Before commit 44f73c5a62 ("Cygwin: Fix segfalt when too many command
line args are specified.") we had no actual argument size limit, except
for the fact that the child process created another copy of the argv
array on the stack, which could result in a stack overflow and a
subsequent SEGV. Commit 44f73c5a62 changed that by allocating the
additional argv array via malloc, and it introduced a new SC_ARG_MAX
limit along the lines of the typical Linux limit.
However, this new limit is artificial. Cygwin allocates all argument
and environment data on the cygheap. We only run out of ARG_MAX space
if we're out of memory resources.
Change argument size handling accordingly:
- Drop the args size check from child_info_spawn::worker.
- Return -1 from sysconf (SC_ARG_MAX), i. e., the argument size limit
is undefined.
- Change argv handling in class av, so that a failing cmalloc is not
fatal. This allows the parent process to return E2BIG if it's out
of cygheap resources.
- In the child, add a check around the new malloc call, so that it
doesn't result in a SEGV if the child process gets unexpectedly into
an ENOMEM situation at this point. In this (unlikely) case, proceed
with the original __argv array instead. Add comment to explain why.
Fixes: 44f73c5a62 ("Cygwin: Fix segfalt when too many command line args are specified.")
Tested-by: Takashi Yano <takashi.yano@nifty.ne.jp>
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Previously, the number of command line args was not checked for
cygwin process. Due to this, segmentation fault was caused if too
many command line args are specified.
https://cygwin.com/pipermail/cygwin/2023-August/254333.html
Since char *argv[argc + 1] is placed on the stack in dll_crt0_1(),
STATUS_STACK_OVERFLOW occurs if the stack does not have enough
space.
With this patch, char *argv[] is placed in heap instead of stack
and ARG_MAX is increased from 32000 to 2097152 which is default
value of Linux. The argument length is also compared with ARG_MAX
and spawnve() returns E2BIG if it is too long.
Reported-by: Ed Morton
Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
After the commit fbfea31dd9, switch_to_nat_pipe is not cleared
properly when non-cygwin app is terminated in the case where the
pseudo console is disabled. This is because get_winpid_to_hand_over()
sometimes returns PID of cygwin process even though it should return
only PID of non-cygwin process. This patch fixes the issue by adding
a new argument which requests only PID of non-cygwin process to
get_console_process_id().
Fixes: fbfea31dd9 ("Cygwin: pty: Avoid cutting the branch the pty master is sitting on.")
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
After the commit 93508e5bb8, the access permissions argument passed
to open_shared() is ignored and always replaced with (FILE_MAP_READ |
FILE_MAP_WRITE). This causes the weird behaviour that sshd service
process loses its cygwin PID. This triggers the failure in pty that
transfer_input() does not work properly.
This patch resumes the access permission settings to fix that.
Fixes: 93508e5bb8 ("Cygwin: open_shared: don't reuse shared_locations parameter as output")
Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
Signedd-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
The commit 10d083c745 has a bug that lacks a check for pinfo pointer
value for master_pid. This causes segmentation fault if the process
whose pid is master_pid no longer exists. This patch fixes the issue.
Fixes: 10d083c745 ("Cygwin: pty: Inherit typeahead data between two input pipes.")
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
As described in the previous commit b5111e4642
("struct _reent: add state for unicode functions") every unicode
conversion function has to use their own state object, if the
state parameter is NULL.
Fixes: 4f258c55e8 ("Cygwin: Add ISO C11 functions c16rtomb, c32rtomb, mbrtoc16, mbrtoc32.")
Fixes: c49bc478b4 ("Cygwin: Add ISO C2X functions c8rtomb, mbrtoc8")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
After addition of SEEK_HOLE, the whence of *4* is not an invalid
argument, causing the test to FAIL.
See ltp commit 423e636a4c8f ("lseek03: change to fix with the lseek syscall")
Avoid transient failures by adding a small delay after fork()-ing to
allow the child to get into a state where it can recieve signals.
Also add same small delay to kill03 and kill04. kill02 has a more
elaborate setup where child processes write to a pipe to indicate they
have started.
Commit 3c75fac130 fixed the __restrict definition in sys/cdefs.h,
but uncovered a problem in the definition of lio_listio in Cygwin's
aio.h. It uses the C99 extension of using the restrict keyword
to define non-overlapping arrays. However, this is not allowed in
C++.
Use the newly defined __restrict_arr from commit e66c63be6b
("sys/cdefs.h: introduce __restrict_arr, as in glibc")
Fixes: 3c75fac130 ("sys/cdefs.h: fix for use __restrict in C++"
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Previously, though readahead buffer handling in pty master was not
fully thread-safe, accept_input() was called from peek_pipe() thread
in select.cc. This caused the problem reported in:
https://cygwin.com/pipermail/cygwin/2023-July/253984.html
The mechanism of the problem is:
1) accept_input() which is called from peek_pipe() thread calls
eat_readahead(-1) before reading readahead buffer. This allows
writing to the readahead buffer from another (main) thread.
