From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: Frank Busse Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 26 Mar 2021 15:40:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 47412@debbugs.gnu.org X-Debbugs-Original-To: bug-coreutils@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.161677316628967 (code B ref -1); Fri, 26 Mar 2021 15:40:02 +0000 Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 15:39:26 +0000 Received: from localhost ([127.0.0.1]:42255 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPoYW-0007X8-Qx for submit@debbugs.gnu.org; Fri, 26 Mar 2021 11:39:26 -0400 Received: from lists.gnu.org ([209.51.188.17]:46962) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPnwz-0006Yt-Ns for submit@debbugs.gnu.org; Fri, 26 Mar 2021 11:00:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36436) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPnww-0002Qr-0a for bug-coreutils@gnu.org; Fri, 26 Mar 2021 11:00:35 -0400 Received: from smtphub2.cc.ic.ac.uk ([2a0c:5bc0:88:101::47]:50391) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPnwr-0004wk-S2 for bug-coreutils@gnu.org; Fri, 26 Mar 2021 11:00:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=imperial.ac.uk; s=main01; h=MIME-Version:Content-Transfer-Encoding: Content-Type:Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=iVCxi9kkPj1ruC1yibKbEN0RR7 dlMH4BfEnCXNBV/Ybs4eD/pUhwP49JEKx4RMzwsh57QNoeM1biKasZEk0n4FWmxXE2ITMvN/tMFal KKaVDQIu8kdvPEun8sB5WIonuvgVtHPChlaCOTOd23lUmNwgAcO46Hdv5ETto6dGu6fg=; Received: from mail-he1eur01lp0201.outbound.protection.outlook.com ([2a01:111:f400:7e1f::201] helo=EUR01-HE1-obe.outbound.protection.outlook.com) by smtphub2.cc.ic.ac.uk with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from ) id 1lPnwk-00020f-Hm for bug-coreutils@gnu.org; Fri, 26 Mar 2021 15:00:22 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dFy1TtiE1Q5+ccdWIXwzUV1vKQZSBE3X+LqwiCbcGM0z/w2KcUL08iyZlW3d5tJoZHtxQk/eCOiIFQETScsHQ9IzOzn7MT2G+afPZRHA83F8/bYJzq6iclLUUAqz14tR2sN9zMFKXhJLV1e1iDU/hMuXZf9YqmcxIzG6B+6IZqoiXpMxHVCSLz05TFYbDB/JCMyuce4cqBffnDao5/KLM+bTt4jTxlQBNjskfIAfClIVLECCuBzixPrIANJmFbR49zyQg5L1m/Ba5ikfxcOUJIPLLdIk+lTVZ/LGvRk3T7G1fk/ucVyFr37Gh0B1dnZawec69uStu7riFrpnkXtkOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=B+Ys2tJr6Y0hveOIrPD5vSDGH9zdEm7xNoa7gejiNWujx4ohSJ24zQW1hTiQMxjiWqAIHV/xmedj/IZgNyQ2P2P7PRumYp6g7G8iR4AEWbhwg+XrT4IJyvc1gAH1yaQMDLcJOuP9DlqQb2qWEWEhojoRD1C6p7anL5dmOdRHeZb3MhcxxYXHsC+JlzmAP2lb4NWCZ9wFPehACbW+LACBb66S/G9KpFylkx0k+FIahp9q9DUJDp4j0MobBEM/gSsRfFtuJNbnXWXsQ8WsdWxJEw7gmg/EJOs9yY/I2MOoVGN7w7akmQtMnTVHm+aKMyKV0146tooHx1MVRKKxfdjupA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=imperial.ac.uk; dmarc=pass action=none header.from=imperial.ac.uk; dkim=pass header.d=imperial.ac.uk; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ImperialLondon.onmicrosoft.com; s=selector2-ImperialLondon-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=HMh4Gbs/lqYdlKyCico//ntpXssPoYT/HmxFMHQhqp5SDb+A1OaGP3c/LcpBkuDm9NkBqXiosgsmw0vLff2kp0Y8RxvLBR94+s8ud14TcLmF82Az2NkDWhs0WnpcAiux0PKPE8WdF/E95wuxRg2g3a4bobNjEJT0ako/Qkw4n1g= Authentication-Results: gnu.org; dkim=none (message not signed) header.d=none;gnu.org; dmarc=none action=none header.from=imperial.ac.uk; Received: from VI1PR0601MB2653.eurprd06.prod.outlook.com (2603:10a6:800:85::14) by VI1PR0601MB2399.eurprd06.prod.outlook.com (2603:10a6:801:9::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3977.25; Fri, 26 Mar 2021 15:00:21 +0000 Received: from VI1PR0601MB2653.eurprd06.prod.outlook.com ([fe80::207c:2af6:cb62:2dd2]) by VI1PR0601MB2653.eurprd06.prod.outlook.com ([fe80::207c:2af6:cb62:2dd2%12]) with mapi id 15.20.3977.029; Fri, 26 Mar 2021 15:00:20 +0000 Date: Fri, 26 Mar 2021 15:00:17 +0000 From: Frank Busse Message-ID: <20210326150017.2a2dbc5c@haengemotte.localdomain> Organization: Imperial College London X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Originating-IP: [5.71.73.112] X-ClientProxiedBy: LNXP265CA0072.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::36) To VI1PR0601MB2653.eurprd06.prod.outlook.com (2603:10a6:800:85::14) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from haengemotte.localdomain (5.71.73.112) by LNXP265CA0072.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.24 via Frontend Transport; Fri, 26 Mar 2021 15:00:20 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: bee0e2a6-65f3-447b-dd78-08d8f067e01a X-MS-TrafficTypeDiagnostic: VI1PR0601MB2399: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1775; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: +glDGw0EC61+rBo/5eXYczk63+Hs7LEhhcNmEiU4rGp3xk1fgP/h6os31mhTck7kLkEx4IeRa++F3PgOieTFCetSPp4JElYZLQP6mnEErJ6SLpaaUAoDZr9a9wIP40wajjHx8Kn1HTti6lpVvQtGbao3u5bMg79ahKz+U5M4jfd97jKnh6/nsG18t33Usb6mg2vuAi3fjLUxq/ePsia1sjZDLLqCmYsVHHZKYYn1LqfTxQqJ0c4rNrYI7sXpqb4JULTSfglmbuKoHv2Qj63LcP7c13+xaAgI9X9k+ZsjaOBgc9R6TvdHj8DV4LznzICSsFi3O1uzoygfx26jBWa25Ur3+T34T3QNfDX8az75oGKa+4zg3nti5f7YyCcWBq5HFbaUoMdYN96Qnz2ToQ0ub915gzpnuYu73/BY5eRdHrOtlHJ5SXxoLrSb/MZJT8z12TZGfXjtkSKGGVqnlfMQdW4Y7OyFTZ7JIzKmZdcTS5pMj9h713fECsU6d75fX7AfxR3Trrg/QPAvMOOy91yz1wtJfOG9HcTxDJXQbj4hy8ZcnOKc3I/HURY297rkcOh9xW/PLpOcBa9MUfI9I/VDO619OuZ0Ev8HixHj5uefF61ckg/bKVjsWzfh7XAfyZYj52k+GHO9YjAzMFDDT01jWg== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR0601MB2653.eurprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(346002)(376002)(136003)(396003)(16526019)(9686003)(316002)(5660300002)(8936002)(26005)(186003)(786003)(7696005)(55016002)(52116002)(36916002)(38100700001)(7116003)(66476007)(2906002)(6916009)(6506007)(66556008)(6666004)(956004)(8676002)(66946007)(478600001)(1076003); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData: ajXqSv9eXarEkiO/QUIfWcqab6sLRSyr/tRa8ryAd8TbTaufca+0pHFXOAfeizS4hXJr5vpMS/CDvEllwkkKnCnaPtQxpTXoFdMp3c4hBmm0fXhAdYWQilA50WgLlxoWxFqRqj5zbsKNf+8tgQaL1AFTP600jCFa/r9RdqWfv3jIzVHPIp7eCv8K11R3ePIBKz79DB9aRJ5RtISLxLdt5R5wczuRTV3kNnDie4Q+zxLVkoQjxKwuIefBGF7PYx96jNBSjQ2ox6vh1VoSkjSqviYKcyuuP5YRSj52+JatsPf7NesDhXIQ3i7zLnGm+IcSrdbKn6m57a9prCpu2DBC2e2PVt6LULfS3OVKrHFDtdfNZ0wl8DJirUaQGoZCaSu8rQ12WFRZXfkTTFDtvib6qwFxiZ3cOlHc5vfLUmekPZFFRiPEaIFmTSFLM7Q+n0wWTef0Z2IUSyC7bOUX5d+dZeTMcRzSkpoEaR8lwyFDhF4YWIwfEsP6cuYDX2CfOECnvh9e3KuXhHMSkzDFKpdMEEsElckkhOlcORR4/exywVC1IibFwgoCu3LbCjRUep9MwWBmFcYkP6HX25LZ6EzAQ9DcfA5O8423L7yL3DY4WV1qlLO8HWe7/Dv2XSIjV9nOtGzYfVfC7IWQ49gnRS9N99qVV7EaTbz5Fbp0kLOt/rm7Jzmxpofv4hPGLVUmSCH/OvF7F+YDwgdQV8O2ZbymgMUVxVWmeFtYN/Kc1iLFSdUBsCTRFyeQUaWcciMb3VvXqez8HN+Ietu0pjN6vnf7QtnVUVRlVRQSwH3ipojSNrRt8L/eQiPxghmT+ExCyHFP/mH9QZ7q6zUV9efdfLQTE+4N3M7LDyYKlH/F0Wb4YlmNabAt7sKSG5QWN00/FA5YQdXkoq8L3+19fhvDTIji4/myddxMHxZ841w9fCT97vC5Hp9bcGBf7rik+5vhSt3pqItj1xWy1zxBX0fBGYZGsgmesuEf11zWUewb1i7JesYep05n7AzTF/pghul7SEtqrIVjz9CxOmWqaXLC4zi9Gk7NMMNawBjRSo4JDFPBBPKVhOGLZfVG0ZwD0vKDTJL3a7m7JnHJ5RWz5HjzUE+OW0ITJHjRm4UUcHVdgjdJbJfi1pY0UNYgw0gDG3ySvc43UPKIp0d/DnHIDgRvlG682XLhtzALgagMP6C01fLvuIczdt+Rt6R7BMQA2b6AApf1DNJQXyirKj063Pm21oXjms6iIAEuZM6IhDIcKz6VrHEk2RzW0Pp4a/V4oaxxkwoR92sNsvaoKhTT4AtNEw21/xuKXH4viE7d5kQiPlxhX+i7td0T4aUokLei60V9Z1SB X-OriginatorOrg: imperial.ac.uk X-MS-Exchange-CrossTenant-Network-Message-Id: bee0e2a6-65f3-447b-dd78-08d8f067e01a X-MS-Exchange-CrossTenant-AuthSource: VI1PR0601MB2653.eurprd06.