Re: [Tinycc-devel] mksh fails to build with bound check

[Kirill Smelkov]

Hi Thomas,

On Thu, Mar 20, 2014 at 10:20:21PM +0800, Thomas Preud'homme wrote:
> Le dimanche 19 janvier 2014, 17:03:32 Kirill Smelkov a écrit :
> 
> Hi Kirill,
> 
> > 
> > Sorry for being silent for so long. I've started looking into the
> > problem today, but before I've ever got to mksh, I've found one new bug
> > wrt bcheck which is now fixed. Could you please see, does it maybe fixes
> > mksh? If not, I'm willing to continue digging, only it will be very
> > slow, as my time is very tight this days...
> 
> I've looked into it this week and managed to fix one bug with regards to 
> relocation of __bound_init (see commit 
> ec1c83081dd741bd18ca1821bf52535c444dc111) but there is still at least one 
> other bug. As I understand it the problem is that mksh loop over argv entries 
> in main with something like "while (!*argv)". This triggers a segfault by 
> bound_ptr_indir returning INVALID_POINTER. So I guess there is nothing right 
> now to add argv[] and environ[] among the ok zones. I was thinking about 
> doing 
> it in __bound_init but there is some difficulty. From the environ variable 
> it's 
> easy to find the beginning and end of environ array by browsing it. 
> Alternatively setenv of a new variable could do it in a faster way but there 
> is the risk of the array to be already full so the browsing seems more 
> reliable. The problem is to find the beginning and end of argv[]. For 
> instance, 
> I don't know if with address space randomization the environ follows 
> immediately the end of argv (it seems to be the case on my machine). As to 
> the 
> beginning of argv, I can only think of taking the address of a local variable 
> but that's only an approximation.
> 
> Alternatively, a different prologue could be generated for the main function 
> that calls a __bound_new_argument_region that would take as parameter argv 
> and 
> then environ. What do you think about it? Do you feel like trying?
> 
> Best regards,
> 
> Thomas

Just a quick note, that I've got your message and was able to reproduce
mksh 0.38-3 breakage with `tcc -b`, and also, as I hope, found a small
test-case for argv v.s. bcheck crash which is below.

When I have my next free time, I'll try to analyze it, but that should
not be soon as I'm currently very busy...

Thanks,
Kirill

---- 8< ----
/* то работает - то выпадает
address@hidden:~/src/tools/tinycc$ ./a.out
stack:  0xffceb3f4
argv:   0xffceb494
        e:  .start: 0  .size: ffffffff  invalid: 0
region dump:
0804b400: 0804b43b:0804b449 0804b430:0804b43a 0804b424:0804b42f
argv[0]:        0xffced297
address@hidden:~/src/tools/tinycc$ ./a.out
stack:  0xfffbfee4
argv:   0xfffbff84
        e:  .start: 0  .size: 0  invalid: 1
region dump:
0804b400: 0804b43b:0804b449 0804b430:0804b43a 0804b424:0804b42f
E: __bound_ptr_indir4(0xfffbff84, 0x0)
Ошибка сегментирования (core dumped)
*/

#include <stdio.h>

int main(int argc, const char *argv[])
{
    int i;

    printf("stack:\t%p\n", &i);
    printf("argv:\t%p\n", argv);
    for (i = 0; i<argc; ++i)
        printf("argv[%i]:\t%p\n", i, argv[i]);

    return 0;
}