lib/c-stack.c

   1 /* Stack overflow handling.
   2
   3    Copyright (C) 2002, 2004, 2006, 2008-2017 Free Software Foundation, Inc.
   4
   5    This program is free software: you can redistribute it and/or modify
   6    it under the terms of the GNU General Public License as published by
   7    the Free Software Foundation; either version 3 of the License, or
   8    (at your option) any later version.
   9
  10    This program is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13    GNU General Public License for more details.
  14
  15    You should have received a copy of the GNU General Public License
  16    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
  17
  18 /* Written by Paul Eggert.  */
  19
  20 /* NOTES:
  21
  22    A program that uses alloca, dynamic arrays, or large local
  23    variables may extend the stack by more than a page at a time.  If
  24    so, when the stack overflows the operating system may not detect
  25    the overflow until the program uses the array, and this module may
  26    incorrectly report a program error instead of a stack overflow.
  27
  28    To avoid this problem, allocate only small objects on the stack; a
  29    program should be OK if it limits single allocations to a page or
  30    less.  Allocate larger arrays in static storage, or on the heap
  31    (e.g., with malloc).  Yes, this is a pain, but we don't know of any
  32    better solution that is portable.
  33
  34    No attempt has been made to deal with multithreaded applications.  */
  35
  36 #include <config.h>
  37
  38 #ifndef __attribute__
  39 # if __GNUC__ < 3
  40 #  define __attribute__(x)
  41 # endif
  42 #endif
  43
  44 #include "gettext.h"
  45 #define _(msgid) gettext (msgid)
  46
  47 #include <errno.h>
  48
  49 #include <signal.h>
  50 #if ! HAVE_STACK_T && ! defined stack_t
  51 typedef struct sigaltstack stack_t;
  52 #endif
  53 #ifndef SIGSTKSZ
  54 # define SIGSTKSZ 16384
  55 #elif HAVE_LIBSIGSEGV && SIGSTKSZ < 16384
  56 /* libsigsegv 2.6 through 2.8 have a bug where some architectures use
  57    more than the Linux default of an 8k alternate stack when deciding
  58    if a fault was caused by stack overflow.  */
  59 # undef SIGSTKSZ
  60 # define SIGSTKSZ 16384
  61 #endif
  62
  63 #include <stdlib.h>
  64 #include <string.h>
  65
  66 /* Posix 2001 declares ucontext_t in <ucontext.h>, Posix 200x in
  67    <signal.h>.  */
  68 #if HAVE_UCONTEXT_H
  69 # include <ucontext.h>
  70 #endif
  71
  72 #include <unistd.h>
  73
  74 #if HAVE_LIBSIGSEGV
  75 # include <sigsegv.h>
  76 #endif
  77
  78 #include "c-stack.h"
  79 #include "exitfail.h"
  80 #include "ignore-value.h"
  81 #include "getprogname.h"
  82
  83 #if defined SA_ONSTACK && defined SA_SIGINFO
  84 # define SIGINFO_WORKS 1
  85 #else
  86 # define SIGINFO_WORKS 0
  87 # ifndef SA_ONSTACK
  88 #  define SA_ONSTACK 0
  89 # endif
  90 #endif
  91
  92 /* The user-specified action to take when a SEGV-related program error
  93    or stack overflow occurs.  */
  94 static void (* volatile segv_action) (int);
  95
  96 /* Translated messages for program errors and stack overflow.  Do not
  97    translate them in the signal handler, since gettext is not
  98    async-signal-safe.  */
  99 static char const * volatile program_error_message;
 100 static char const * volatile stack_overflow_message;
 101
 102 /* Output an error message, then exit with status EXIT_FAILURE if it
 103    appears to have been a stack overflow, or with a core dump
 104    otherwise.  This function is async-signal-safe.  */
 105
 106 static _Noreturn void
 107 die (int signo)
 108 {
 109   char const *message;
 110 #if !SIGINFO_WORKS && !HAVE_LIBSIGSEGV
 111   /* We can't easily determine whether it is a stack overflow; so
 112      assume that the rest of our program is perfect (!) and that
 113      this segmentation violation is a stack overflow.  */
 114   signo = 0;
 115 #endif /* !SIGINFO_WORKS && !HAVE_LIBSIGSEGV */
 116   segv_action (signo);
 117   message = signo ? program_error_message : stack_overflow_message;
