From patchwork Thu Aug 6 14:32:09 2020
X-Patchwork-Submitter: Xiaoming Ni
X-Patchwork-Id: 1341746
From: Xiaoming Ni
Subject: [PATCH] stdlib: realpath use malloc replace __alloca to reduce stack overflow risks [BZ #26341]
Date: Thu, 6 Aug 2020 22:32:09 +0800
Message-ID: <20200806143209.4044-1-nixiaoming@huawei.com>
Cc: yukeji@huawei.com, wangle6@huawei.com, nixiaoming@huawei.com

Realpath() cyclically invokes __alloca() when processing soft link files, which may consume 164 KB stack space. Therefore, replace __alloca with malloc to reduce stack overflow risks

Signed-off-by: Xiaoming Ni
--- stdlib/canonicalize.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c index cbd885a3c5..d3130d81f0 100644 --- a/stdlib/canonicalize.c +++ b/stdlib/canonicalize.c
@@ -163,27 +163,46 @@ __realpath (const char *name, char *resolved) if (S_ISLNK (st.st_mode)) { - char *buf = __alloca (path_max); + char *buf = malloc (path_max); size_t len; + if (!buf) + { + __set_errno (ENOMEM); + goto error; + } + if (++num_links > __eloop_threshold ()) { __set_errno (ELOOP); + free(buf); goto error; } n = __readlink (rpath, buf, path_max - 1); if (n < 0) - goto error; + { + free(buf); + goto error; + } buf[n] = '\0'; if (!extra_buf) - extra_buf = __alloca (path_max); + { + extra_buf = malloc (path_max); + if (!extra_buf) + { + free(buf); + __set_errno (ENOMEM); + goto error; + } + } len = strlen (end); if (path_max - n <= len) { __set_errno (ENAMETOOLONG); + free(buf); goto error; } @@ -197,6 +216,7 @@ __realpath (const char *name, char *resolved) /* Back up to previous component, ignore if at root already: */ if (dest > rpath + 1) while ((--dest)[-1] != '/'); + free(buf); } else if (!S_ISDIR (st.st_mode) && *end != '\0') { @@ -210,12 +230,14 @@ __realpath (const char *name, char *resolved) *dest = '\0'; assert (resolved == NULL || resolved == rpath); + free(extra_buf); return rpath; error: assert (resolved == NULL || resolved == rpath); if (resolved == NULL) free (rpath); + free(extra_buf); return NULL; } libc_hidden_def (__realpath)
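
Review bot: in the first hunk (@@ -163,27 +163,46 @@) the cleanup branches disagree on ordering. The ELOOP and ENAMETOOLONG branches call `free(buf)` after `__set_errno`, and the `__readlink` failure branch calls `free(buf)` while errno still holds the readlink error, whereas the `extra_buf` failure branch frees first and sets ENOMEM afterwards. Use the free-then-set order everywhere (saving and restoring errno around the free in the `n < 0` branch) so the value the caller sees does not depend on `free` leaving errno untouched. The `malloc (path_max)` for `buf` also runs before the `++num_links > __eloop_threshold ()` check, so the ELOOP path allocates only to free again; moving the allocation below that check removes one cleanup branch.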
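
Review bot: the `free(buf);` added after the `while ((--dest)[-1] != '/');` loop in the second hunk (@@ -197,6 +216,7 @@) makes `buf` a per-symlink allocation, and the patch now needs five separate `free(buf)` calls to keep every exit from that branch leak-free. Any `goto error` added to the branch later will leak unless it remembers the same call. Consider handling `buf` the way the patch already handles `extra_buf`: declare it at function scope, allocate it on first use, reuse it across iterations, and release it once next to `free(extra_buf)` on the success and `error:` paths. That keeps the stack saving the commit message is after while cutting the malloc/free traffic and the number of cleanup sites.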
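
Review bot: `free(extra_buf);` at the `error:` label in the last hunk (@@ -210,12 +230,14 @@) is reached from every `goto error`, including failures that happen before any symlink has been seen, so it is only correct if `extra_buf` is initialised to NULL at its declaration. That declaration is outside the lines shown; the existing `if (!extra_buf)` test suggests it is, but please confirm, since with `__alloca` an uninitialised value was harmless on this path and with `free` it is not. Style: both added calls here, like the `free(buf);` calls earlier in the patch, should be written with a space before the parenthesis to match the surrounding `free (rpath);` and `malloc (path_max)`.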