2) The main thread calls fhandler_pty_master::write() just after
eat_readahead(-1) was called and before reading the readahead
buffer by accept_input() called from peek_pipe() thread. This
overwrites the readahead buffer.
3) The read result from readahead buffer which was overwritten is
sent to the slave.
This patch makes readahead buffer handling fully thread-safe using
input_mutex to resolve this issue.
Fixes: 7b03b0d8ce ("select.cc (peek_pipe): Call flush_to_slave whenever we're checking for a pty master.")
Reported-by: Thomas Wolff <towo@towo.net>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
Per C++11, uchar16_t and uchar32_t are defined the same as
uint_least16_t and uint_least32_t. Also, check for the C++
version to make sure that the types are not colliding with
predefined c++ types.
Fixes: 4f258c55e8 ("Cygwin: Add ISO C11 functions c16rtomb, c32rtomb, mbrtoc16, mbrtoc32.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
After the commit a4705d387f, printf() for floating-point values
causes a memory leak. The legacy _ldtoa_r() assumed the char pointer
returned will be free'ed by Bfree(). However, gdtoa-based _ldtoa_r()
returns the pointer returned by gdtoa() which should be free'ed by
freedtoa(). Due to this issue, the caller of _ldtoa_r() fails to free
the allocated char buffer. This is the cause of the said memory leak.
https://cygwin.com/pipermail/cygwin/2023-July/254054.html
This patch makes rv_alloc()/freedtoa() allocate/free the buffer in
a compatible way with legacy _ldtoa_r().
Fixes: a4705d387f ("ldtoa: Import gdtoa from OpenBSD.")
Reported-by: natan_b <natan_b@libero.it>
Reviewed-by: Corinna Vinschen <corinna@vinschen.de>
Signed-off-by: Takashi Yano <takashi.yano@nifty.ne.jp>
The FD_WRITE event is a false friend. It indicates ready to write
even if the next send fails with WSAEWOULDBLOCK. *After* the fact,
FD_WRITE will be cleared until sending is again possible, but that
is too late for a select/write loop.
Workaround that by using the WinSock select function when peeking
at a socket and FD_WRITE gets indicated. WinSock select fortunately
indicates writability correctly.
Fixes: 70e476d27b ("(peek_socket): Use event handling for peeking socket.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This macro loads and defines a function just as usual, except
that the Windows function is exposed only with the prefix
_win32_. So Windows select (the immediate victim) is only
exposed as _win32_select. That allows to autoload the windows
function without collision with a Cygwin function of the same
name.
For a start, only define the most simple macro, setting all
extensions to 0.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Add uchar.h accordingly.
For the c32 functions, use the internal functions wirtomb and mbrtowi
as base, and convert wirtomb and mbrtowi to inline functions calling
the c32 functions.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The changes to support GB18030 were insufficient and the underlying
Windows conversion functions just failed. Fix how the Windows functions
are called for GB18030.
Fixes: 5da71b6059 ("Cygwin: add support for GB18030 codeset")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Commit c743751aaf ("Cygwin: Export
posix_spawn_file_actions_add{f}chdir_np")
added two new functions but we forgot to bump the API version.
Catch up.
Fixes: c743751aaf ("Cygwin: Export posix_spawn_file_actions_add{f}chdir_np")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Commit c36064bbd0 introduced operating on character pointers
instead of operating on characters, to allow collating symbols.
This patch neglected to change the expression for range
comparison in case we're in the C locale. Thus it suddenly
compared pointers instead of characters. Fix that.
Fixes: c36064bbd0 ("Cygwin: fnmatch: support collating symbols in [. .] brackets")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The extended _NL_foo names were originally designed after their GLibc
counterparts. However, the OUTDIGIT macros were accidentally defined as
OUTDIGITS, plural. Fix them.
Fixes: d47d5b850b ("Extend locale support to maintain wide char values of native strings")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The GLIBC extension AT_EMPTY_PATH allows the functions fchownat
and fstatat to operate on dirfd alone, if the given pathname is an
empty string. This also allows to operate on any file type, not
only directories.
Commit fa84aa4dd2 broke this. It only allows dirfd to be a
directory in calls to these two functions.
Fix that by handling AT_EMPTY_PATH right in gen_full_path_at.
A valid dirfd and an empty pathname is now a valid combination
and, noticably, this returns a valid path in path_ret. That
in turn allows to remove the additional path generation code
from the callers.