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Mar 2021 15:00:20.7238 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 2b897507-ee8c-4575-830b-4f8267c3d307 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 1bDxlLhJm7Y9ubFhpEttn0QwNhZiO+ow4QICs347e/wCqbMh5kTQpDnEcSFLnZXV X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0601MB2399 X-IC-MsgID: 1lPnwk-00020f-Hm Received-SPF: pass client-ip=2a0c:5bc0:88:101::47; envelope-from=f.busse17@imperial.ac.uk; helo=smtphub2.cc.ic.ac.uk X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Mailman-Approved-At: Fri, 26 Mar 2021 11:39:22 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Hi, env crashes for some nonsensical command line arguments (reported by KLEE), e.g.: --- > python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')" ================================================================= ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0 WRITE of size 8 at 0x603000000028 thread T0 #0 0x562e1cc10789 in build_argv src/env.c:511 #1 0x562e1cc10982 in parse_split_string src/env.c:548 #2 0x562e1cc127bc in main src/env.c:849 #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d) 0x603000000028 is located 0 bytes to the right of 24-byte region [0x603000000010,0x603000000028) allocated by thread T0 here: #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41 #2 0x562e1cc0ff54 in build_argv src/env.c:404 #3 0x562e1cc10982 in parse_split_string src/env.c:548 #4 0x562e1cc127bc in main src/env.c:849 #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv --- or --- > python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff \r\x0b\t\x0b-')" ================================================================= ==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30 WRITE of size 8 at 0x603000000030 thread T0 #0 0x558213728789 in build_argv src/env.c:511 #1 0x558213728982 in parse_split_string src/env.c:548 #2 0x55821372a7bc in main src/env.c:849 #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d) 0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030) allocated by thread T0 here: #0 0x7f5b0611d459 in __interceptor_malloc/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x558213731463 in xmalloc lib/xmalloc.c:41 #2 0x558213727f54 in build_argv src/env.c:404 #3 0x558213728982 in parse_split_string src/env.c:548 #4 0x55821372a7bc in main src/env.c:849 #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv --- Version: 8.32 Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux --without-gmp --disable-acl --disable-largefile --disable-libsmack --disable-xattr --disable-libcap --disable-nls Kind regards, Frank From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: =?UTF-8?Q?P=C3=A1draig?= Brady Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 26 Mar 2021 20:14:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Frank Busse , 47412@debbugs.gnu.org Received: via spool by 47412-submit@debbugs.gnu.org id=B47412.16167895836106 (code B ref 47412); Fri, 26 Mar 2021 20:14:02 +0000 Received: (at 47412) by debbugs.gnu.org; 26 Mar 2021 20:13:03 +0000 Received: from localhost ([127.0.0.1]:42570 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPspK-0001aN-PO for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:13:02 -0400 Received: from mail-wr1-f43.google.com ([209.85.221.43]:40719) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPspJ-0001Zh-S6 for 47412@debbugs.gnu.org; Fri, 26 Mar 2021 16:13:02 -0400 Received: by mail-wr1-f43.google.com with SMTP id v11so6768936wro.7 for <47412@debbugs.gnu.org>; Fri, 26 Mar 2021 13:13:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=nGGYGG9osRVx4DZHQUc221hSqztI3KbTHNB4imcI8Z4=; b=nli94MTAcUx6FtBwGhfsiEFbbcKmjPmFjPLuo7V0DY9EKbqtZkb79rhQ8lBvkfICca 7N0ux/OzrIoctuqLb7CzTGduaPK+/SoF6GqWVb0Bg6HaWXM51baPODFuA1LFSCn8z1se cpK4d6IOJkXhA39ittyAUo4Mcb3OzGQpINHnyxX5zTAbD4BEpMt3Ev6Qx4Zh7B3afvhz 8Dq4yykHfS1jbL0M6k87Yh4/GqV0jJFlt0Hq/558Dlgs3gNxBkpULZHL9HK0BSMCIyjO oEXDXPznuNL79r0hYJ0Jj49ol2gbtBQsrEhGWyGbTxTjkZ/egwaPEm1flSfD6G5UsYwz sDzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=nGGYGG9osRVx4DZHQUc221hSqztI3KbTHNB4imcI8Z4=; b=DktkVpRpeuxRb/QdU3gXH7yPWKVcvxy8aiWsowaddE0n/r4GiN3Ea/mJsn+v9aDiS4 AUhHvCjrpJOLSqEwFegDLfgVehsVl6KoogDZKS+zpcajNWXsabwyH7aUbswJgEsGeGPj ak6Ga5Uy42s9ihC8eumD5RNJ4k8EwJd2EKRM7v1qdE4gdIeu2fzp9hTCrW5toVuIVV+R ib4ft6ZoJss3HKEqFwJJYmxD4M9pg427VfyLcQD09iJKB6HY3szUxMndxyuxjrgeoxCm adGJxlKtEJrJvQI2cuN1reR4CZ17c+nSeNc37i3uvEYLtYVBsU+U+mo+tvgIRm91Tw4z RyEw== X-Gm-Message-State: AOAM532BrT9YXQNTHzVHI2S2PzTW0lsI8bEB4wNQFgMRZIYzJZS0J4FT 31SboLxGizcmrxgl1aWpez40fQtQTz5E4w== X-Google-Smtp-Source: ABdhPJzpnHyUkoZPMvWqmN/iVeTK/7XTR4rZC5lGAA8Y8mUE1N9BKndbNjUYzwtI4AY0r9BodyuYXw== X-Received: by 2002:adf:e5cd:: with SMTP id a13mr15661407wrn.65.1616789575937; Fri, 26 Mar 2021 13:12:55 -0700 (PDT) Received: from localhost.localdomain (86-42-14-227-dynamic.agg2.lod.rsl-rtd.eircom.net. [86.42.14.227]) by smtp.googlemail.com with UTF8SMTPSA id l6sm13165486wrt.56.2021.03.26.13.12.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 26 Mar 2021 13:12:55 -0700 (PDT) References: <20210326150017.2a2dbc5c@haengemotte.localdomain> From: =?UTF-8?Q?P=C3=A1draig?= Brady Message-ID: Date: Fri, 26 Mar 2021 20:12:53 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Thunderbird/84.0 MIME-Version: 1.0 In-Reply-To: <20210326150017.2a2dbc5c@haengemotte.localdomain> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Score: 0.5 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.5 (/) On 26/03/2021 15:00, Frank Busse wrote: > Hi, > > > env crashes for some nonsensical command line arguments (reported by > KLEE), e.g.: > > --- >> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')" > > ================================================================= > ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0 > WRITE of size 8 at 0x603000000028 thread T0 > #0 0x562e1cc10789 in build_argv src/env.c:511 > #1 0x562e1cc10982 in parse_split_string src/env.c:548 > #2 0x562e1cc127bc in main src/env.c:849 > #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) > #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d) > > 0x603000000028 is located 0 bytes to the right of 24-byte region > [0x603000000010,0x603000000028) > allocated by thread T0 here: > #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 > #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41 > #2 0x562e1cc0ff54 in build_argv src/env.c:404 > #3 0x562e1cc10982 in parse_split_string src/env.c:548 > #4 0x562e1cc127bc in main src/env.c:849 > #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) Confirmed on an ASAN build of the latest source. I'll fix it up. thanks! Pádraig From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 26 Mar 2021 20:50:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: =?UTF-8?Q?P=C3=A1draig?