[redbean] os.tmpname crashes redbean #1108

Closed
mterron opened this issue Feb 21, 2024 · 0 comments

mterron commented Feb 21, 2024

Trying to use os.tmpname crashes redbean. I've been able to reproduce this on Windows (native), Windows (WSL) and macOS.

This is a stack trace:

```
./redbean.com -i -vvvvv
>: GetRedbeanVersion()
131584
>: tmp = os.tmpname()

error: Uncaught SIGSEGV (SEGV_ACCERR) on CMYD03CWZW pid 12496 tid 6380
  redbean.com
  EUNKNOWN/0/No error information/0/The operation completed successfully
  Windows Windows 10.0-19045 CMYD03CWZW 10.0-19045

RAX 0000000000000001 RBX 0000000000000001 RDI 0000007373383639 ST(0) 0.0
RCX 0000000000000054 RDX 0000000000000001 RSI 000010008007d140 ST(1) 0.0
RBP 000070000003faf0 RSP 000070000003fac0 RIP 00000000004d1ec7 ST(2) 0.0
 R8 000070000003fac0  R9 0000000000000047 R10 0000000000000000 ST(3) 0.0
R11 0000000000000246 R12 0000000000000001 R13 0000007373383639 ST(4) 0.0
R14 0000000000000001 R15 000010008007d140

XMM0  7373383639685f61756c2f706d65542f XMM8  00000001c6e415960000000154442bd4
XMM1  6c61636f4c2f617461447070412f6c65 XMM9  00000000000000000000000000000000
XMM2  65542f6c61636f4c2f61746144707041 XMM10 00000000000000000000000000000000
XMM3  2f6c657567694d2f73726573552f432f XMM11 00000000000000000000000000000000
XMM4  00000000000000000000000000000000 XMM12 00000000000000000000000000000000
XMM5  00000000000000000000000000000000 XMM13 00000000000000000000000000000000
XMM6  005c006c0065007500670069004d005c XMM14 00000000000000000000000000000000
XMM7  00730072006500730055005c003a0043 XMM15 00000000000000000000000000000000

70000003e280 4d1ec7 luaD_poscall+39
70000003faf0 4d24b2 luaD_precall+418
70000003fb50 4ec6da luaV_execute+1434
70000003fc20 4d263b ccall+75
70000003fc50 4d2763 luaD_callnoyield+19
70000003fc60 4cb584 f_call+20
70000003fc70 4d1834 luaD_rawrunprotected+84
70000003fcf0 4d2a38 luaD_pcall+56
70000003fd40 4ccd3c lua_pcallk+108
70000003fd80 4dfdc4 lua_runchunk+148
70000003fe10 430057 RedBean+7575
70000003ffb0 402acd main+45
70000003ffd0 4030c9 cosmo+77
70000003ffe0 57aafe _jmpstack+22

redbean.com -i -vvvvv
```
mrdomino added a commit to mrdomino/cosmopolitan that referenced this issue May 18, 2024
At least on macOS, `strlen(getenv("TMPDIR"))` is 50. That's right, there
was a buffer overflow.
mrdomino added a commit to mrdomino/cosmopolitan that referenced this issue May 18, 2024
Now we actually do a bounds check, and the function fails if the $TMPDIR
is too big.
mrdomino added a commit to mrdomino/cosmopolitan that referenced this issue May 19, 2024
At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp
that takes up to 120 or so bytes to spell. Instead of overflowing, we do
a bounds check and the function fails successfully on even longer /tmps.

Fixes jart#1108 (os.tmpname crashes redbean)
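
The kind of bounds check the referencing commits describe, as an added C example that is not part of the issue and is not cosmopolitan's code: it builds a temp-file template from a `$TMPDIR`-style value and fails instead of writing past the buffer. The helper name `build_tmp_template`, the `lua_XXXXXX` suffix, the buffer sizes and the 50-byte sample directory are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a 50-byte macOS-style TMPDIR with a trailing slash. */
static const char SAMPLE_TMPDIR[] =
    "/var/folders/ab/0123456789abcdefghijklmnopqrstu/T/";

/*
 * Hypothetical helper: write "<dir>/lua_XXXXXX" into buf, never touching
 * more than size bytes. The bug class in the issue is an unchecked copy of
 * $TMPDIR into a fixed array, e.g. strcpy(buf, getenv("TMPDIR")).
 * Returns the template length, or -1 with errno = ENAMETOOLONG.
 */
int build_tmp_template(const char *dir, char *buf, size_t size) {
  if (!dir || !*dir) dir = "/tmp";          /* unset or empty TMPDIR */
  size_t n = strlen(dir);
  while (n > 1 && dir[n - 1] == '/') n--;   /* drop trailing slashes */

  /* snprintf reports the length it needed, so truncation is detectable. */
  int need = snprintf(buf, size, "%.*s/lua_XXXXXX", (int)n, dir);
  if (need < 0 || (size_t)need >= size) {
    if (size) buf[0] = '\0';                /* never hand back a cut-off path */
    errno = ENAMETOOLONG;
    return -1;
  }
  return need;
}

int main(void) {
  char small[32], big[128];                 /* assumed sizes for the demo */
  const char *dir = getenv("TMPDIR");
  if (!dir) dir = SAMPLE_TMPDIR;

  if (build_tmp_template(dir, small, sizeof small) < 0)
    printf("32-byte buffer: rejected (%s)\n", strerror(errno));
  else
    printf("32-byte buffer: %s\n", small);

  if (build_tmp_template(dir, big, sizeof big) < 0)
    printf("128-byte buffer: rejected (%s)\n", strerror(errno));
  else
    printf("128-byte buffer: %s\n", big);
  return 0;
}
```
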