This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]
Re: [PATCH v3] Fix writes past the allocated array bounds in execvpe (BZ#20847)

From: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
To: libc-alpha at sourceware dot org
Date: Tue, 6 Dec 2016 11:16:35 -0200
Subject: Re: [PATCH v3] Fix writes past the allocated array bounds in execvpe (BZ#20847)
Authentication-results: sourceware.org; auth=none
References: <1479908285-7461-1-git-send-email-adhemerval.zanella@linaro.org> <136a4a3d-d570-4c19-c98b-1d35fa662dd9@linaro.org> <deb9a714-5fbf-f2e8-4cd7-98227a41e434@linaro.org>
If no one opposes it I will commit it shortly.

On 02/12/2016 16:01, Adhemerval Zanella wrote:
> Ping, I think it should be safe to commit this revision since it is what
> Dominik has suggested also [1].  I would just like some ack for the test
> changes.
> 
> [1] https://sourceware.org/ml/libc-alpha/2016-11/msg00887.html
> 
> On 28/11/2016 15:56, Adhemerval Zanella wrote:
>> Ping.
>>
>> On 23/11/2016 11:38, Adhemerval Zanella wrote:
>>> Commit 6c9e1be87a37bf wrongly fixes BZ#20847 by lefting the else branch
>>> on maybe_script_execute to still being able to invalid write on stack
>>> allocated buffer.  It happens if execvp{e} is executed with an empty
>>> arguments list ({ NULL }) and although manual states first argument
>>> should be the script name itself, by convention, old and current
>>> implementation allows it.
>>>
>>> This patch fixes the issue by just account for arguments and not the
>>> final 'NULL' (since the 'argv + 1' will indeed ignored the script name).
>>> The empty argument list is handled in a special case with a minimum
>>> allocated size.  The patch also adds extra tests for such case in
>>> tst-vfork3.
>>>
>>> Tested on x86_64.
>>>
>>> 	[BZ #20847]
>>> 	* posix/execvpe.c (maybe_script_execute): Remove write past allocated
>>> 	array bounds for else branch.
>>> 	(__execvpe): Style fixes.
>>> 	* posix/tst-vfork3.c (run_script): New function.
>>> 	(create_script): Likewise.
>>> 	(do_test): Use run_script internal function.
>>> 	(do_prepare): Use create_script internal function.
>>> ---
>>>  ChangeLog          |  12 ++++
>>>  posix/execvpe.c    |  19 ++++--
>>>  posix/tst-vfork3.c | 185 +++++++++++++++++++----------------------------------
>>>  3 files changed, 91 insertions(+), 125 deletions(-)
>>>
>>> diff --git a/posix/execvpe.c b/posix/execvpe.c
>>> index 7cdb06a..a2d0145 100644
>>> --- a/posix/execvpe.c
>>> +++ b/posix/execvpe.c
>>> @@ -38,8 +38,8 @@
>>>  static void
>>>  maybe_script_execute (const char *file, char *const argv[], char *const envp[])
>>>  {
>>> -  ptrdiff_t argc = 0;
>>> -  while (argv[argc++] != NULL)
>>> +  ptrdiff_t argc;
>>> +  for (argc = 0; argv[argc] != NULL; argc++)
>>>      {
>>>        if (argc == INT_MAX - 1)
>>>  	{
>>> @@ -48,13 +48,18 @@ maybe_script_execute (const char *file, char *const argv[], char *const envp[])
>>>  	}
>>>      }
>>>  
>>> -  /* Construct an argument list for the shell.  It will contain at minimum 3
>>> -     arguments (current shell, script, and an ending NULL.  */
>>> -  char *new_argv[argc + 1];
>>> +  /* Construct an argument list for the shell based on original arguments:
>>> +     1. Empty list (argv = { NULL }, argc = 1 }: new argv will contain 3
>>> +	arguments - default shell, script to execute, and ending NULL.
