lib/c-stack.c

   1 /* Stack overflow handling.
   2
   3    Copyright (C) 2002, 2004, 2006, 2008-2021 Free Software Foundation, Inc.
   4
   5    This program is free software: you can redistribute it and/or modify
   6    it under the terms of the GNU General Public License as published by
   7    the Free Software Foundation; either version 3 of the License, or
   8    (at your option) any later version.
   9
  10    This program is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13    GNU General Public License for more details.
  14
  15    You should have received a copy of the GNU General Public License
  16    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
  17
  18 /* Written by Paul Eggert.  */
  19
  20 /* NOTES:
  21
  22    A program that uses alloca, dynamic arrays, or large local
  23    variables may extend the stack by more than a page at a time.  If
  24    so, when the stack overflows the operating system may not detect
  25    the overflow until the program uses the array, and this module may
  26    incorrectly report a program error instead of a stack overflow.
  27
  28    To avoid this problem, allocate only small objects on the stack; a
  29    program should be OK if it limits single allocations to a page or
  30    less.  Allocate larger arrays in static storage, or on the heap
  31    (e.g., with malloc).  Yes, this is a pain, but we don't know of any
  32    better solution that is portable.
  33
  34    No attempt has been made to deal with multithreaded applications.  */
  35
  36 #include <config.h>
  37
  38 #include "c-stack.h"
  39
  40 #include <errno.h>
  41 #include <inttypes.h>
  42
  43 #include <signal.h>
  44 #if ! HAVE_STACK_T && ! defined stack_t
  45 typedef struct sigaltstack stack_t;
  46 #endif
  47
  48 #include <stdbool.h>
  49 #include <stddef.h>
  50 #include <stdlib.h>
  51 #include <string.h>
  52
  53 /* Pre-2008 POSIX declared ucontext_t in ucontext.h instead of signal.h.  */
  54 #if HAVE_UCONTEXT_H
  55 # include <ucontext.h>
  56 #endif
  57
  58 #include <unistd.h>
  59
  60 #if DEBUG
  61 # include <stdio.h>
  62 #endif
  63
  64 #include "idx.h"
  65
  66 #include "gettext.h"
  67 #define _(msgid) gettext (msgid)
  68
  69 /* Use libsigsegv only if needed; kernels like Solaris can detect
  70    stack overflow without the overhead of an external library.  */
  71 #define USE_LIBSIGSEGV (!HAVE_XSI_STACK_OVERFLOW_HEURISTIC && HAVE_LIBSIGSEGV)
  72
  73 #if USE_LIBSIGSEGV
  74 # include <sigsegv.h>
  75 #endif
  76
  77 #include "exitfail.h"
  78 #include "ignore-value.h"
  79 #include "intprops.h"
  80 #include "getprogname.h"
  81
  82 #if defined SA_ONSTACK && defined SA_SIGINFO
  83 # define SIGINFO_WORKS 1
  84 #else
  85 # define SIGINFO_WORKS 0
  86 # ifndef SA_ONSTACK
  87 #  define SA_ONSTACK 0
  88 # endif
  89 #endif
  90
  91 /* Storage for the alternate signal stack.
  92    64 KiB is not too large for Gnulib-using apps, and is large enough
  93    for all known platforms.  Smaller sizes may run into trouble.
  94    For example, libsigsegv 2.6 through 2.8 have a bug where some
  95    architectures use more than the Linux default of an 8 KiB alternate
  96    stack when deciding if a fault was caused by stack overflow.  */
  97 static max_align_t alternate_signal_stack[(64 * 1024
  98                                            + sizeof (max_align_t) - 1)
  99                                           / sizeof (max_align_t)];
 100
 101 /* The user-specified action to take when a SEGV-related program error
 102    or stack overflow occurs.  */
 103 static _GL_ASYNC_SAFE void (* volatile segv_action) (int);
 104
 105 /* Translated messages for program errors and stack overflow.  Do not
 106    translate them in the signal handler, since gettext is not
 107    async-signal-safe.  */
 108 static char const * volatile program_error_message;
 109 static char const * volatile stack_overflow_message;
 110
 111 #if (USE_LIBSIGSEGV                                           \
 112      || (HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING))
 113
 114 /* Output an error message, then exit with status EXIT_FAILURE if it
 115    appears to have been a stack overflow, or with a core dump
 116    otherwise.  This function is async-signal-safe.  */
 117
 118 static char const * volatile progname;
 119
 120 static _GL_ASYNC_SAFE _Noreturn void
 121 die (int signo)
 122 {
 123 # if !SIGINFO_WORKS && !USE_LIBSIGSEGV
 124   /* We can't easily determine whether it is a stack overflow; so
 125      assume that the rest of our program is perfect (!) and that
 126      this segmentation violation is a stack overflow.  */
 127   signo = 0;
 128 # endif
 129   segv_action (signo);
 130   char const *message = signo ? program_error_message : stack_overflow_message;
 131
 132   /* If the message is short, write it all at once to avoid