= Brady , Frank Busse , 47412@debbugs.gnu.org Received: via spool by 47412-submit@debbugs.gnu.org id=B47412.16167917739679 (code B ref 47412); Fri, 26 Mar 2021 20:50:02 +0000 Received: (at 47412) by debbugs.gnu.org; 26 Mar 2021 20:49:33 +0000 Received: from localhost ([127.0.0.1]:42634 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtOf-0002W3-CM for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:49:33 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:45566) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtOd-0002Vo-LW for 47412@debbugs.gnu.org; Fri, 26 Mar 2021 16:49:32 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 7D024160075; Fri, 26 Mar 2021 13:49:25 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id 9ddudg7hqMOS; Fri, 26 Mar 2021 13:49:24 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id DB078160099; Fri, 26 Mar 2021 13:49:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id j41SzQel5zyW; Fri, 26 Mar 2021 13:49:24 -0700 (PDT) Received: from [192.168.1.9] (cpe-23-243-218-95.socal.res.rr.com [23.243.218.95]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id B6D5A160075; Fri, 26 Mar 2021 13:49:24 -0700 (PDT) References: <20210326150017.2a2dbc5c@haengemotte.localdomain> From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: Date: Fri, 26 Mar 2021 13:49:24 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) On 3/26/21 1:12 PM, P=C3=A1draig Brady wrote: > I'll fix it up. I've got a fix. My goodness, that part of the code is messy. From unknown Tue Jun 17 21:56:28 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Frank Busse Subject: bug#47412: closed (Re: bug#47412: env: fragile argument parsing) Message-ID: References: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> <20210326150017.2a2dbc5c@haengemotte.localdomain> X-Gnu-PR-Message: they-closed 47412 X-Gnu-PR-Package: coreutils Reply-To: 47412@debbugs.gnu.org Date: Fri, 26 Mar 2021 20:53:01 +0000 Content-Type: multipart/mixed; boundary="----------=_1616791981-9991-1" This is a multi-part message in MIME format... ------------=_1616791981-9991-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #47412: env: fragile argument parsing which was filed against the coreutils package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 47412@debbugs.gnu.org. --=20 47412: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D47412 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1616791981-9991-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 47412-done) by debbugs.gnu.org; 26 Mar 2021 20:52:51 +0000 Received: from localhost ([127.0.0.1]:42638 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtRq-0002al-TQ for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:52:51 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:45904) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtRo-0002aU-3Z for 47412-done@debbugs.gnu.org; Fri, 26 Mar 2021 16:52:49 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 9F8C0160075; Fri, 26 Mar 2021 13:52:41 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id KTfOipRLmMuj; Fri, 26 Mar 2021 13:52:40 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id B42A416008D; Fri, 26 Mar 2021 13:52:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3mAy2sC-kOGC; Fri, 26 Mar 2021 13:52:40 -0700 (PDT) Received: from [192.168.1.9] (cpe-23-243-218-95.socal.res.rr.com [23.243.218.95]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 8CE7A160075; Fri, 26 Mar 2021 13:52:40 -0700 (PDT) Subject: Re: bug#47412: env: fragile argument parsing To: Frank Busse References: <20210326150017.2a2dbc5c@haengemotte.localdomain> From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> Date: Fri, 26 Mar 2021 13:52:40 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: <20210326150017.2a2dbc5c@haengemotte.localdomain> Content-Type: multipart/mixed; boundary="------------B06D680281AD30B05E4CECFE" Content-Language: en-US X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 47412-done Cc: 47412-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) This is a multi-part message in MIME format. --------------B06D680281AD30B05E4CECFE Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Thanks for the bug report. I installed the attached to fix it and am closing the report. --------------B06D680281AD30B05E4CECFE Content-Type: text/x-patch; charset=UTF-8; name="0001-env-fix-address-violation-with-v-in-S.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0001-env-fix-address-violation-with-v-in-S.patch" >From 6dd466eda6fa3f1f7d2a9474ec926ccd2ede98e9 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Fri, 26 Mar 2021 13:49:49 -0700 Subject: [PATCH] env: fix address violation with '\v' in -S Problem reported by Frank Busse (Bug#47412). * src/env.c (C_ISSPACE_CHARS): New macro. (shortopts, build_argv, main): Treate all C-locale space characters like space and tab, for compatibility with FreeBSD. (validate_split_str, build_argv, parse_split_string): Use the C locale, not the current locale, to determine whether a byte is a space character. --- src/env.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/env.c b/src/env.c index ba9da1113..e13a312cd 100644 --- a/src/env.c +++ b/src/env.c @@ -73,7 +73,10 @@ static bool sig_mask_changed; /* Whether to list non default handling. */ static bool report_signal_handling; -static char const shortopts[] = "+C:iS:u:v0 \t"; +/* isspace characters in the C locale. */ +#define C_ISSPACE_CHARS " \t\n\v\f\r" + +static char const shortopts[] = "+C:iS:u:v0" C_ISSPACE_CHARS; /* For long options that have no equivalent short option, use a non-character as a pseudo short option, starting with CHAR_MAX + 1. */ @@ -277,7 +280,7 @@ validate_split_str (const char* str, size_t* /*out*/ bufsize, size_t buflen; int cnt = 1; - assert (str && str[0] && !isspace (str[0])); /* LCOV_EXCL_LINE */ + assert (str && str[0] && !c_isspace (str[0])); /* LCOV_EXCL_LINE */ dq = sq = sp = false; buflen = strlen (str)+1; @@ -286,7 +289,7 @@ validate_split_str (const char* str, size_t* /*out*/ bufsize, { const char next = *(str+1); - if (isspace (*str) && !dq && !sq) + if (c_isspace (*str) && !dq && !sq) { sp = true; } @@ -392,7 +395,7 @@ build_argv (const char* str, int extra_argc) } \ } while (0) - assert (str && str[0] && !isspace (str[0])); /* LCOV_EXCL_LINE */ + assert (str && str[0] && !c_isspace (str[0])); /* LCOV_EXCL_LINE */ validate_split_str (str, &buflen, &newargc); @@ -433,13 +436,12 @@ build_argv (const char* str, int extra_argc) ++str; continue; - case ' ': - case '\t': - /* space/tab outside quotes starts a new argument. */ + case ' ': case '\t': case '\n': case '\v': case '\f': case '\r': + /* Start a new argument if outside quotes. */ if (sq || dq) break; sep = true; - str += strspn (str, " \t"); /* skip whitespace. */ + str += strspn (str, C_ISSPACE_CHARS); continue; case '#': @@ -540,7 +542,7 @@ parse_split_string (const char* str, int /*out*/ *orig_optind, char **newargv, **nextargv; - while (isspace (*str)) + while (c_isspace (*str)) str++; if (*str == '\0') return; @@ -848,8 +850,7 @@ main (int argc, char **argv) case 'S': parse_split_string (optarg, &optind, &argc, &argv); break; - case ' ': - case '\t': + case ' ': case '\t': case '\n': case '\v': case '\f': case '\r': /* These are undocumented options. Attempt to detect incorrect shebang usage with extraneous space, e.g.: #!