Module Name:	src
Committed By:	rillig
Date:		Sat Feb  5 10:41:15 UTC 2022

Modified Files:
	src/usr.bin/make/unit-tests: var-scope-local.mk

Log Message:
tests/make: document and try to reproduce the crash in Parse_IsVar

Fixed in parse.c 1.662 from today.

To actually crash make, the end of the expanded dependency line must be at
the end of a mapped region. There is no guaranteed crash, as this depends
on the memory allocator. NetBSD's jemalloc allocates large contiguous
regions, making it less likely for an allocation to end up at the end of a
mapped region. The memory allocators used by FreeBSD and OpenBSD are
better at detecting such bugs.

To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/usr.bin/make/unit-tests/var-scope-local.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/usr.bin/make/unit-tests/var-scope-local.mk diff -u src/usr.bin/make/unit-tests/var-scope-local.mk:1.3 src/usr.bin/make/unit-tests/var-scope-local.mk:1.4 --- src/usr.bin/make/unit-tests/var-scope-local.mk:1.3 Sat Jan 29 00:52:53 2022 +++ src/usr.bin/make/unit-tests/var-scope-local.mk Sat Feb 5 10:41:15 2022 @@ -1,4 +1,4 @@ -# $NetBSD: var-scope-local.mk,v 1.3 2022/01/29 00:52:53 rillig Exp $ +# $NetBSD: var-scope-local.mk,v 1.4 2022/02/05 10:41:15 rillig Exp $ # # Tests for target-local variables, such as ${.TARGET} or $@. These variables # are relatively short-lived as they are created just before making the 
@@ -198,3 +198,32 @@ a_use: .USE VAR=use all: var-scope-local-use.o var-scope-local-use.o: a_use + + +# Since parse.c 1.656 from 2022-01-27 and before parse.c 1.662 from +# 2022-02-05, there was an out-of-bounds read in Parse_IsVar when looking for +# a variable assignment in a dependency line with trailing whitespace. Lines +# without trailing whitespace were not affected. Global variable assignments +# were guaranteed to have no trailing whitespace and were thus not affected. +# +# Try to reproduce some variants that may lead to a crash, depending on the +# memory allocator. To get a crash, the terminating '\0' of the line must be +# the last byte of a memory page. The expression '${:U}' forces this trailing +# whitespace. + +# On FreeBSD x86_64, a crash could in some cases be forced using the following +# line, which has length 47, so the terminating '\0' may end up at an address +# of the form 0xXXXX_XXXX_XXXX_Xfff: +Try_to_crash_FreeBSD.xxxxxxxxxxxxxxxxxx: 12345 ${:U} + +# The following line has length 4095, so line[4095] == '\0'. If the line is +# allocated on a page boundary and the following page is not mapped, this line +# leads to a segmentation fault. +${:U:range=511:@_@1234567@:ts.}: 12345 ${:U} + +# The following line has length 8191, so line[8191] == '\0'. If the line is +# allocated on a page boundary and the following page is not mapped, this line +# leads to a segmentation fault. +${:U:range=1023:@_@1234567@:ts.}: 12345 ${:U} + +12345:
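Review bot: In the @@ -198,3 +198,32 @@ hunk, the lengths 47, 4095 and 8191 quoted in the new comments are lengths of the expanded dependency line, measured after '${:U}' has expanded to the empty string and after ':range' and ':ts.' have been applied; the source lines as written in the file are longer than that. Saying "expanded line" explicitly in each comment (for example "The following line expands to length 4095, so line[4095] == '\0'") would keep a reader from trying to verify the number against the raw file. It would also help to state that '${:U}' works because it expands to nothing, so the blank before it survives as trailing whitespace, which is the condition the comment above names. Finally, the 4095 and 8191 lengths assume 4 KiB pages so that line[4095] is the last byte of a page; that matches the FreeBSD x86_64 case mentioned but not platforms with larger pages, so a short note on that assumption would make clear why the test only ever signals the bug by crashing and can never fail deterministically, as the commit message already acknowledges.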