This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/20847] tst-vfork3 failure
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 22 Nov 2016 12:25:09 +0000
- Subject: [Bug libc/20847] tst-vfork3 failure
- Auto-submitted: auto-generated
- References: <bug-20847-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=20847
--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 6c9e1be87a37bfac0bf6c80a38171383ac3527e6 (commit)
from 5ee1a4443a3eb0868cef1fe506ae6fb6af33d4ad (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c9e1be87a37bfac0bf6c80a38171383ac3527e6
commit 6c9e1be87a37bfac0bf6c80a38171383ac3527e6
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Mon Nov 21 11:06:15 2016 -0200
Fix writes past the allocated array bounds in execvpe (BZ#20847)
This patch fixes an invalid write out or stack allocated buffer in
2 places at execvpe implementation:
1. On 'maybe_script_execute' function where it allocates the new
argument list and it does not account that a minimum of argc
plus 3 elements (default shell path, script name, arguments,
and ending null pointer) should be considered. The straightforward
fix is just to take account of the correct list size on argument
copy.
2. On '__execvpe' where the executable file name lenght may not
account for ending '\0' and thus subsequent path creation may
write past array bounds because it requires to add the terminating
null. The fix is to change how to calculate the executable name
size to add the final '\0' and adjust the rest of the code
accordingly.
As described in GCC bug report 78433 [1], these issues were masked off by
GCC because it allocated several bytes more than necessary so that many
off-by-one bugs went unnoticed.
Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS.
[BZ #20847]
* posix/execvpe.c (maybe_script_execute): Remove write past allocated
array bounds.
(__execvpe): Likewise.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 7 +++++++
posix/execvpe.c | 15 ++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.