>>> +     2. Non empty argument list (argc = { ..., NULL }, argc > 1}: new argv
>>> +	will contain also the default shell and the script to execute.  It
>>> +	will also skip the script name in arguments and only copy script
>>> +	arguments.  */
>>> +  char *new_argv[argc > 1 ? 2 + argc : 3];
>>>    new_argv[0] = (char *) _PATH_BSHELL;
>>>    new_argv[1] = (char *) file;
>>>    if (argc > 1)
>>> -    memcpy (new_argv + 2, argv + 1, (argc - 1) * sizeof(char *));
>>> +    memcpy (new_argv + 2, argv + 1, argc * sizeof(char *));
>>>    else
>>>      new_argv[2] = NULL;
>>>  
>>> @@ -96,7 +101,7 @@ __execvpe (const char *file, char *const argv[], char *const envp[])
>>>    size_t path_len = __strnlen (path, PATH_MAX - 1) + 1;
>>>  
>>>    /* NAME_MAX does not include the terminating null character.  */
>>> -  if (((file_len-1) > NAME_MAX)
>>> +  if ((file_len - 1 > NAME_MAX)
>>>        || !__libc_alloca_cutoff (path_len + file_len + 1))
>>>      {
>>>        errno = ENAMETOOLONG;
>>> diff --git a/posix/tst-vfork3.c b/posix/tst-vfork3.c
>>> index 05edc5a..f5fe5c3 100644
>>> --- a/posix/tst-vfork3.c
>>> +++ b/posix/tst-vfork3.c
>>> @@ -33,84 +33,64 @@ char *tmpdirname;
>>>  #define PREPARE(argc, argv) do_prepare ()
>>>  #include "../test-skeleton.c"
>>>  
>>> -static int
>>> -do_test (void)
>>> +static void
>>> +run_script (const char *script, char *const argv[])
>>>  {
>>> -  mtrace ();
>>> -
>>> -  const char *path = getenv ("PATH");
>>> -  if (path == NULL)
>>> -    path = "/bin";
>>> -  char pathbuf[strlen (tmpdirname) + 1 + strlen (path) + 1];
>>> -  strcpy (stpcpy (stpcpy (pathbuf, tmpdirname), ":"), path);
>>> -  if (setenv ("PATH", pathbuf, 1) < 0)
>>> -    {
>>> -      puts ("setenv failed");
>>> -      return 1;
>>> -    }
>>> -
>>> -  size_t i;
>>> -  char *argv[3] = { (char *) "script1.sh", (char *) "1", NULL };
>>> -  for (i = 0; i < 5; i++)
>>> +  for (size_t i = 0; i < 5; i++)
>>>      {
>>>        pid_t pid = vfork ();
>>>        if (pid < 0)
>>> -	{
>>> -	  printf ("vfork failed: %m\n");
>>> -	  return 1;
>>> -	}
>>> +	FAIL_EXIT1 ("vfork failed: %m");
>>>        else if (pid == 0)
>>>  	{
>>> -	  execvp ("script1.sh", argv);
>>> +	  execvp (script, argv);
>>>  	  _exit (errno);
>>>  	}
>>> +
>>>        int status;
>>>        if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid)
>>> -	{
>>> -	  puts ("waitpid failed");
>>> -	  return 1;
>>> -	}
>>> +	FAIL_EXIT1 ("waitpid failed");
>>>        else if (status != 0)
>>>  	{
>>>  	  if (WIFEXITED (status))
>>> -	    printf ("script1.sh failed with status %d\n",
>>> -		    WEXITSTATUS (status));
>>> +	    FAIL_EXIT1 ("%s failed with status %d\n", script,
>>> +			WEXITSTATUS (status));
>>>  	  else
>>> -	    printf ("script1.sh kill by signal %d\n",
>>> -		    WTERMSIG (status));
>>> -	  return 1;
>>> +	    FAIL_EXIT1 ("%s killed by signal %d\n", script,
>>> +			WTERMSIG (status));
>>>  	}
>>>      }
>>> +}
>>>  
>>> -  argv[0] = (char *) "script2.sh";
>>> -  argv[1] = (char *) "2";
>>> -  for (i = 0; i < 5; i++)
>>> +static int
>>> +do_test (void)
>>> +{
>>> +  mtrace ();
>>> +
>>> +  const char *path = getenv ("PATH");
>>> +  if (path == NULL)
>>> +    path = "/bin";
>>> +  char pathbuf[strlen (tmpdirname) + 1 + strlen (path) + 1];
>>> +  strcpy (stpcpy (stpcpy (pathbuf, tmpdirname), ":"), path);
>>> +  if (setenv ("PATH", pathbuf, 1) < 0)
>>>      {
>>> -      pid_t pid = vfork ();
>>> -      if (pid < 0)
>>> -	{
>>> -	  printf ("vfork failed: %m\n");
>>> -	  return 1;
>>> -	}
>>> -      else if (pid == 0)
>>> -	{
>>> -	  execvp ("script2.sh", argv);
>>> -	  _exit (errno);
>>> -	}
>>> -      int status;
>>> -      if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid)
>>> -	{
>>> -	  puts ("waitpid failed");
>>> -	  return 1;
>>> -	}
>>> -      else if (status != 0)
>>> -	{
>>> -	  printf ("script2.sh failed with status %d\n", status);
>>> -	  return 1;
>>> -	}
>>> +      puts ("setenv failed");
>>> +      return 1;
>>>      }
>>>  
>>> -  for (i = 0; i < 5; i++)
>>> +  char *argv00[] = { NULL };
>>> +  run_script ("script0.sh", argv00);
>>> +  char *argv01[] = { (char*) "script0.sh", NULL };
>>> +  run_script ("script0.sh", argv01);
>>> +
>>> +  char *argv1[] = { (char *) "script1.sh", (char *) "1", NULL };
