This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)
- From: Andreas Schwab <schwab at suse dot de>
- To: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 21 Nov 2016 14:33:03 +0100
- Subject: Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)
- Authentication-results: sourceware.org; auth=none
- References: <1479734322-28206-1-git-send-email-adhemerval.zanella@linaro.org>
On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
> This patch fixes an invalid write out of a stack allocated buffer in
> 2 places in the execvpe implementation:
>
> 1. On 'maybe_script_execute' function where it allocates the new
> argument list and it does not account that a minimum of argc
> plus 3 elements (default shell path, script name, arguments,
> and ending null pointer) should be considered. The straightforward
> fix is just to take account of the correct list size.
>
> 2. On '__execvpe' where the executable file name length may not
> account for ending '\0' and thus subsequent path creation may
> write past array bounds because it requires to add the terminating
> null. The fix is to change how to calculate the executable name
> size to add the final '\0' and adjust the rest of the code
> accordingly.
>
> As described in GCC bug report 78433 [1], these issues were masked off by
> GCC because it allocated several bytes more than necessary so that many
> off-by-one bugs went unnoticed.
Did the bugs already exist before commit 1eb8930608?
> + if (((file_len-1) > NAME_MAX)
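Review bot: `file_len - 1 > NAME_MAX` is only correct if `file_len` already counts the terminating '\0', as item 2 of the description says it now does; a comment where `file_len` is computed (or a name that makes the plus-one explicit) would keep that invariant visible, since the same value feeds the path-buffer arithmetic. The `-` also wants spaces around it and the extra parentheses can go.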
Spaces around operator and remove the redundant parens.
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
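The two sizing rules from the patch description, as an added C example that is not the glibc code under review: `shell_argv_slots` and `build_shell_argv` size the shell argument list from the components listed (shell path, script name, the caller's arguments after argv[0], terminating NULL) and refuse an undersized array, while `join_path` counts the file name's terminator into `file_len` before the NAME_MAX check and the path-buffer arithmetic. All function names are mine; NAME_MAX falls back to 255 if the platform header does not define it.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

#ifndef NAME_MAX
#define NAME_MAX 255   /* assumed fallback when <limits.h> lacks it */
#endif

/* Pointers needed for "shell script argv[1..argc-1] NULL" when ARGV has
   ARGC non-null entries (argv[0] is the script name being replaced). */
size_t shell_argv_slots (size_t argc)
{
  size_t passthrough = argc > 0 ? argc - 1 : 0;
  return 2 + passthrough + 1;   /* shell, script, args, terminating NULL */
}

/* Fill OUT (OUT_SLOTS entries) with the shell argument list.
   Returns the number of slots written, or 0 if OUT is too small. */
size_t build_shell_argv (char **out, size_t out_slots, const char *shell,
                         const char *script, char *const argv[], size_t argc)
{
  if (out_slots < shell_argv_slots (argc))
    return 0;                   /* refuse rather than write past the array */
  size_t n = 0;
  out[n++] = (char *) shell;
  out[n++] = (char *) script;
  for (size_t i = 1; i < argc; i++)
    out[n++] = argv[i];
  out[n++] = NULL;
  return n;
}

/* Bytes needed for DIR "/" FILE where FILE_LEN already includes the '\0'. */
size_t path_buffer_bytes (size_t dir_len, size_t file_len)
{
  return dir_len + 1 + file_len;
}

/* Join DIR and FILE into BUF (BUF_BYTES long).  Returns 0 on success,
   -1 if the name is too long or the buffer would be overrun. */
int join_path (char *buf, size_t buf_bytes, const char *dir, const char *file)
{
  size_t file_len = strlen (file) + 1;        /* count the '\0' up front */
  if (file_len - 1 > NAME_MAX)
    return -1;
  size_t dir_len = strlen (dir);
  if (buf_bytes < path_buffer_bytes (dir_len, file_len))
    return -1;
  memcpy (buf, dir, dir_len);
  buf[dir_len] = '/';
  memcpy (buf + dir_len + 1, file, file_len);   /* copies the terminator */
  return 0;
}
```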