[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()



On Fri, 13 Jul 2007, Andrey Chernov wrote:

On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:

*snip*

[snip]

I found another breakage case not covered by your last getenv() fix.
Take this simple program:

-- a.c ---------------------------------------------------------------
#include <stdlib.h>
extern char **environ;

main () {

static char *nenv[2];

nenv[0] = "PATH=/bin";
nenv[1] = NULL;

/*
  environ = nenv;
  unsetenv("PATH"); or somethig like
  which touch '=' char in nenv[0]
*/

nenv[0][4] = '\0';

}
-- a.c ---------------------------------------------------------------

*snip*

As you may see, compiler puts "PATH=/bin" to the program's .rodata
section which is placed to read only memory.

If later you'll modify this single "PATH=/bin" (comes from "nenv" now)
by
*equals = '\0';
...
*equals = '=';
core dump happens, which simulated in my simple a.c example by
nenv[0][4] = '\0';

Just run it and got code dump.

FreeBSD 6 will also dump if the length of the value was less than or
equal to "/bin" since it reuses this string.  This will core dump:

nenv[0] = "PATH=/bin";
nenv[1] = NULL;
environ = nenv;
setenv("PATH", "/bin", 1);

Sean
--
scf_(_at_)_FreeBSD_(_dot_)_org
_______________________________________________
freebsd-current_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe_(_at_)_freebsd_(_dot_)_org"


Visit your host, monkey.org