/usr/bin/env -i command -- 2.30.2 --------------B06D680281AD30B05E4CECFE-- ------------=_1616791981-9991-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 15:39:26 +0000 Received: from localhost ([127.0.0.1]:42255 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPoYW-0007X8-Qx for submit@debbugs.gnu.org; Fri, 26 Mar 2021 11:39:26 -0400 Received: from lists.gnu.org ([209.51.188.17]:46962) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPnwz-0006Yt-Ns for submit@debbugs.gnu.org; Fri, 26 Mar 2021 11:00:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36436) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPnww-0002Qr-0a for bug-coreutils@gnu.org; Fri, 26 Mar 2021 11:00:35 -0400 Received: from smtphub2.cc.ic.ac.uk ([2a0c:5bc0:88:101::47]:50391) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPnwr-0004wk-S2 for bug-coreutils@gnu.org; Fri, 26 Mar 2021 11:00:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=imperial.ac.uk; s=main01; h=MIME-Version:Content-Transfer-Encoding: Content-Type:Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=iVCxi9kkPj1ruC1yibKbEN0RR7 dlMH4BfEnCXNBV/Ybs4eD/pUhwP49JEKx4RMzwsh57QNoeM1biKasZEk0n4FWmxXE2ITMvN/tMFal KKaVDQIu8kdvPEun8sB5WIonuvgVtHPChlaCOTOd23lUmNwgAcO46Hdv5ETto6dGu6fg=; Received: from mail-he1eur01lp0201.outbound.protection.outlook.com ([2a01:111:f400:7e1f::201] helo=EUR01-HE1-obe.outbound.protection.outlook.com) by smtphub2.cc.ic.ac.uk with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from ) id 1lPnwk-00020f-Hm for bug-coreutils@gnu.org; Fri, 26 Mar 2021 15:00:22 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dFy1TtiE1Q5+ccdWIXwzUV1vKQZSBE3X+LqwiCbcGM0z/w2KcUL08iyZlW3d5tJoZHtxQk/eCOiIFQETScsHQ9IzOzn7MT2G+afPZRHA83F8/bYJzq6iclLUUAqz14tR2sN9zMFKXhJLV1e1iDU/hMuXZf9YqmcxIzG6B+6IZqoiXpMxHVCSLz05TFYbDB/JCMyuce4cqBffnDao5/KLM+bTt4jTxlQBNjskfIAfClIVLECCuBzixPrIANJmFbR49zyQg5L1m/Ba5ikfxcOUJIPLLdIk+lTVZ/LGvRk3T7G1fk/ucVyFr37Gh0B1dnZawec69uStu7riFrpnkXtkOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=B+Ys2tJr6Y0hveOIrPD5vSDGH9zdEm7xNoa7gejiNWujx4ohSJ24zQW1hTiQMxjiWqAIHV/xmedj/IZgNyQ2P2P7PRumYp6g7G8iR4AEWbhwg+XrT4IJyvc1gAH1yaQMDLcJOuP9DlqQb2qWEWEhojoRD1C6p7anL5dmOdRHeZb3MhcxxYXHsC+JlzmAP2lb4NWCZ9wFPehACbW+LACBb66S/G9KpFylkx0k+FIahp9q9DUJDp4j0MobBEM/gSsRfFtuJNbnXWXsQ8WsdWxJEw7gmg/EJOs9yY/I2MOoVGN7w7akmQtMnTVHm+aKMyKV0146tooHx1MVRKKxfdjupA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=imperial.ac.uk; dmarc=pass action=none header.from=imperial.ac.uk; dkim=pass header.d=imperial.ac.uk; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ImperialLondon.onmicrosoft.com; s=selector2-ImperialLondon-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=enmPyWMp6wyHDnyldKhhtOG3vvsQRIbm7VgszP+pbgs=; b=HMh4Gbs/lqYdlKyCico//ntpXssPoYT/HmxFMHQhqp5SDb+A1OaGP3c/LcpBkuDm9NkBqXiosgsmw0vLff2kp0Y8RxvLBR94+s8ud14TcLmF82Az2NkDWhs0WnpcAiux0PKPE8WdF/E95wuxRg2g3a4bobNjEJT0ako/Qkw4n1g= Authentication-Results: gnu.org; dkim=none (message not signed) header.d=none;gnu.org; dmarc=none action=none header.from=imperial.ac.uk; Received: from VI1PR0601MB2653.eurprd06.prod.outlook.com (2603:10a6:800:85::14) by VI1PR0601MB2399.eurprd06.prod.outlook.com (2603:10a6:801:9::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3977.25; Fri, 26 Mar 2021 15:00:21 +0000 Received: from VI1PR0601MB2653.eurprd06.prod.outlook.com ([fe80::207c:2af6:cb62:2dd2]) by VI1PR0601MB2653.eurprd06.prod.outlook.com ([fe80::207c:2af6:cb62:2dd2%12]) with mapi id 15.20.3977.029; Fri, 26 Mar 2021 15:00:20 +0000 Date: Fri, 26 Mar 2021 15:00:17 +0000 From: Frank Busse To: bug-coreutils@gnu.org Subject: env: fragile argument parsing Message-ID: <20210326150017.2a2dbc5c@haengemotte.localdomain> Organization: Imperial College London X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Originating-IP: [5.71.73.112] X-ClientProxiedBy: LNXP265CA0072.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::36) To VI1PR0601MB2653.eurprd06.prod.outlook.com (2603:10a6:800:85::14) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from haengemotte.localdomain (5.71.73.112) by LNXP265CA0072.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.24 via Frontend Transport; Fri, 26 Mar 2021 15:00:20 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: bee0e2a6-65f3-447b-dd78-08d8f067e01a X-MS-TrafficTypeDiagnostic: VI1PR0601MB2399: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1775; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: +glDGw0EC61+rBo/5eXYczk63+Hs7LEhhcNmEiU4rGp3xk1fgP/h6os31mhTck7kLkEx4IeRa++F3PgOieTFCetSPp4JElYZLQP6mnEErJ6SLpaaUAoDZr9a9wIP40wajjHx8Kn1HTti6lpVvQtGbao3u5bMg79ahKz+U5M4jfd97jKnh6/nsG18t33Usb6mg2vuAi3fjLUxq/ePsia1sjZDLLqCmYsVHHZKYYn1LqfTxQqJ0c4rNrYI7sXpqb4JULTSfglmbuKoHv2Qj63LcP7c13+xaAgI9X9k+ZsjaOBgc9R6TvdHj8DV4LznzICSsFi3O1uzoygfx26jBWa25Ur3+T34T3QNfDX8az75oGKa+4zg3nti5f7YyCcWBq5HFbaUoMdYN96Qnz2ToQ0ub915gzpnuYu73/BY5eRdHrOtlHJ5SXxoLrSb/MZJT8z12TZGfXjtkSKGGVqnlfMQdW4Y7OyFTZ7JIzKmZdcTS5pMj9h713fECsU6d75fX7AfxR3Trrg/QPAvMOOy91yz1wtJfOG9HcTxDJXQbj4hy8ZcnOKc3I/HURY297rkcOh9xW/PLpOcBa9MUfI9I/VDO619OuZ0Ev8HixHj5uefF61ckg/bKVjsWzfh7XAfyZYj52k+GHO9YjAzMFDDT01jWg== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR0601MB2653.eurprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(346002)(376002)(136003)(396003)(16526019)(9686003)(316002)(5660300002)(8936002)(26005)(186003)(786003)(7696005)(55016002)(52116002)(36916002)(38100700001)(7116003)(66476007)(2906002)(6916009)(6506007)(66556008)(6666004)(956004)(8676002)(66946007)(478600001)(1076003); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?ajXqSv9eXarEkiO/QUIfWcqab6sLRSyr/tRa8ryAd8TbTaufca+0pHFXOAfe?= =?us-ascii?Q?izS4hXJr5vpMS/CDvEllwkkKnCnaPtQxpTXoFdMp3c4hBmm0fXhAdYWQilA5?= =?us-ascii?Q?0WgLlxoWxFqRqj5zbsKNf+8tgQaL1AFTP600jCFa/r9RdqWfv3jIzVHPIp7e?= =?us-ascii?Q?Cv8K11R3ePIBKz79DB9aRJ5RtISLxLdt5R5wczuRTV3kNnDie4Q+zxLVkoQj?= =?us-ascii?Q?xKwuIefBGF7PYx96jNBSjQ2ox6vh1VoSkjSqviYKcyuuP5YRSj52+JatsPf7?= =?us-ascii?Q?NesDhXIQ3i7zLnGm+IcSrdbKn6m57a9prCpu2DBC2e2PVt6LULfS3OVKrHFD?= =?us-ascii?Q?tdfNZ0wl8DJirUaQGoZCaSu8rQ12WFRZXfkTTFDtvib6qwFxiZ3cOlHc5vfL?= =?us-ascii?Q?UmekPZFFRiPEaIFmTSFLM7Q+n0wWTef0Z2IUSyC7bOUX5d+dZeTMcRzSkpoE?= =?us-ascii?Q?aR8lwyFDhF4YWIwfEsP6cuYDX2CfOECnvh9e3KuXhHMSkzDFKpdMEEsElckk?= =?us-ascii?Q?hOlcORR4/exywVC1IibFwgoCu3LbCjRUep9MwWBmFcYkP6HX25LZ6EzAQ9Dc?= =?us-ascii?Q?fA5O8423L7yL3DY4WV1qlLO8HWe7/Dv2XSIjV9nOtGzYfVfC7IWQ49gnRS9N?= =?us-ascii?Q?99qVV7EaTbz5Fbp0kLOt/rm7Jzmxpofv4hPGLVUmSCH/OvF7F+YDwgdQV8O2?= =?us-ascii?Q?ZbymgMUVxVWmeFtYN/Kc1iLFSdUBsCTRFyeQUaWcciMb3VvXqez8HN+Ietu0?= =?us-ascii?Q?pjN6vnf7QtnVUVRlVRQSwH3ipojSNrRt8L/eQiPxghmT+ExCyHFP/mH9QZ7q?= =?us-ascii?Q?6zUV9efdfLQTE+4N3M7LDyYKlH/F0Wb4YlmNabAt7sKSG5QWN00/FA5YQdXk?= =?us-ascii?Q?oq8L3+19fhvDTIji4/myddxMHxZ841w9fCT97vC5Hp9bcGBf7rik+5vhSt3p?= =?us-ascii?Q?qItj1xWy1zxBX0fBGYZGsgmesuEf11zWUewb1i7JesYep05n7AzTF/pghul7?= =?us-ascii?Q?SEtqrIVjz9CxOmWqaXLC4zi9Gk7NMMNawBjRSo4JDFPBBPKVhOGLZfVG0ZwD?= =?us-ascii?Q?0vKDTJL3a7m7JnHJ5RWz5HjzUE+OW0ITJHjRm4UUcHVdgjdJbJfi1pY0UNYg?= =?us-ascii?Q?w0gDG3ySvc43UPKIp0d/DnHIDgRvlG682XLhtzALgagMP6C01fLvuIczdt+R?= =?us-ascii?Q?t6R7BMQA2b6AApf1DNJQXyirKj063Pm21oXjms6iIAEuZM6IhDIcKz6VrHEk?= =?us-ascii?Q?2RzW0Pp4a/V4oaxxkwoR92sNsvaoKhTT4AtNEw21/xuKXH4viE7d5kQiPlxh?= =?us-ascii?Q?X+i7td0T4aUokLei60V9Z1SB?