 118   ignore_value (write (STDERR_FILENO, getprogname (), strlen (getprogname ())));
 119   ignore_value (write (STDERR_FILENO, ": ", 2));
 120   ignore_value (write (STDERR_FILENO, message, strlen (message)));
 121   ignore_value (write (STDERR_FILENO, "\n", 1));
 122   if (! signo)
 123     _exit (exit_failure);
 124   raise (signo);
 125   abort ();
 126 }
 127
 128 #if (HAVE_SIGALTSTACK && HAVE_DECL_SIGALTSTACK \
 129      && HAVE_STACK_OVERFLOW_HANDLING) || HAVE_LIBSIGSEGV
 130
 131 /* Storage for the alternate signal stack.  */
 132 static union
 133 {
 134   char buffer[SIGSTKSZ];
 135
 136   /* These other members are for proper alignment.  There's no
 137      standard way to guarantee stack alignment, but this seems enough
 138      in practice.  */
 139   long double ld;
 140   long l;
 141   void *p;
 142 } alternate_signal_stack;
 143
 144 static void
 145 null_action (int signo __attribute__ ((unused)))
 146 {
 147 }
 148
 149 #endif /* SIGALTSTACK || LIBSIGSEGV */
 150
 151 /* Only use libsigsegv if we need it; platforms like Solaris can
 152    detect stack overflow without the overhead of an external
 153    library.  */
 154 #if HAVE_LIBSIGSEGV && ! HAVE_XSI_STACK_OVERFLOW_HEURISTIC
 155
 156 /* Nonzero if general segv handler could not be installed.  */
 157 static volatile int segv_handler_missing;
 158
 159 /* Handle a segmentation violation and exit if it cannot be stack
 160    overflow.  This function is async-signal-safe.  */
 161
 162 static int segv_handler (void *address __attribute__ ((unused)),
 163                          int serious)
 164 {
 165 # if DEBUG
 166   {
 167     char buf[1024];
 168     sprintf (buf, "segv_handler serious=%d\n", serious);
 169     write (STDERR_FILENO, buf, strlen (buf));
 170   }
 171 # endif
 172
 173   /* If this fault is not serious, return 0 to let the stack overflow
 174      handler take a shot at it.  */
 175   if (!serious)
 176     return 0;
 177   die (SIGSEGV);
 178 }
 179
 180 /* Handle a segmentation violation that is likely to be a stack
 181    overflow and exit.  This function is async-signal-safe.  */
 182
 183 static _Noreturn void
 184 overflow_handler (int emergency,
 185                   stackoverflow_context_t context __attribute__ ((unused)))
 186 {
 187 # if DEBUG
 188   {
 189     char buf[1024];
 190     sprintf (buf, "overflow_handler emergency=%d segv_handler_missing=%d\n",
 191              emergency, segv_handler_missing);
 192     write (STDERR_FILENO, buf, strlen (buf));
 193   }
 194 # endif
 195
 196   die ((!emergency || segv_handler_missing) ? 0 : SIGSEGV);
 197 }
 198
 199 int
 200 c_stack_action (void (*action) (int))
 201 {
 202   segv_action = action ? action : null_action;
 203   program_error_message = _("program error");
 204   stack_overflow_message = _("stack overflow");
 205
 206   /* Always install the overflow handler.  */
 207   if (stackoverflow_install_handler (overflow_handler,
 208                                      alternate_signal_stack.buffer,
 209                                      sizeof alternate_signal_stack.buffer))
 210     {
 211       errno = ENOTSUP;
 212       return -1;
 213     }
 214   /* Try installing a general handler; if it fails, then treat all
 215      segv as stack overflow.  */
 216   segv_handler_missing = sigsegv_install_handler (segv_handler);
 217   return 0;
 218 }
 219
 220 #elif HAVE_SIGALTSTACK && HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING
 221
 222 # if SIGINFO_WORKS
 223
 224 /* Handle a segmentation violation and exit.  This function is
 225    async-signal-safe.  */
 226
 227 static _Noreturn void
 228 segv_handler (int signo, siginfo_t *info,
 229               void *context __attribute__ ((unused)))
 230 {
 231   /* Clear SIGNO if it seems to have been a stack overflow.  */
 232 #  if ! HAVE_XSI_STACK_OVERFLOW_HEURISTIC
 233   /* We can't easily determine whether it is a stack overflow; so
 234      assume that the rest of our program is perfect (!) and that
 235      this segmentation violation is a stack overflow.