 133      interleaving with other messages.  Avoid writev as it is not
 134      documented to be async-signal-safe.  */
 135   size_t prognamelen = strlen (progname);
 136   size_t messagelen = strlen (message);
 137   static char const separator[] = {':', ' '};
 138   char buf[sizeof alternate_signal_stack / 16 + sizeof separator];
 139   idx_t buflen;
 140   if (prognamelen + messagelen < sizeof buf - sizeof separator)
 141     {
 142       char *p = mempcpy (buf, progname, prognamelen);
 143       p = mempcpy (p, separator, sizeof separator);
 144       p = mempcpy (p, message, messagelen);
 145       *p++ = '\n';
 146       buflen = p - buf;
 147     }
 148   else
 149     {
 150       ignore_value (write (STDERR_FILENO, progname, prognamelen));
 151       ignore_value (write (STDERR_FILENO, separator, sizeof separator));
 152       ignore_value (write (STDERR_FILENO, message, messagelen));
 153       buf[0] = '\n';
 154       buflen = 1;
 155     }
 156   ignore_value (write (STDERR_FILENO, buf, buflen));
 157
 158   if (! signo)
 159     _exit (exit_failure);
 160   raise (signo);
 161   abort ();
 162 }
 163
 164 static _GL_ASYNC_SAFE void
 165 null_action (int signo _GL_UNUSED)
 166 {
 167 }
 168
 169 #endif /* SIGALTSTACK || LIBSIGSEGV */
 170
 171 #if USE_LIBSIGSEGV
 172
 173 /* Pacify GCC 9.3.1, which otherwise would complain about segv_handler.  */
 174 # if __GNUC_PREREQ (4, 6)
 175 #  pragma GCC diagnostic ignored "-Wsuggest-attribute=pure"
 176 # endif
 177
 178 /* Nonzero if general segv handler could not be installed.  */
 179 static volatile int segv_handler_missing;
 180
 181 /* Handle a segmentation violation and exit if it cannot be stack
 182    overflow.  This function is async-signal-safe.  */
 183
 184 static _GL_ASYNC_SAFE int
 185 segv_handler (void *address _GL_UNUSED, int serious)
 186 {
 187 # if DEBUG
 188   {
 189     char buf[1024];
 190     int saved_errno = errno;
 191     ignore_value (write (STDERR_FILENO, buf,
 192                          sprintf (buf, "segv_handler serious=%d\n", serious)));
 193     errno = saved_errno;
 194   }
 195 # endif
 196
 197   /* If this fault is not serious, return 0 to let the stack overflow
 198      handler take a shot at it.  */
 199   if (!serious)
 200     return 0;
 201   die (SIGSEGV);
 202 }
 203
 204 /* Handle a segmentation violation that is likely to be a stack
 205    overflow and exit.  This function is async-signal-safe.  */
 206
 207 static _GL_ASYNC_SAFE _Noreturn void
 208 overflow_handler (int emergency, stackoverflow_context_t context _GL_UNUSED)
 209 {
 210 # if DEBUG
 211   {
 212     char buf[1024];
 213     ignore_value (write (STDERR_FILENO, buf,
 214                          sprintf (buf, ("overflow_handler emergency=%d"
 215                                         " segv_handler_missing=%d\n"),
 216                                   emergency, segv_handler_missing)));
 217   }
 218 # endif
 219
 220   die ((!emergency || segv_handler_missing) ? 0 : SIGSEGV);
 221 }
 222
 223 int
 224 c_stack_action (_GL_ASYNC_SAFE void (*action) (int))
 225 {
 226   segv_action = action ? action : null_action;
 227   program_error_message = _("program error");
 228   stack_overflow_message = _("stack overflow");
 229   progname = getprogname ();
 230
 231   /* Always install the overflow handler.  */
 232   if (stackoverflow_install_handler (overflow_handler,
 233                                      alternate_signal_stack,
 234                                      sizeof alternate_signal_stack))
 235     {
 236       errno = ENOTSUP;
 237       return -1;
 238     }
 239   /* Try installing a general handler; if it fails, then treat all
 240      segv as stack overflow.  */
 241   segv_handler_missing = sigsegv_install_handler (segv_handler);
 242   return 0;
 243 }
 244
 245 #elif HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING
 246
 247 # if SIGINFO_WORKS
 248
 249 static size_t volatile page_size;
 250
 251 /* Handle a segmentation violation and exit.  This function is
 252    async-signal-safe.  */
 253
 254 static _GL_ASYNC_SAFE _Noreturn void
 255 segv_handler (int signo, siginfo_t *info, void *context _GL_UNUSED)
 256 {
 257   /* Clear SIGNO if it seems to have been a stack overflow.  */
 258
 259   /* If si_code is nonpositive, something like raise (SIGSEGV) occurred
 260      so it cannot be a stack overflow.  */
 261   bool cannot_be_stack_overflow = info->si_code <= 0;
 262
 263   /* An unaligned address cannot be a stack overflow.  */
 264 #  if FAULT_YIELDS_SIGBUS
 265   cannot_be_stack_overflow |= signo == SIGBUS && info->si_code == BUS_ADRALN;
 266 #  endif
 267
 268   /* If we can't easily determine that it is not a stack overflow,
 269      assume that the rest of our program is perfect (!) and that
 270      this segmentation violation is a stack overflow.