= X-OriginatorOrg: imperial.ac.uk X-MS-Exchange-CrossTenant-Network-Message-Id: bee0e2a6-65f3-447b-dd78-08d8f067e01a X-MS-Exchange-CrossTenant-AuthSource: VI1PR0601MB2653.eurprd06.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Mar 2021 15:00:20.7238 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 2b897507-ee8c-4575-830b-4f8267c3d307 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 1bDxlLhJm7Y9ubFhpEttn0QwNhZiO+ow4QICs347e/wCqbMh5kTQpDnEcSFLnZXV X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0601MB2399 X-IC-MsgID: 1lPnwk-00020f-Hm Received-SPF: pass client-ip=2a0c:5bc0:88:101::47; envelope-from=f.busse17@imperial.ac.uk; helo=smtphub2.cc.ic.ac.uk X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Fri, 26 Mar 2021 11:39:22 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Hi, env crashes for some nonsensical command line arguments (reported by KLEE), e.g.: --- > python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')" ================================================================= ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0 WRITE of size 8 at 0x603000000028 thread T0 #0 0x562e1cc10789 in build_argv src/env.c:511 #1 0x562e1cc10982 in parse_split_string src/env.c:548 #2 0x562e1cc127bc in main src/env.c:849 #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d) 0x603000000028 is located 0 bytes to the right of 24-byte region [0x603000000010,0x603000000028) allocated by thread T0 here: #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41 #2 0x562e1cc0ff54 in build_argv src/env.c:404 #3 0x562e1cc10982 in parse_split_string src/env.c:548 #4 0x562e1cc127bc in main src/env.c:849 #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv --- or --- > python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff \r\x0b\t\x0b-')" ================================================================= ==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30 WRITE of size 8 at 0x603000000030 thread T0 #0 0x558213728789 in build_argv src/env.c:511 #1 0x558213728982 in parse_split_string src/env.c:548 #2 0x55821372a7bc in main src/env.c:849 #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d) 0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030) allocated by thread T0 here: #0 0x7f5b0611d459 in __interceptor_malloc/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x558213731463 in xmalloc lib/xmalloc.c:41 #2 0x558213727f54 in build_argv src/env.c:404 #3 0x558213728982 in parse_split_string src/env.c:548 #4 0x55821372a7bc in main src/env.c:849 #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv --- Version: 8.32 Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux --without-gmp --disable-acl --disable-largefile --disable-libsmack --disable-xattr --disable-libcap --disable-nls Kind regards, Frank ------------=_1616791981-9991-1-- From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 26 Mar 2021 22:22:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Frank Busse Cc: 47412@debbugs.gnu.org Received: via spool by 47412-submit@debbugs.gnu.org id=B47412.16167972722060 (code B ref 47412); Fri, 26 Mar 2021 22:22:01 +0000 Received: (at 47412) by debbugs.gnu.org; 26 Mar 2021 22:21:12 +0000 Received: from localhost ([127.0.0.1]:42779 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPupM-0000XA-3j for submit@debbugs.gnu.org; Fri, 26 Mar 2021 18:21:12 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:57392) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPupK-0000Ww-E9 for 47412@debbugs.gnu.org; Fri, 26 Mar 2021 18:21:11 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 4A5CC16008D; Fri, 26 Mar 2021 15:21:04 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id nphNDsOQ7NT8; Fri, 26 Mar 2021 15:21:03 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 5F5E3160091; Fri, 26 Mar 2021 15:21:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id GWBQ426bluCQ; Fri, 26 Mar 2021 15:21:03 -0700 (PDT) Received: from [192.168.1.9] (cpe-23-243-218-95.socal.res.rr.com [23.243.218.95]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 34D7516008D; Fri, 26 Mar 2021 15:21:03 -0700 (PDT) From: Paul Eggert References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> Organization: UCLA Computer Science Department Message-ID: Date: Fri, 26 Mar 2021 15:21:01 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> Content-Type: multipart/mixed; boundary="------------E4E0537E28A7DA7EAE8D1BE3" Content-Language: en-US X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) This is a multi-part message in MIME format. --------------E4E0537E28A7DA7EAE8D1BE3 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit I also installed the attached two followup patches to document this and issue a better warning in rare cases. The -S code could use some more fixes in this area too - it can probably still dump core on platforms like the Hurd that don't limit exec arg size - but one thing at a time. --------------E4E0537E28A7DA7EAE8D1BE3 Content-Type: text/x-patch; charset=UTF-8; name="0001-doc-document-env-fix.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0001-doc-document-env-fix.patch" >From 6c4efdc0f51c8e253f16da2ec60cdf647bec3c06 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Fri, 26 Mar 2021 14:00:37 -0700 Subject: [PATCH] doc: document env fix * NEWS, doc/coreutils.texi (env invocation): Document recent change. --- NEWS | 3 +++ doc/coreutils.texi | 2 ++ 2 files changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 97cb4bd64..802f4b427 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,9 @@ GNU coreutils NEWS -*- outline -*- heavily changed during the run. [bug introduced in coreutils-8.25] + env -S no longer crashes when given unusual whitespace characters + [bug introduced in coreutils-8.30] + expr no longer mishandles unmatched \(...\) in regular expressions. [bug introduced in coreutils-6.0] diff --git a/doc/coreutils.texi b/doc/coreutils.texi index ac0b4467d..06ecdd74c 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -17592,6 +17592,8 @@ hello Running @command{env -Sstring} splits the @var{string} into arguments based on unquoted spaces or tab characters. +(Newlines, carriage returns, vertical tabs and form feeds are treated +like spaces and tabs.) In the following contrived example the @command{awk} variable @samp{OFS} will be @code{xyz} as these spaces are inside -- 2.30.2 --------------E4E0537E28A7DA7EAE8D1BE3 Content-Type: text/x-patch; charset=UTF-8; name="0001-env-improve-whitespace-warning.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0001-env-improve-whitespace-warning.patch" >From 5f99c7533df49f25819d7bb850be5c6cb49aa13d Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Fri, 26 Mar 2021 14:51:55 -0700 Subject: [PATCH] env: improve whitespace warning * src/env.c (main): Issue -S warning for any whitespace, not just space. --- src/env.