This code only happened to work due to being started on a pristine zero-filled stack. With dynamic linking on i386/musl, I got:
Program received signal SIGSEGV, Segmentation fault. 0x08050fd1 in dlist_add_nomalloc (list=0xffffd9f0, new=0x80afef0) at lib/llist.c:90 90 (*list)->prev->next = new; (gdb) bt #0 0x08050fd1 in dlist_add_nomalloc (list=0xffffd9f0, new=0x80afef0) at lib/llist.c:90 #1 0x0806f913 in parse_line (line=line@entry=0x80a3aa0 "cd .", sp=sp@entry=0xffffd9ec) at toys/pending/sh.c:1142 #2 0x0807166d in sh_run (new=0x80a3aa0 "cd .") at toys/pending/sh.c:1693 #3 sh_main () at toys/pending/sh.c:1841 #4 0x080542ee in toy_exec_which (which=<optimized out>, argv=0xffffdba8) at main.c:175 #5 0x08054317 in toy_exec (argv=0xffffdba8) at main.c:182 #6 0x0805433f in toybox_main () at main.c:196 #7 0x080542ee in toy_exec_which (which=<optimized out>, argv=0xffffdba4) at main.c:175 #8 0x08054317 in toy_exec (argv=0xffffdba4) at main.c:182 #9 0x0805433f in toybox_main () at main.c:196 #10 0x0804c68f in main (argc=2, argv=0xffffdba4) at main.c:260 (gdb) print list $1 = (struct double_list **) 0xffffd9f0 (gdb) print *list $2 = (struct double_list *) 0xf7ffb1e0 <__stdout_FILE> This was just what happened to be on the stack from before sh_run was called, likely leftover from dynamic linker startup. With the attached patch, it now runs without crashing. Rich
>From 555871688b88dafd6d5b6f80bba7af01acfb8a7c Mon Sep 17 00:00:00 2001 From: Rich Felker <dal...@aerifal.cx> Date: Sat, 11 Jan 2020 20:16:48 -0500 Subject: [PATCH] sh.c: fix memory corruption due to uninitialized sh_function in sh_run --- toys/pending/sh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/toys/pending/sh.c b/toys/pending/sh.c index 482639da..32e33507 100644 --- a/toys/pending/sh.c +++ b/toys/pending/sh.c @@ -1685,7 +1685,7 @@ dprintf(2, "TODO skipped running for((;;)), need math parser\n"); // Parse and run a self-contained command line with no prompt/continuation static int sh_run(char *new) { - struct sh_function scratch; + struct sh_function scratch = { 0 }; int rc; // TODO: parse with len? (End early?) -- 2.21.0
_______________________________________________ Toybox mailing list Toybox@lists.landley.net http://lists.landley.net/listinfo.cgi/toybox-landley.net