From: Eric Blake
To: cygwin AT cygwin DOT com
Subject: Re: FYI - bash crash due to asprintf bug
Date: Wed, 29 Nov 2006 18:18:25 +0000 (UTC)

Robbie Gates writes:

> > reduces asprintf's use of realloc from quadratic
> > to log-linear performance (ie. calling realloc every time you add a byte
> > is bad, compared to doubling the buffer size every time you call realloc).
>
> Just out of interest, note that a size increase of 50% (i.e. new size
> = (3*oldsize)/2) has better properties for certain memory managers, as
> opposed to doubling. It has the same asymptotic complexity improvement
> as doubling. Roughly speaking, any factor less than the golden ratio
> (1+sqrt(5))/2 is good, but 1.5 is (a) cheaply obtained on most cpu
> architectures, and (b) leaves a little space in case the memory
> manager adds some overhead. See http://tinyurl.com/yd5669 for details.

Thanks for the advice. Here's the patch I submitted:
http://sourceware.org/ml/newlib/2006/msg00931.html

The full vulnerability is that on cygwin, any program that uses asprintf with
cygwin 1.5.22 or earlier, where the result of asprintf is a multiple of 4 but
not 8 and is greater than 1024, will corrupt the heap.

I'm now debating whether it is worth spinning another version of bash that
works around this bug (by faking out bash's configure to not discover the
broken asprintf, so that bash then uses its non-buggy replacement asprintf),
or just waiting for the next cygwin version to come out.

--
Eric Blake
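The growth policies compared in this thread (realloc on every byte, doubling, and new size = (3*oldsize)/2), as an added example that is not part of the original message and not the newlib patch linked above. The names `gbuf`, `policy`, `next_cap`, `gbuf_append` and `count_reallocs` and the 16-byte starting capacity are assumptions made for illustration; the size arithmetic is overflow-checked so a huge request fails cleanly instead of producing an undersized block.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; not newlib's asprintf code. */
struct gbuf { char *data; size_t len, cap, reallocs; };
enum policy { GROW_EXACT, GROW_DOUBLE, GROW_3_2 };

/* Smallest capacity under policy p that holds `need`; 0 on size_t overflow. */
static size_t next_cap(size_t cap, size_t need, enum policy p) {
    if (p == GROW_EXACT) return need;   /* grow to exactly what is needed */
    if (cap == 0) cap = 16;             /* constructed starting size */
    while (cap < need) {
        size_t inc = (p == GROW_DOUBLE) ? cap : cap / 2;
        if (cap > SIZE_MAX - inc) return 0;   /* addition would wrap */
        cap += inc;
    }
    return cap;
}

/* Append n bytes. Returns 0, or -1 leaving the buffer unchanged and valid. */
int gbuf_append(struct gbuf *b, const char *src, size_t n, enum policy p) {
    if (n == 0) return 0;
    if (n > SIZE_MAX - b->len) return -1;     /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t cap = next_cap(b->cap, need, p);
        char *tmp = cap ? realloc(b->data, cap) : NULL;
        if (tmp == NULL) return -1;           /* old block still owned by b */
        b->data = tmp;
        b->cap = cap;
        b->reallocs++;
    }
    memcpy(b->data + b->len, src, n);         /* need <= cap holds here */
    b->len = need;
    return 0;
}

/* Append `total` single bytes; return how many realloc calls that took. */
size_t count_reallocs(size_t total, enum policy p) {
    struct gbuf b = {0};
    for (size_t i = 0; i < total; i++)
        if (gbuf_append(&b, "x", 1, p) != 0) break;
    size_t r = b.reallocs;
    free(b.data);
    return r;
}
```

For 4096 one-byte appends, `count_reallocs` reports 4096 calls for `GROW_EXACT`, 9 for `GROW_DOUBLE` and 15 for `GROW_3_2`.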