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/env.c b/src/env.c index d07918fee..341777cb8 100644 --- a/src/env.c +++ b/src/env.c @@ -942,7 +942,7 @@ main (int argc, char **argv) int exit_status = errno == ENOENT ? EXIT_ENOENT : EXIT_CANNOT_INVOKE; error (0, errno, "%s", quote (argv[optind])); - if (exit_status == EXIT_ENOENT && strchr (argv[optind], ' ')) + if (exit_status == EXIT_ENOENT && strpbrk (argv[optind], C_ISSPACE_CHARS)) error (0, 0, _("use -[v]S to pass options in shebang lines")); return exit_status; -- 2.30.2 --------------E4E0537E28A7DA7EAE8D1BE3-- From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: =?UTF-8?Q?P=C3=A1draig?= Brady Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Mon, 29 Mar 2021 15:01:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 47412@debbugs.gnu.org, eggert@cs.ucla.edu, f.busse@imperial.ac.uk Received: via spool by 47412-submit@debbugs.gnu.org id=B47412.16170300493714 (code B ref 47412); Mon, 29 Mar 2021 15:01:01 +0000 Received: (at 47412) by debbugs.gnu.org; 29 Mar 2021 15:00:49 +0000 Received: from localhost ([127.0.0.1]:49227 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQtNp-0000xq-Ep for submit@debbugs.gnu.org; Mon, 29 Mar 2021 11:00:49 -0400 Received: from mail-wm1-f52.google.com ([209.85.128.52]:33655) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQtNl-0000xb-Tb for 47412@debbugs.gnu.org; Mon, 29 Mar 2021 11:00:48 -0400 Received: by mail-wm1-f52.google.com with SMTP id w203-20020a1c49d40000b029010c706d0642so8661281wma.0 for <47412@debbugs.gnu.org>; Mon, 29 Mar 2021 08:00:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Bw3T10zxoKlMlnczMixZtCceziA5UVlH2YKO8a2I+jk=; b=N0izvLcNqe7OS3X5XDaD379eCW1ciXTw10hrelX/uLfYoZFlBrdKUKAEmJgljH/Q4y 6/RL1frrHvp2OczYSFpK1vXC8Z5cmYnos0zDYAAfbiPpy66oqPKKMZeM+FDkCo/J3YMV zXHxs2FBVmb4KWWb6ev8Zi72721TZKH0FSIIM3G735j8K22pIhadnzmXnX1JgBtJBl5B 0VIOg6wr9uS4JQsPS7STrYzHB/oU8I9u06oB8kqKGmLi7uV/9o0zCy42oasMps7zrwVt xEROrWyo8bCVOeBrMrQnkbd5Fah1f9tlRHxB5vJPQy/f5exIK0Ws5sO4wEtFpP9r74QX YFtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Bw3T10zxoKlMlnczMixZtCceziA5UVlH2YKO8a2I+jk=; b=FrnvnGJP3XYybPsm1mtNU0zXE0OJYXDllv6sz3gFXRZ/csYkcXmqI++J0jDtSqHq5+ NiqBfR2Vsqb6LUctbqV4oxD2LEMVQ6tb0n9j4Zm/nD6Mv/mRZjaap89wPTXhvvcpzz+r zxniLZo1swQQNPG6hrurCZT2rMVEDLNXBzXZfV3N3gWpnMGukoyEiD4fRWrtAr1txqCh NX4BvOWvvNbsZv+2lXVfchCoLeW2BjwR27yzJPZf/NU+ZObLnWCLsVLi0H8QckzNTbmw K9/f+ba6IOzbUP2Qi1U1qGjOlAOaMvoCQ/6v/TMRr6zMPXIPM7w89RVOXFYGCFRBnc59 4Z2A== X-Gm-Message-State: AOAM531RA4Wu8taSsO5D4k+2Ypuy0r9At8RSOM8a0q1uaEH+lnRbYT6f 4YkpP22HroBeEj0dVwJ/eUE= X-Google-Smtp-Source: ABdhPJx+Tsy4o4zo6frpE3CqPHwkqdPChRNGVdiu1Qdf0/a/lYGg9sJLuPPF044U3uGjXzDcPcx1WA== X-Received: by 2002:a1c:1f94:: with SMTP id f142mr25384588wmf.180.1617030039864; Mon, 29 Mar 2021 08:00:39 -0700 (PDT) Received: from localhost.localdomain (86-42-14-227-dynamic.agg2.lod.rsl-rtd.eircom.net. [86.42.14.227]) by smtp.googlemail.com with UTF8SMTPSA id j20sm24197804wmp.30.2021.03.29.08.00.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 29 Mar 2021 08:00:38 -0700 (PDT) References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> From: =?UTF-8?Q?P=C3=A1draig?= Brady Message-ID: Date: Mon, 29 Mar 2021 16:00:38 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Thunderbird/84.0 MIME-Version: 1.0 In-Reply-To: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Score: 0.5 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.5 (/) On 26/03/2021 20:52, Paul Eggert wrote: > Thanks for the bug report. I installed the attached to fix it and am > closing the report. The fix looks good, thanks. I added in a test case also at: https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=9f1bda18f cheers, Pádraig From unknown Tue Jun 17 21:56:28 2025 X-Loop: help-debbugs@gnu.org Subject: bug#47412: env: fragile argument parsing Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 30 Mar 2021 05:07:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47412 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Frank Busse Cc: 47412@debbugs.gnu.org Received: via spool by 47412-submit@debbugs.gnu.org id=B47412.161708078919239 (code B ref 47412); Tue, 30 Mar 2021 05:07:02 +0000 Received: (at 47412) by debbugs.gnu.org; 30 Mar 2021 05:06:29 +0000 Received: from localhost ([127.0.0.1]:50016 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR6aC-00050E-5u for submit@debbugs.gnu.org; Tue, 30 Mar 2021 01:06:29 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:43896) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lR6a7-0004zy-V8 for 47412@debbugs.gnu.org; Tue, 30 Mar 2021 01:06:27 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id B086C1600B7; Mon, 29 Mar 2021 22:06:17 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id vHgRAyhhEgUa; Mon, 29 Mar 2021 22:06:15 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 957F41600C2; Mon, 29 Mar 2021 22:06:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SbPSnoFioLxQ; Mon, 29 Mar 2021 22:06:15 -0700 (PDT) Received: from [10.240.133.226] (unknown [149.142.15.226]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 5F4D51600B7; Mon, 29 Mar 2021 22:06:15 -0700 (PDT) From: Paul Eggert References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu> Message-ID: <1b1b46bf-f195-326c-514a-37c49d3e3fac@cs.ucla.edu> Date: Mon, 29 Mar 2021 22:06:15 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/mixed; boundary="------------244A612492CED8DEF7FFEC37" Content-Language: en-US X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) This is a multi-part message in MIME format. --------------244A612492CED8DEF7FFEC37 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit On 3/26/21 3:21 PM, Paul Eggert wrote: > The -S code could use some more fixes in this area too - it can > probably still dump core on platforms like the Hurd that don't limit > exec arg size - but one thing at a time. I fixed the (unlikely) bugs I found in this area by installing the attached. --------------244A612492CED8DEF7FFEC37 Content-Type: text/x-patch; charset=UTF-8; name="0001-env-simplify-split-string-memory-management.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="0001-env-simplify-split-string-memory-management.patch" >From e3766c5db176ca7abbb8212d5b0b7862fb98a5be Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 29 Mar 2021 21:42:44 -0700 Subject: [PATCH] env: simplify --split-string memory management * bootstrap.conf (gnulib_modules): Add idx. * src/env.c: Include idx.h, minmax.h. Prefer idx_t to ptrdiff_t when values are nonnegative. (valid_escape_sequence, escape_char, validate_split_str) (CHECK_START_NEW_ARG): Remove; no longer needed now that we validate as we go. (struct splitbuf): New type. (splitbuf_grow, splitbuf_append_byte, check_start_new_arg) (splitbuf_finishup): New functions. (build_argv): New arg ARGC. Validate and process in one go, using the new functions; this is simpler and more reliable than the old approach (as witness the recent bug). Avoid integer overflow in the unlikely case where the string contains more than INT_MAX arguments. (parse_split_string): Simplify by exploiting the new build_argv. --- bootstrap.conf | 1 + src/env.c | 385 ++++++++++++++++++++++--------------------------- 2 files changed, 173 insertions(+), 213 deletions(-) diff --git a/bootstrap.conf b/bootstrap.conf index ab6b3ef0c..f55da99db 100644 --- a/bootstrap.conf +++ b/bootstrap.conf @@ -134,6 +134,7 @@ gnulib_modules=" host-os human idcache + idx