Bug 10761 - busybox shell is more easily to get SEGV for processing backtick '`' command.
Summary: busybox shell is more easily to get SEGV for processing backtick '`' command.
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other (show other bugs)
Version: 1.28.x
Hardware: All Linux
: P5 critical
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-14 22:42 UTC by frank chen
Modified: 2018-11-14 13:23 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:

Attachments
ash: fix SEGV in parsebackq on big buffers caused by alloca (1.16 KB, patch)
2018-11-14 13:23 UTC, Martin Lewis 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description frank chen 2018-02-14 22:42:43 UTC 
The new shell(ash.c) use alloca() to allocate memory for parsebackq: (backtick '`' command). but for some scripts which use a lot of this kind of commands, the result is terrible(I thought the default stack size is 16000).

I got this since I try to configure libtool package on my new system with new busybox, and I got SEGV.

I use ckmalloc() and free() to resolve this problem.
Comment 1 Martin Lewis 2018-11-14 13:23:55 UTC 
Created attachment 7886 [details]
ash: fix SEGV in parsebackq on big buffers caused by alloca

Hi, I wrote a little patch that should fix this bug

Before fix:
# python -c "print 'echo \"' + ' ' * 3000000 + ' \`true\`' * 1000 + '\"'" > test.sh
# bash test.sh | wc
      1       0 3001001
# ./busybox ash test.sh
Segmentation fault (core dumped)

After fix:
# python -c "print 'echo \"' + ' ' * 3000000 + ' \`true\`' * 1000 + '\"'" > test.sh
# ./busybox ash test.sh | wc
      1       0 3001001