[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()

To: Andrey Chernov <ache_(_at_)_nagual_(_dot_)_pp_(_dot_)_ru>
Subject: Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
From: "Sean C. Farley" <scf_(_at_)_FreeBSD_(_dot_)_org>
Date: Fri, 13 Jul 2007 14:39:30 -0500 (CDT)
Cc: freebsd-current <freebsd-current_(_at_)_FreeBSD_(_dot_)_org>

On Fri, 13 Jul 2007, Andrey Chernov wrote:

On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:


*snip*

[snip]

I found another breakage case not covered by your last getenv() fix.
Take this simple program:

-- a.c ---------------------------------------------------------------
#include <stdlib.h>
extern char **environ;

main () {

static char *nenv[2];

nenv[0] = "PATH=/bin";
nenv[1] = NULL;

/*
  environ = nenv;
  unsetenv("PATH"); or somethig like
  which touch '=' char in nenv[0]
*/

nenv[0][4] = '\0';

}
-- a.c ---------------------------------------------------------------


*snip*

As you may see, compiler puts "PATH=/bin" to the program's .rodata
section which is placed to read only memory.

If later you'll modify this single "PATH=/bin" (comes from "nenv" now)
by
*equals = '\0';
...
*equals = '=';
core dump happens, which simulated in my simple a.c example by
nenv[0][4] = '\0';

Just run it and got code dump.


FreeBSD 6 will also dump if the length of the value was less than or
equal to "/bin" since it reuses this string.  This will core dump:

nenv[0] = "PATH=/bin";
nenv[1] = NULL;
environ = nenv;
setenv("PATH", "/bin", 1);

Sean
--
scf_(_at_)_FreeBSD_(_dot_)_org
_______________________________________________
freebsd-current_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe_(_at_)_freebsd_(_dot_)_org"

Follow-Ups:
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov

References:
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Sean C. Farley
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Sean C. Farley
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Sean C. Farley
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Sean C. Farley
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov
- Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
  - From: Andrey Chernov

Prev by Date: Re: Can't build RELENG_6 from HEAD?
Next by Date: Re: kqemu crash (page fault) with -current
Previous by thread: Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
Next by thread: Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
Index(es):
- Date
- Thread

Visit your host, monkey.org