Re: [bug #64551] Possible null pointer dereference on the function get_buffer

[Martin Dorey]

• once the second invocation of `xrealloc` ... returns zero
  

But it doesn't, it just recurses, calls get_buffer again, again likely fails and recurses still further until the stack is blown.  Or it did until https://git.savannah.gnu.org/cgit/make.git/commit/?id=68be4f74fce91b76e5915449268d6b5eb687aab9.

---

From: bug-make-bounces+martin.dorey=hds.com@gnu.org <bug-make-bounces+martin.dorey=hds.com@gnu.org> on behalf of Haoxin Tu <haoxintu@gmail.com>
Sent: Saturday, January 20, 2024 06:17
To: Paul D. Smith <INVALID.NOREPLY@gnu.org>
Cc: Paul D. Smith <psmith@gnu.org>; boris@kolpackov.net <boris@kolpackov.net>; bug-make@gnu.org <bug-make@gnu.org>
Subject: Re: [bug #64551] Possible null pointer dereference on the function get_buffer

 

***** EXTERNAL EMAIL *****

Hi,

Thank you so much for your time and reply.

We understand that the entire point of `xrealloc` is never returning 0 to client users/developers who use this function. However, the issue we reported here happens when the `xrealloc` internally handles the returned 0 from `realloc` or `malloc` functions. 

In general, the key point is that the function `OUT_OF_MEM()` (invoked when the `result` gets a 0 in the implementation of `xrealloc`) does not immediately terminate the program execution, and the function `OUT_OF_MEM()` will continue to allocate buffers via `xrealloc` for printing purposes in the following and then terminate. Specifically, the continuous execution of function `OUT_OF_MEM()` calls the `xrealloc` again through the `get_buffer` function (`OUT_OF_MEM()` is a macro definition that will call the function `fatal`, which finally invocates the function `get_buffer`). As we mentioned in the initial report, once the second invocation of `xrealloc` (i.e., the one called inside `OUT_OF_MEM()`) returns zero and calls `OUT_OF_MEM()` again, a null pointer dereference is occurred in `fmtbuf.buffer[need-1] = '\0';` in the function `get_buffer`.

Please kindly check my explanation above and correct me if I am wrong. Thank you so much again and looking forward to hearing from you back again.

Best regards,

Haoxin

Paul D. Smith <INVALID.NOREPLY@gnu.org> 于2024年1月7日周日 01:49写道：

Update of bug#64551 (group make):

                  Status:                    None => Duplicate             
             Assigned to:                    None => psmith                 
             Open/Closed:                    Open => Closed                 

    _______________________________________________________

Follow-up Comment #1:

I don't see how the "second" xrealloc() would return 0; the entire point of
xrealloc is that it never returns 0.

However, I can see where the behavior of the code might lead to an infinite
loop.

This issue was already addressed in GNU Make 4.3 via bug #13651
The version you're testing (4.2) was released in 2016.

It's certainly helpful to check for errors in tools like GNU Make but please
check either the most recent published version or, even better, the current
Git HEAD version.

Thanks!


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?64551>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/