 271
 272      Note that although both Linux and Solaris provide
 273      sigaltstack, SA_ONSTACK, and SA_SIGINFO, currently only
 274      Solaris satisfies the XSI heuristic.  This is because
 275      Solaris populates uc_stack with the details of the
 276      interrupted stack, while Linux populates it with the details
 277      of the current stack.  */
 278   if (!cannot_be_stack_overflow)
 279     {
 280       /* If the faulting address is within the stack, or within one
 281          page of the stack, assume that it is a stack overflow.  */
 282       uintptr_t faulting_address = (uintptr_t) info->si_addr;
 283
 284       /* On all platforms we know of, the first page is not in the
 285          stack to catch null pointer dereferening.  However, all other
 286          pages might be in the stack.  */
 287       void *stack_base = (void *) (uintptr_t) page_size;
 288       uintptr_t stack_size = 0; stack_size -= page_size;
 289 #  if HAVE_XSI_STACK_OVERFLOW_HEURISTIC
 290       /* Tighten the stack bounds via the XSI heuristic.  */
 291       ucontext_t const *user_context = context;
 292       stack_base = user_context->uc_stack.ss_sp;
 293       stack_size = user_context->uc_stack.ss_size;
 294 #  endif
 295       uintptr_t base = (uintptr_t) stack_base,
 296         lo = (INT_SUBTRACT_WRAPV (base, page_size, &lo) || lo < page_size
 297               ? page_size : lo),
 298         hi = ((INT_ADD_WRAPV (base, stack_size, &hi)
 299                || INT_ADD_WRAPV (hi, page_size - 1, &hi))
 300               ? UINTPTR_MAX : hi);
 301       if (lo <= faulting_address && faulting_address <= hi)
 302         signo = 0;
 303
 304 #   if DEBUG
 305       {
 306         char buf[1024];
 307         ignore_value (write (STDERR_FILENO, buf,
 308                              sprintf (buf,
 309                                       ("segv_handler code=%d fault=%p base=%p"
 310                                        " size=0x%zx page=0x%zx signo=%d\n"),
 311                                       info->si_code, info->si_addr, stack_base,
 312                                       stack_size, page_size, signo)));
 313       }
 314 #  endif
 315     }
 316
 317   die (signo);
 318 }
 319 # endif
 320
 321 int
 322 c_stack_action (_GL_ASYNC_SAFE void (*action) (int))
 323 {
 324   stack_t st;
 325   st.ss_flags = 0;
 326   st.ss_sp = alternate_signal_stack;
 327   st.ss_size = sizeof alternate_signal_stack;
 328 # if SIGALTSTACK_SS_REVERSED
 329   /* Irix mistakenly treats ss_sp as the upper bound, rather than
 330      lower bound, of the alternate stack.  */
 331   st.ss_size -= sizeof (void *);
 332   char *ss_sp = st.ss_sp;
 333   st.ss_sp = ss_sp + st.ss_size;
 334 # endif
 335   int r = sigaltstack (&st, NULL);
 336   if (r != 0)
 337     return r;
 338
 339   segv_action = action ? action : null_action;
 340   program_error_message = _("program error");
 341   stack_overflow_message = _("stack overflow");
 342   progname = getprogname ();
 343
 344 # if SIGINFO_WORKS
 345   page_size = sysconf (_SC_PAGESIZE);
 346 # endif
 347
 348   struct sigaction act;
 349   sigemptyset (&act.sa_mask);
 350
 351 # if SIGINFO_WORKS
 352   /* POSIX 1003.1-2001 says SA_RESETHAND implies SA_NODEFER, but
 353      this is not true on Solaris 8 at least.  It doesn't hurt to use
 354      SA_NODEFER here, so leave it in.  */
 355   act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_RESETHAND | SA_SIGINFO;
 356   act.sa_sigaction = segv_handler;
 357 # else
 358   act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_RESETHAND;
 359   act.sa_handler = die;
 360 # endif
 361
 362 # if FAULT_YIELDS_SIGBUS
 363   if (sigaction (SIGBUS, &act, NULL) < 0)
 364     return -1;
 365 # endif
 366   return sigaction (SIGSEGV, &act, NULL);
 367 }
 368
 369 #else /* ! (USE_LIBSIGSEGV
 370             || (HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING)) */
 371
 372 int
 373 c_stack_action (_GL_ASYNC_SAFE void (*action) (int)  _GL_UNUSED)
 374 {
 375   errno = ENOTSUP;
 376   return -1;
 377 }
 378
 379 #endif