ignore-value inttostr inttypes diff --git a/src/env.c b/src/env.c index 11db374d9..e2ab39fd5 100644 --- a/src/env.c +++ b/src/env.c @@ -26,6 +26,8 @@ #include "system.h" #include "die.h" #include "error.h" +#include "idx.h" +#include "minmax.h" #include "operand2sig.h" #include "quote.h" #include "sig2str.h" @@ -41,14 +43,14 @@ /* Array of envvars to unset. */ static const char **usvars; static size_t usvars_alloc; -static ptrdiff_t usvars_used; +static idx_t usvars_used; /* Annotate the output with extra info to aid the user. */ static bool dev_debug; /* Buffer and length of extracted envvars in -S strings. */ static char *varname; -static ptrdiff_t vnlen; +static idx_t vnlen; /* Possible actions on each signal. */ enum SIGNAL_MODE { @@ -175,7 +177,7 @@ append_unset_var (const char *var) static void unset_envvars (void) { - for (ptrdiff_t i = 0; i < usvars_used; ++i) + for (idx_t i = 0; i < usvars_used; ++i) { devmsg ("unset: %s\n", usvars[i]); @@ -190,29 +192,6 @@ unset_envvars (void) IF_LINT (usvars_alloc = 0); } -static bool _GL_ATTRIBUTE_PURE -valid_escape_sequence (const char c) -{ - return (c == 'c' || c == 'f' || c == 'n' || c == 'r' || c == 't' || c == 'v' \ - || c == '#' || c == '$' || c == '_' || c == '"' || c == '\'' \ - || c == '\\'); -} - -static char _GL_ATTRIBUTE_PURE -escape_char (const char c) -{ - switch (c) - { - /* \a, \b not supported by FreeBSD's env. */ - case 'f': return '\f'; - case 'n': return '\n'; - case 'r': return '\r'; - case 't': return '\t'; - case 'v': return '\v'; - default: assume (false); - } -} - /* Return a pointer to the end of a valid ${VARNAME} string, or NULL. 'str' should point to the '$' character. First letter in VARNAME must be alpha or underscore, @@ -241,7 +220,7 @@ scan_varname (const char *str) static char * extract_varname (const char *str) { - ptrdiff_t i; + idx_t i; const char *p; p = scan_varname (str); @@ -263,150 +242,127 @@ extract_varname (const char *str) return varname; } -/* Validate the "-S" parameter, according to the syntax defined by FreeBSD's - env(1). Terminate with an error message if not valid. +/* Temporary buffer used by --split-string processing. */ +struct splitbuf +{ + /* Buffer address, arg count, and half the number of elements in the buffer. + ARGC and ARGV are as in 'main', and ARGC + 1 <= HALF_ALLOC so + that the upper half of ARGV can be used for string contents. + This may waste up to half the space but keeps the code simple, + which is better for this rarely-used but security-sensitive code. + + ARGV[0] is not initialized; that is the caller's responsibility + after finalization. + + During assembly, ARGV[I] (where 0 < I < ARGC) contains the offset + of the Ith string (relative to ARGV + HALF_ALLOC), so that + reallocating ARGV does not change the validity of its contents. + The integer offset is cast to char * during assembly, and is + converted to a true char * pointer on finalization. + + During assembly, ARGV[ARGC] contains the offset of the first + unused string byte (relative to ARGV + HALF_ALLOC). */ + char **argv; + int argc; + idx_t half_alloc; + + /* The number of extra argv slots to keep room for. */ + int extra_argc; + + /* Whether processing should act as if the most recent character + seen was a separator. */ + bool sep; +}; - Calculate and set two values: - bufsize - the size (in bytes) required to hold the resulting string - after ENVVAR expansion (the value is overestimated). - maxargc - the maximum number of arguments (the size of the new argv). */ +/* Expand SS so that it has at least one more argv slot and at least + one more string byte. */ static void -validate_split_str (const char *str, ptrdiff_t *bufsize, int *maxargc) +splitbuf_grow (struct splitbuf *ss) { - bool dq, sq, sp; - const char *pch; - ptrdiff_t buflen; - int cnt = 1; + idx_t old_half_alloc = ss->half_alloc; + idx_t string_bytes = (intptr_t) ss->argv[ss->argc]; + ss->argv = xpalloc (ss->argv, &ss->half_alloc, 1, + MIN (INT_MAX, IDX_MAX), 2 * sizeof *ss->argv); + memmove (ss->argv + ss->half_alloc, ss->argv + old_half_alloc, string_bytes); +} - dq = sq = sp = false; - buflen = strlen (str) + 1; +/* In SS, append C to the last string. */ +static void +splitbuf_append_byte (struct splitbuf *ss, char c) +{ + idx_t string_bytes = (intptr_t) ss->argv[ss->argc]; + if (ss->half_alloc * sizeof *ss->argv <= string_bytes) + splitbuf_grow (ss); + ((char *) (ss->argv + ss->half_alloc))[string_bytes] = c; + ss->argv[ss->argc] = (char *) (intptr_t) (string_bytes + 1); +} - while (*str) +/* If SS's most recent character was a separator, finish off its + previous argument and start a new one. */ +static void +check_start_new_arg (struct splitbuf *ss) +{ + if (ss->sep) { - const char next = str[1]; - - if (c_isspace (*str) && !dq && !sq) - { - sp = true; - } - else - { - if (sp) - ++cnt; - sp = false; - } - - switch (*str) - { - case '\'': - sq = !sq && !dq; - break; - - case '"': - dq = !sq && !dq; - break; - - case '\\': - if (dq && next == 'c') - die (EXIT_CANCELED, 0, - _("'\\c' must not appear in double-quoted -S string")); - - if (next == '\0') - die (EXIT_CANCELED, 0, - _("invalid backslash at end of string in -S")); - - if (!valid_escape_sequence (next)) - die (EXIT_CANCELED, 0, _("invalid sequence '\\%c' in -S"), next); - - if (next == '_') - ++cnt; - - ++str; - break; - - - case '$': - if (sq) - break; - - pch = extract_varname (str); - if (! pch) - die (EXIT_CANCELED, 0, _("only ${VARNAME} expansion is supported,"\ - " error at: %s"), str); - - pch = getenv (pch); - if (pch) - buflen += strlen (pch); - break; - } - ++str; + splitbuf_append_byte (ss, '\0'); + int argc = ss->argc; + if (ss->half_alloc <= argc + ss->extra_argc + 1) + splitbuf_grow (ss); + ss->argv[argc + 1] = ss->argv[argc]; + ss->argc = argc + 1; + ss->sep = false; } +} - if (dq || sq) - die (EXIT_CANCELED, 0, _("no terminating quote in -S string")); - - *maxargc = cnt; - *bufsize = buflen; +/* All additions to SS have been made. Convert its offsets to pointers, + and return the resulting argument vector. */ +static char ** +splitbuf_finishup (struct splitbuf *ss) +{ + int argc = ss->argc; + char **argv = ss->argv; + char *stringbase = (char *) (ss->argv + ss->half_alloc); + for (int i = 1; i < argc; i++) + argv[i] = stringbase + (intptr_t) argv[i]; + return argv; } -/* Return a newly-allocated *arg[]-like array, +/* Return a newly-allocated argv-like array, by parsing and splitting the input 'str'. + 'extra_argc' is the number of additional elements to allocate in the array (on top of the number of args required to split 'str'). + Store into *argc the number of arguments found (plus 1 for + the program name). + Example: - char **argv = build_argv ("A=B uname -k', 3) + int argc; + char **argv = build_argv ("A=B uname -k', 3, &argc); Results in: - argv[0] = "DUMMY" - dummy executable name, can be replaced later. + argc = 4 + argv[0] = [not initialized] argv[1] = "A=B" argv[2] = "uname" argv[3] = "-k" - argv[4] = NULL - argv[5,6,7] = [allocated due to extra_argc, but not initialized] + argv[4,5,6,7] = [allocated due to extra_argc + 1, but not initialized] - The strings are stored in an allocated