Fixes: fa84aa4dd2 ("Cygwin: fix errno values set by readlinkat")
Reported-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Tested-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Convert gen_full_path_at to take flag values from the caller, rather
than just a bool indicating that empty paths are allowed. This is in
preparation of a better AT_EMPTY_PATH handling in a followup patch.
Reviewed-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The check if the local variable p is NULL is useless. The preceeding
code always sets p to a valid pointer, or it crashes if path_ret is
invalid (which would be a bug in Cygwin).
Fixes: c57b57e5c4 ("* cygwin.din: Sort.")
Reviewed-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
A more sophisticated (and modern) test harness would probably be useful,
but switching to Automake's built-in test harness gets us parallel test
execution, colourization of failures, simplifies matters, seems adequate
for the current testuite, and means we don't need to write any icky Tcl.
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
When creating the POSIX ACL rewrite, the code merging permissions from
everyone/group to group/user ACEs was accidentally called for newly
generated files as well.
This could result in broken permissions, if umask used unusual values
like "0100", granted permissions to everyone/group not granted to
group/user.
Make sure to skip permission merging if the file got just created and
we only want to set correct permissions for the first time.
Fixes: bc444e5aa4 ("Reapply POSIX ACL changes.")
Reported-by: Jon Turney <jon.turney@dronecode.org.uk>
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Move strace output to fix uninitalized use of fh introduced in previous commit.
../../../../src/winsup/cygwin/syscalls.cc: In function ‘int stat_worker(path_conv&, stat*)’:
../../../../src/winsup/cygwin/syscalls.cc:1971:69: error: ‘fh’ may be used uninitialized [-Werror=maybe-uninitialized]
Fixes: 42b44044b3 ("Cygwin: Fix Windows file handle leak in stat("file", -1)")
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Don't leak a Windows file handle if stat() is called with a valid
filename, but invalid stat buffer pointer.
We do not destroy fh (which closes a Windows handle it has opened) if an
exception happens in the __try block.
Avoid this by re-ordering things so that we don't construct the fhandler
object until after we've attempted to use the struct stat buffer.
Fixes: 73151c54d5 ("syscalls.cc (stat_worker): Don't call build_fh_pc with invalid pc.")
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Drop setting TDIRECTORY, just use /tmp in the 'test installation' now
that we have it.
This effectively reverts f3ed5f2fe0
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Starting with commit 42faed4128 ("* thread.h (class pthread): Add bool
member canceled."), pthread::testcancel waits infinitely on cancel_event
after it checked if the canceled variable is set. However, this might
introduce a deadlock, if the thread calling pthread_cancel is terminated
after setting canceled to true, but before calling SetEvent on cancel_event.
In fact, it's not at all necessary to wait infinitely. By definition,
the thread is only canceled if cancel_event is set. The canceled
variable is just a helper to speed up code. We can safely assume that
the thread hasn't been canceled yet, if canceled is set, but cancel_event
isn't.
Fixes: 42faed4128 ("* thread.h (class pthread): Add bool member canceled.")
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Despite our efforts, sometimes the async cancellation gets deferred.
Notice this by calling pthread_testcancel(), and then try to work out if
async cancellation was ever successful by checking if all threads ran
for the full expected time, or if some were stopped early.
Also, increase the time we allow for the async cancellation to get
delivered to 30 seconds.
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Add back the restoration of signal handlers modified during system() on
thread cancellation.
Removed in 3cb9da14 which describes it as 'ill-conceived' (additional
context doesn't appear to be available).
We use the internal implementation helpers for the pthread cleanup
chain, so we can neatly tuck it inside the object, and keep the point
when we restore the signal handlers the same. (The
pthread_cleanup_push/pop() functions are implemented as macros which
must appear in the same lexical scope.)
Fixes: 3cb9da1461 ("Put signals on hold and use system_call_cleanup
class to set and restore signals rather than doing it prior to to
running the program. Remove the ill-conceived pthread_cleanup stuff.")
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Take note of schedparam in any pthread_attr_t passed to pthread_create.
postcreate() (racily, after the thread is actually created), sets the
scheduling priority if it's inherited, but precreate() doesn't store any
scheduling priority explicitly set via a non-default attr to
pthread_create, so schedparam.sched_priority has the default value of 0.
(I think this is another long-standing bug exposed by 4b51e4c1. Now we
don't lie about the actual thread priority, it's apparent it's not
really being set in this case.)
Fixes testcase priority2.
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
Test access05 and symlink03 expect operations to fail which succeed when
we have Adminstrator privileges.
There's perhaps a bit of incoherency here: some XFAILed tests expect to
run as root (so maybe we need the ability to selectively cygdrop?).
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>