[PATCH 2/2] ash: use alloca to get rid of setjmp

Ron Yorston rmy at frippery.org
Thu Jul 2 08:01:51 UTC 2015


Rich Felker wrote:
>In general alloca is unsafe. It's not obvious to me what the code here
>is doing, so I can't tell for sure if it's safe or not, but I think
>this needs a strong justification of safety before being acceptable.

It's a parser for a POSIXy shell; I doubt that the code is obvious to
anyone.

My understanding is that it's reading a token and has got to the point
where a command substitution has been detected.  It wants to save the
bit of the token it's already processed.  So if we have

   echo "very long string"`date`

the code would allocate space for the very long string.  (Putting a space
between the string and the substitution makes two separate tokens so no
allocation would be required.  And the first part doesn't have to be a
string literal, that's just an example, it can consist of other stuff,
so long as it's all treated as making one token.)

Is this safe?  In most cases it probably is, but not if the script is
malicious.  If the very long string is too big for your stack you get a
seg fault or worse.  With a suitably long string and small stack I can
reliably crash dash.

Ron
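Added example, not code from the patch, from dash or from ash: a constructed C sketch of the pattern the mail describes, a tokenizer that has consumed a prefix of the current token when it reaches a backquoted command substitution and must set that prefix aside. `reassemble_unsafe` saves the prefix with `alloca`, so the script's author decides how much stack is consumed; `reassemble_safe` keeps the stack use bounded by an assumed limit and spills larger prefixes to the heap. `find_backtick`, `STACK_SAVE_LIMIT`, the function names and the sample token are all assumptions made for this illustration.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound (not a dash/ash constant): prefixes up to this size may be
 * saved on the stack; anything larger is copied to the heap instead. */
#define STACK_SAVE_LIMIT 4096

/* Offset of the first backquote that starts a command substitution, or
 * (size_t)-1 if there is none.  Backslash-escaped backquotes and anything
 * inside single quotes are literal; a backquote inside double quotes still
 * starts a substitution.  Stand-in for the tokenizer reaching the point the
 * mail talks about; it ignores $(...) and heredocs. */
size_t find_backtick(const char *tok)
{
    int in_sq = 0;
    for (size_t i = 0; tok[i]; i++) {
        if (in_sq) { if (tok[i] == '\'') in_sq = 0; continue; }
        if (tok[i] == '\\' && tok[i + 1]) { i++; continue; }
        if (tok[i] == '\'') in_sq = 1;
        else if (tok[i] == '`') return i;
    }
    return (size_t)-1;
}

/* Unsafe pattern: the saved prefix lives on the stack and its size is taken
 * straight from the script.  `subst` stands in for the output the parser
 * would obtain by recursing into the backquoted text; the result is the
 * reassembled token on the heap. */
char *reassemble_unsafe(const char *tok, size_t prefix_len, const char *subst)
{
    char *save = alloca(prefix_len + 1);   /* BUG: unbounded stack growth */
    memcpy(save, tok, prefix_len);
    save[prefix_len] = '\0';
    /* ... the substitution would be parsed here, reusing the token buffer ... */
    size_t slen = strlen(subst);
    char *out = malloc(prefix_len + slen + 1);
    if (!out) return NULL;
    memcpy(out, save, prefix_len);
    memcpy(out + prefix_len, subst, slen + 1);
    return out;
}

/* Hardened pattern: small prefixes still use the stack (cheap, nothing to
 * free); a prefix at or above STACK_SAVE_LIMIT goes to the heap and is
 * released before returning.  Stack use no longer depends on the script. */
char *reassemble_safe(const char *tok, size_t prefix_len, const char *subst)
{
    int on_heap = prefix_len >= STACK_SAVE_LIMIT;
    char *save;
    if (on_heap) {
        save = malloc(prefix_len + 1);
        if (!save) return NULL;
    } else {
        save = alloca(prefix_len + 1);     /* bounded by STACK_SAVE_LIMIT */
    }
    memcpy(save, tok, prefix_len);
    save[prefix_len] = '\0';
    size_t slen = strlen(subst);
    char *out = malloc(prefix_len + slen + 1);
    if (out) {
        memcpy(out, save, prefix_len);
        memcpy(out + prefix_len, subst, slen + 1);
    }
    if (on_heap) free(save);
    return out;
}

int main(void)
{
    /* Constructed input modelled on the mail's example. */
    const char *tok = "\"very long string\"`date`";
    size_t at = find_backtick(tok);
    char *out = reassemble_safe(tok, at, "Thu Jul  2 08:01:51 UTC 2015");
    printf("%s\n", out ? out : "(alloc failed)");
    free(out);

    /* A script-controlled prefix far beyond a typical 8 MiB stack: the
     * hardened routine copes; reassemble_unsafe would fault on this input. */
    size_t big = (size_t)64 << 20;
    char *huge = malloc(big + 1);
    if (!huge) return 1;
    memset(huge, 'A', big);
    huge[big] = '\0';
    out = reassemble_safe(huge, big, "x");
    printf("%zu\n", out ? strlen(out) : 0);
    free(out);
    free(huge);
    return 0;
}
```

Note that the `alloca` call has to sit in the function that uses the memory: a helper that returns an `alloca`'d pointer hands back a dangling pointer once it returns, which is why both variants above do the copy and the reassembly in one frame. The heap fallback is what makes the stack bound hold; capping the prefix length instead would reject legitimate scripts.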