 236
 237      Note that although both Linux and Solaris provide
 238      sigaltstack, SA_ONSTACK, and SA_SIGINFO, currently only
 239      Solaris satisfies the XSI heuristic.  This is because
 240      Solaris populates uc_stack with the details of the
 241      interrupted stack, while Linux populates it with the details
 242      of the current stack.  */
 243   signo = 0;
 244 #  else
 245   if (0 < info->si_code)
 246     {
 247       /* If the faulting address is within the stack, or within one
 248          page of the stack, assume that it is a stack overflow.  */
 249       ucontext_t const *user_context = context;
 250       char const *stack_base = user_context->uc_stack.ss_sp;
 251       size_t stack_size = user_context->uc_stack.ss_size;
 252       char const *faulting_address = info->si_addr;
 253       size_t page_size = sysconf (_SC_PAGESIZE);
 254       size_t s = faulting_address - stack_base + page_size;
 255       if (s < stack_size + 2 * page_size)
 256         signo = 0;
 257
 258 #   if DEBUG
 259       {
 260         char buf[1024];
 261         sprintf (buf,
 262                  "segv_handler fault=%p base=%p size=%lx page=%lx signo=%d\n",
 263                  faulting_address, stack_base, (unsigned long) stack_size,
 264                  (unsigned long) page_size, signo);
 265         write (STDERR_FILENO, buf, strlen (buf));
 266       }
 267 #   endif
 268     }
 269 #  endif
 270
 271   die (signo);
 272 }
 273 # endif
 274
 275 int
 276 c_stack_action (void (*action) (int))
 277 {
 278   int r;
 279   stack_t st;
 280   struct sigaction act;
 281   st.ss_flags = 0;
 282 # if SIGALTSTACK_SS_REVERSED
 283   /* Irix mistakenly treats ss_sp as the upper bound, rather than
 284      lower bound, of the alternate stack.  */
 285   st.ss_sp = alternate_signal_stack.buffer + SIGSTKSZ - sizeof (void *);
 286   st.ss_size = sizeof alternate_signal_stack.buffer - sizeof (void *);
 287 # else
 288   st.ss_sp = alternate_signal_stack.buffer;
 289   st.ss_size = sizeof alternate_signal_stack.buffer;
 290 # endif
 291   r = sigaltstack (&st, NULL);
 292   if (r != 0)
 293     return r;
 294
 295   segv_action = action ? action : null_action;
 296   program_error_message = _("program error");
 297   stack_overflow_message = _("stack overflow");
 298
 299   sigemptyset (&act.sa_mask);
 300
 301 # if SIGINFO_WORKS
 302   /* POSIX 1003.1-2001 says SA_RESETHAND implies SA_NODEFER, but
 303      this is not true on Solaris 8 at least.  It doesn't hurt to use
 304      SA_NODEFER here, so leave it in.  */
 305   act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_RESETHAND | SA_SIGINFO;
 306   act.sa_sigaction = segv_handler;
 307 # else
 308   act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_RESETHAND;
 309   act.sa_handler = die;
 310 # endif
 311
 312 # if FAULT_YIELDS_SIGBUS
 313   if (sigaction (SIGBUS, &act, NULL) < 0)
 314     return -1;
 315 # endif
 316   return sigaction (SIGSEGV, &act, NULL);
 317 }
 318
 319 #else /* ! ((HAVE_SIGALTSTACK && HAVE_DECL_SIGALTSTACK
 320              && HAVE_STACK_OVERFLOW_HANDLING) || HAVE_LIBSIGSEGV) */
 321
 322 int
 323 c_stack_action (void (*action) (int)  __attribute__ ((unused)))
 324 {
 325   errno = ENOTSUP;
 326   return -1;
 327 }
 328
 329 #endif