1;
+      }
+  va_end (ap);
+
+  int i;
+  char *argv[argc+1];
+  va_start (ap, arg);
+  argv[0] = (char*) arg;
+  for (i = 1; i < argc; i++)
+     argv[i] = va_arg (ap, char *);
+  argv[i] = NULL;
+  va_end (ap);
+
+  return __execve (path, argv, __environ);
 }
 libc_hidden_def (execl)
diff --git a/posix/execle.c b/posix/execle.c
index 8edc03a..79c13e3 100644
--- a/posix/execle.c
+++ b/posix/execle.c
@@ -17,57 +17,36 @@
 
 #include <unistd.h>
 #include <stdarg.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <stackinfo.h>
+#include <errno.h>
+#include <sys/param.h>
 
 /* Execute PATH with all arguments after PATH until a NULL pointer,
    and the argument after that for environment.  */
 int
 execle (const char *path, const char *arg, ...)
 {
-#define INITIAL_ARGV_MAX 1024
-  size_t argv_max = INITIAL_ARGV_MAX;
-  const char *initial_argv[INITIAL_ARGV_MAX];
-  const char **argv = initial_argv;
-  va_list args;
-  argv[0] = arg;
-
-  va_start (args, arg);
-  unsigned int i = 0;
-  while (argv[i++] != NULL)
-    {
-      if (i == argv_max)
-	{
-	  argv_max *= 2;
-	  const char **nptr = realloc (argv == initial_argv ? NULL : argv,
-				       argv_max * sizeof (const char *));
-	  if (nptr == NULL)
-	    {
-	      if (argv != initial_argv)
-		free (argv);
-	      va_end (args);
-	      return -1;
-	    }
-	  if (argv == initial_argv)
-	    /* We have to copy the already filled-in data ourselves.  */
-	    memcpy (nptr, argv, i * sizeof (const char *));
-
-	  argv = nptr;
-	}
-
-      argv[i] = va_arg (args, const char *);
-    }
-
-  const char *const *envp = va_arg (args, const char *const *);
-  va_end (args);
-
-  int ret = __execve (path, (char *const *) argv, (char *const *) envp);
-  if (argv != initial_argv)
-    free (argv);
-
-  return ret;
+  int argc;
+  int limit = MIN (NCARGS, __MAX_ALLOCA_CUTOFF / sizeof (char *));
+  va_list ap;
+  va_start (ap, arg);
+  for (argc = 1; va_arg (ap, const char *); argc++)
+    if (argc+1 >= limit)
+      {
+	errno = E2BIG;
+	return -1;
+      }
+  va_end (ap);
+
+  int i;
+  char *argv[argc+1];
+  char **envp;
+  va_start (ap, arg);
+  argv[0] = (char*) arg;
+  for (i = 1; i < argc; i++)
+     argv[i] = va_arg (ap, char *);
+  envp = va_arg (ap, char **);
+  va_end (ap);
+
+  return __execve (path, argv, envp);
 }
 libc_hidden_def (execle)
diff --git a/posix/execlp.c b/posix/execlp.c
index 6700994..a4b603c 100644
--- a/posix/execlp.c
+++ b/posix/execlp.c
@@ -17,11 +17,8 @@
 
 #include <unistd.h>
 #include <stdarg.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <stackinfo.h>
+#include <errno.h>
+#include <sys/param.h>
 
 /* Execute FILE, searching in the `PATH' environment variable if
    it contains no slashes, with all arguments after FILE until a
@@ -29,45 +26,27 @@
 int
 execlp (const char *file, const char *arg, ...)
 {
-#define INITIAL_ARGV_MAX 1024
-  size_t argv_max = INITIAL_ARGV_MAX;
-  const char *initial_argv[INITIAL_ARGV_MAX];
-  const char **argv = initial_argv;
-  va_list args;
-
-  argv[0] = arg;
-
-  va_start (args, arg);
-  unsigned int i = 0;
-  while (argv[i++] != NULL)
-    {
-      if (i == argv_max)
-	{
-	  argv_max *= 2;
-	  const char **nptr = realloc (argv == initial_argv ? NULL : argv,
-				       argv_max * sizeof (const char *));
-	  if (nptr == NULL)
-	    {
-	      if (argv != initial_argv)
-		free (argv);
-	      va_end (args);
-	      return -1;
-	    }
-	  if (argv == initial_argv)
-	    /* We have to copy the already filled-in data ourselves.  */
-	    memcpy (nptr, argv, i * sizeof (const char *));
-
-	  argv = nptr;
-	}
-
-      argv[i] = va_arg (args, const char *);
-    }
-  va_end (args);
-
-  int ret = execvp (file, (char *const *) argv);
-  if (argv != initial_argv)
-    free (argv);
-
-  return ret;
+  int argc;
+  int limit = MIN (NCARGS, __MAX_ALLOCA_CUTOFF / sizeof (char *));
+  va_list ap;
+  va_start (ap, arg);
+  for (argc = 1; va_arg (ap, const char *); argc++)
+    if (argc+1 >= limit)
+      {
+	errno = E2BIG;
+	return -1;
+      }
+  va_end (ap);
+
+  int i;
+  char *argv[argc+1];
+  va_start (ap, arg);
+  argv[0] = (char*) arg;
+  for (i = 1; i < argc; i++)
+     argv[i] = va_arg (ap, char *);
+  argv[i] = NULL;
+  va_end (ap);
+
+  return __execvpe (file, argv, __environ);
 }
 libc_hidden_def (execlp)