>>> +  run_script ("script1.sh", argv1);
>>> +
>>> +  char *argv2[] = { (char *) "script2.sh", (char *) "2", NULL };
>>> +  run_script ("script2.sh", argv2);
>>> +
>>> +  /* Same as before but with execlp.  */
>>> +  for (size_t i = 0; i < 5; i++)
>>>      {
>>>        pid_t pid = vfork ();
>>>        if (pid < 0)
>>> @@ -137,87 +117,56 @@ do_test (void)
>>>      }
>>>  
>>>    unsetenv ("PATH");
>>> -  argv[0] = (char *) "echo";
>>> -  argv[1] = (char *) "script 4";
>>> -  for (i = 0; i < 5; i++)
>>> -    {
>>> -      pid_t pid = vfork ();
>>> -      if (pid < 0)
>>> -	{
>>> -	  printf ("vfork failed: %m\n");
>>> -	  return 1;
>>> -	}
>>> -      else if (pid == 0)
>>> -	{
>>> -	  execvp ("echo", argv);
>>> -	  _exit (errno);
>>> -	}
>>> -      int status;
>>> -      if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid)
>>> -	{
>>> -	  puts ("waitpid failed");
>>> -	  return 1;
>>> -	}
>>> -      else if (status != 0)
>>> -	{
>>> -	  printf ("echo failed with status %d\n", status);
>>> -	  return 1;
>>> -	}
>>> -    }
>>> +  char *argv4[] = { (char *) "echo", (char *) "script 4", NULL };
>>> +  run_script ("echo", argv4);
>>>  
>>>    return 0;
>>>  }
>>>  
>>>  static void
>>> +create_script (const char *script, const char *contents, size_t size)
>>> +{
>>> +  int fd = open (script, O_WRONLY | O_CREAT, 0700);
>>> +  if (fd < 0
>>> +      || TEMP_FAILURE_RETRY (write (fd, contents, size)) != size
>>> +      || fchmod (fd, S_IRUSR | S_IXUSR) < 0)
>>> +    FAIL_EXIT1 ("could not write %s\n", script);
>>> +  close (fd);
>>> +}
>>> +
>>> +static void
>>>  do_prepare (void)
>>>  {
>>>    size_t len = strlen (test_dir) + sizeof ("/tst-vfork3.XXXXXX");
>>>    tmpdirname = malloc (len);
>>> -  char *script1 = malloc (len + sizeof "/script1.sh");
>>> -  char *script2 = malloc (len + sizeof "/script2.sh");
>>> -  if (tmpdirname == NULL || script1 == NULL || script2 == NULL)
>>> -    {
>>> -      puts ("out of memory");
>>> -      exit (1);
>>> -    }
>>> +  if (tmpdirname == NULL)
>>> +    FAIL_EXIT1 ("out of memory");
>>>    strcpy (stpcpy (tmpdirname, test_dir), "/tst-vfork3.XXXXXX");
>>>  
>>>    tmpdirname = mkdtemp (tmpdirname);
>>>    if (tmpdirname == NULL)
>>> -    {
>>> -      puts ("could not create temporary directory");
>>> -      exit (1);
>>> -    }
>>> +    FAIL_EXIT1 ("could not create temporary directory");
>>> +
>>> +  char script0[len + sizeof "/script0.sh"];
>>> +  char script1[len + sizeof "/script1.sh"];
>>> +  char script2[len + sizeof "/script2.sh"];
>>>  
>>> +  strcpy (stpcpy (script0, tmpdirname), "/script0.sh");
>>>    strcpy (stpcpy (script1, tmpdirname), "/script1.sh");
>>>    strcpy (stpcpy (script2, tmpdirname), "/script2.sh");
>>>  
>>> -  /* Need to make sure tmpdirname is at the end of the linked list.  */
>>> +  add_temp_file (script0);
>>>    add_temp_file (script1);
>>> -  add_temp_file (tmpdirname);
>>>    add_temp_file (script2);
>>> +  /* Need to make sure tmpdirname is at the end of the linked list.  */
>>> +  add_temp_file (tmpdirname);
>>> +
>>> +  const char content0[] = "#!/bin/sh\necho empty\n";
>>> +  create_script (script0, content0, sizeof content0);
>>>  
>>>    const char content1[] = "#!/bin/sh\necho script $1\n";
>>> -  int fd = open (script1, O_WRONLY | O_CREAT, 0700);
>>> -  if (fd < 0
>>> -      || TEMP_FAILURE_RETRY (write (fd, content1, sizeof content1))
>>> -	 != sizeof content1
>>> -      || fchmod (fd, S_IRUSR | S_IXUSR) < 0)
>>> -    {
>>> -      printf ("Could not write %s\n", script1);
>>> -      exit (1);
>>> -    }
>>> -  close (fd);
>>> +  create_script (script1, content1, sizeof content1);
>>>  
>>>    const char content2[] = "echo script $1\n";
>>> -  fd = open (script2, O_WRONLY | O_CREAT, 0700);
>>> -  if (fd < 0
>>> -      || TEMP_FAILURE_RETRY (write (fd, content2, sizeof content2))
>>> -	 != sizeof content2
>>> -      || fchmod (fd, S_IRUSR | S_IXUSR) < 0)
>>> -    {
>>> -      printf ("Could not write %s\n", script2);
>>> -      exit (1);
>>> -    }
>>> -  close (fd);
>>> +  create_script (script2, content2, sizeof content2);
>>>  }
>>>
References:
- Re: [PATCH v3] Fix writes past the allocated array bounds in execvpe (BZ#20847)
  - From: Adhemerval Zanella
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]