buffer, pointed by argv[0]. To free allocated memory: - free (argv[0]); - free (argv); */ + free (argv); + However, 'env' does not free since it's about to exec or exit anyway + and the complexity of keeping track of the storage that may have been + allocated via multiple calls to build_argv is not worth the hassle. */ static char ** -build_argv (const char *str, int extra_argc) +build_argv (const char *str, int extra_argc, int *argc) { - bool dq = false, sq = false, sep = true; - - /* Buffer to hold the new argv values. Allocated as one buffer, but - will contain multiple NUL-terminate strings. */ - char *dest; - - char **newargv, **nextargv; - int newargc = 0; - ptrdiff_t buflen = 0; - - /* This macro is called before inserting any characters to the output - buffer. It checks if the previous character was a separator - and if so starts a new argv element. */ -#define CHECK_START_NEW_ARG \ - do { \ - if (sep) \ - { \ - *dest++ = '\0'; \ - *nextargv++ = dest; \ - sep = false; \ - } \ - } while (0) - - validate_split_str (str, &buflen, &newargc); - - /* Allocate buffer. +6 for the "DUMMY\0" executable name, +1 for NUL. */ - dest = xmalloc (buflen + 6 + 1); - - /* Allocate the argv array. - +2 for the program name (argv[0]) and the last NULL pointer. */ - nextargv = newargv = xmalloc ((newargc + extra_argc + 2) * sizeof (char *)); - - /* argv[0] = executable's name - will be replaced later. */ - strcpy (dest, "DUMMY"); - *nextargv++ = dest; - dest += 6; + bool dq = false, sq = false; + struct splitbuf ss; + ss.argv = xnmalloc (extra_argc + 2, 2 * sizeof *ss.argv); + ss.argc = 1; + ss.half_alloc = extra_argc + 2; + ss.extra_argc = extra_argc; + ss.sep = true; + ss.argv[ss.argc] = 0; /* In the following loop, 'break' causes the character 'newc' to be added to *dest, @@ -421,7 +377,7 @@ build_argv (const char *str, int extra_argc) if (dq) break; sq = !sq; - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); ++str; continue; @@ -429,7 +385,7 @@ build_argv (const char *str, int extra_argc) if (sq) break; dq = !dq; - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); ++str; continue; @@ -437,12 +393,12 @@ build_argv (const char *str, int extra_argc) /* Start a new argument if outside quotes. */ if (sq || dq) break; - sep = true; + ss.sep = true; str += strspn (str, C_ISSPACE_CHARS); continue; case '#': - if (!sep) + if (!ss.sep) break; goto eos; /* '#' as first char terminates the string. */ @@ -454,26 +410,41 @@ build_argv (const char *str, int extra_argc) /* Skip the backslash and examine the next character. */ newc = *++str; - if (newc == '\\' || newc == '\'' - || (!sq && (newc == '#' || newc == '$' || newc == '"'))) + switch (newc) { + case '"': case '#': case '$': case '\'': case '\\': /* Pass escaped character as-is. */ - } - else if (newc == '_') - { + break; + + case '_': if (!dq) { ++str; /* '\_' outside double-quotes is arg separator. */ - sep = true; + ss.sep = true; continue; } - else - newc = ' '; /* '\_' inside double-quotes is space. */ + newc = ' '; /* '\_' inside double-quotes is space. */ + break; + + case 'c': + if (dq) + die (EXIT_CANCELED, 0, + _("'\\c' must not appear in double-quoted -S string")); + goto eos; /* '\c' terminates the string. */ + + case 'f': newc = '\f'; break; + case 'n': newc = '\n'; break; + case 'r': newc = '\r'; break; + case 't': newc = '\t'; break; + case 'v': newc = '\v'; break; + + case '\0': + die (EXIT_CANCELED, 0, + _("invalid backslash at end of string in -S")); + + default: + die (EXIT_CANCELED, 0, _("invalid sequence '\\%c' in -S"), newc); } - else if (newc == 'c') - goto eos; /* '\c' terminates the string. */ - else - newc = escape_char (newc); /* Other characters (e.g., '\n'). */ break; case '$': @@ -484,12 +455,18 @@ build_argv (const char *str, int extra_argc) /* Store the ${VARNAME} value. */ { char *n = extract_varname (str); + if (!n) + die (EXIT_CANCELED, 0, + _("only ${VARNAME} expansion is supported, error at: %s"), + str); + char *v = getenv (n); if (v) { - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); devmsg ("expanding ${%s} into %s\n", n, quote (v)); - dest = stpcpy (dest, v); + for (; *v; v++) + splitbuf_append_byte (&ss, *v); } else devmsg ("replacing ${%s} with null string\n", n); @@ -499,16 +476,18 @@ build_argv (const char *str, int extra_argc) } } - CHECK_START_NEW_ARG; - *dest++ = newc; + check_start_new_arg (&ss); + splitbuf_append_byte (&ss, newc); ++str; } - eos: - *dest = '\0'; - *nextargv = NULL; /* Mark the last element in argv as NULL. */ + if (dq || sq) + die (EXIT_CANCELED, 0, _("no terminating quote in -S string")); - return newargv; + eos: + splitbuf_append_byte (&ss, '\0'); + *argc = ss.argc; + return splitbuf_finishup (&ss); } /* Process an "-S" string and create the corresponding argv array. @@ -517,67 +496,47 @@ build_argv (const char *str, int extra_argc) Example: if executed as: $ env -S"-i -C/tmp A=B" foo bar The input argv is: - argv[0] = 'env' + argv[0] = "env" argv[1] = "-S-i -C/tmp A=B" - argv[2] = foo - argv[3] = bar + argv[2] = "foo" + argv[3] = "bar" + argv[4] = NULL This function will modify argv to be: - argv[0] = 'env' + argv[0] = "env" argv[1] = "-i" argv[2] = "-C/tmp" - argv[3] = A=B" - argv[4] = foo - argv[5] = bar + argv[3] = "A=B" + argv[4] = "foo" + argv[5] = "bar" + argv[6] = NULL argc will be updated from 4 to 6. optind will be reset to 0 to force getopt_long to rescan all arguments. */ static void parse_split_string (const char *str, int *orig_optind, int *orig_argc, char ***orig_argv) { - int i, newargc; - char **newargv, **nextargv; - - - while (c_isspace (*str)) - str++; - if (*str == '\0') - return; - - newargv = build_argv (str, *orig_argc - *orig_optind); + int extra_argc = *orig_argc - *orig_optind, newargc; + char **newargv = build_argv (str, extra_argc, &newargc); /* Restore argv[0] - the 'env' executable name. */ *newargv = (*orig_argv)[0]; - /* Start from argv[1] */ - nextargv = newargv + 1; - - /* Print parsed arguments */ - if (dev_debug && *nextargv) + /* Print parsed arguments. */ + if (dev_debug && 1 < newargc) { devmsg ("split -S: %s\n", quote (str)); - devmsg (" into: %s\n", quote (*nextargv++)); - while (*nextargv) - devmsg (" & %s\n", quote (*nextargv++)); + devmsg (" into: %s\n", quote (newargv[1])); + for (int i = 2; i < newargc; i++) + devmsg (" & %s\n", quote (newargv[i])); } - else - { - /* Ensure nextargv points to the last argument */ - while (*nextargv) - ++nextargv; - } - - /* Add remaining arguments from original command line */ - for (i = *orig_optind; i < *orig_argc; ++i) - *nextargv++ = (*orig_argv)[i]; - *nextargv = NULL; - /* Count how many new arguments we have */ - newargc = 0; - for (nextargv = newargv; *nextargv; ++nextargv) - ++newargc; + /* Add remaining arguments and terminating null from the original + command line. */ + memcpy (newargv + newargc, *orig_argv + *orig_optind, + (extra_argc + 1) * sizeof *newargv); /* Set new values for original getopt variables. */ - *orig_argc = newargc; + *orig_argc = newargc + extra_argc; *orig_argv = newargv; *orig_optind = 0; /* Tell getopt to restart from first argument. */ } -- 2.25.1 --------------244A612492CED8DEF7FFEC37--