Aubrey writes:

When I mounted nfs on my target, the kernel crashed. And I found it
was caused by stack overflow. When I digged into it.
And I found not only "setgroups.c" but
"getgroups.c" have the matrix (__kernel_gid_t kernel_groups[n]) on the
stack which can be very large because "n" can be assigned to
NGROUPS_MAX.

And, NGROUPS_MAX is defined in the file "./linux-2.6.x/include/linux/limits.h"
#define NGROUPS_MAX       65536    /* supplemental group IDs are available */

I also changed it to do malloc.

diff --git a/libc/sysdeps/linux/common/getgroups.c b/libc/sysdeps/linux/common/getgroups.c
index c863489..b2918c6 100644 (file)
--- a/libc/sysdeps/linux/common/getgroups.c
+++ b/libc/sysdeps/linux/common/getgroups.c
@@ -10,6 +10,7 @@
 #define sysconf __sysconf
 
 #include "syscalls.h"
+#include <stdlib.h>
 #include <unistd.h>
 
 #define MIN(a,b) (((a)<(b))?(a):(b))
@@ -21,11 +22,17 @@ static inline _syscall2(int, __syscall_getgroups,
 int attribute_hidden __getgroups(int n, gid_t * groups)
 {
        if (unlikely(n < 0)) {
+ret_error:
                __set_errno(EINVAL);
                return -1;
        } else {
                int i, ngids;
-               __kernel_gid_t kernel_groups[n = MIN(n, sysconf(_SC_NGROUPS_MAX))];
+               __kernel_gid_t *kernel_groups;
+
+               n = MIN(n, sysconf(_SC_NGROUPS_MAX));
+               kernel_groups = (__kernel_gid_t *)malloc(sizeof(*kernel_groups) * n);
+               if (kernel_groups == NULL)
+                       goto ret_error;
 
                ngids = __syscall_getgroups(n, kernel_groups);
                if (n != 0 && ngids > 0) {
@@ -33,6 +40,7 @@ int attribute_hidden __getgroups(int n, gid_t * groups)
                                groups[i] = kernel_groups[i];
                        }
                }
+               free(kernel_groups);
                return ngids;
        }
 }

diff --git a/libc/sysdeps/linux/common/setgroups.c b/libc/sysdeps/linux/common/setgroups.c
index 96428ed..21823ad 100644 (file)
--- a/libc/sysdeps/linux/common/setgroups.c
+++ b/libc/sysdeps/linux/common/setgroups.c
@@ -10,6 +10,7 @@
 #define sysconf __sysconf
 
 #include "syscalls.h"
+#include <stdlib.h>
 #include <unistd.h>
 #include <grp.h>
 
@@ -20,20 +21,27 @@ static inline _syscall2(int, __syscall_setgroups,
 int attribute_hidden __setgroups(size_t n, const gid_t * groups)
 {
        if (n > (size_t) sysconf(_SC_NGROUPS_MAX)) {
+ret_error:
                __set_errno(EINVAL);
                return -1;
        } else {
                size_t i;
-               __kernel_gid_t kernel_groups[n];
+               __kernel_gid_t *kernel_groups;
+
+               kernel_groups = (__kernel_gid_t *)malloc(sizeof(*kernel_groups) * n);
+               if (kernel_groups == NULL)
+                       goto ret_error;
 
                for (i = 0; i < n; i++) {
                        kernel_groups[i] = (groups)[i];
                        if (groups[i] != (gid_t) ((__kernel_gid_t) groups[i])) {
-                               __set_errno(EINVAL);
-                               return -1;
+                               goto ret_error;
                        }
                }
-               return (__syscall_setgroups(n, kernel_groups));
+
+               i = __syscall_setgroups(n, kernel_groups);
+               free(kernel_groups);
+               return i;
        }
 }
 strong_alias(__setgroups,setgroups)