From unknown Tue Jun 17 20:19:11 2025
From: bug#47412 <47412@debbugs.gnu.org>
To: bug#47412 <47412@debbugs.gnu.org>
Subject: Status: env: fragile argument parsing
Reply-To: bug#47412 <47412@debbugs.gnu.org>
Date: Wed, 18 Jun 2025 03:19:11 +0000

retitle 47412 env: fragile argument parsing
reassign 47412 coreutils
submitter 47412 Frank Busse
severity 47412 normal
thanks

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 11:39:26 2021
Date: Fri, 26 Mar 2021 15:00:17 +0000
From: Frank Busse
To: bug-coreutils@gnu.org
Subject: env: fragile argument parsing
Message-ID: <20210326150017.2a2dbc5c@haengemotte.localdomain>
Organization: Imperial College London

Hi,

env crashes for some nonsensical command line arguments (reported by
KLEE), e.g.:

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"

=================================================================
==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
WRITE of size 8 at 0x603000000028 thread T0
    #0 0x562e1cc10789 in build_argv src/env.c:511
    #1 0x562e1cc10982 in parse_split_string src/env.c:548
    #2 0x562e1cc127bc in main src/env.c:849
    #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)

0x603000000028 is located 0 bytes to the right of 24-byte region [0x603000000010,0x603000000028)
allocated by thread T0 here:
    #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
    #2 0x562e1cc0ff54 in build_argv src/env.c:404
    #3 0x562e1cc10982 in parse_split_string src/env.c:548
    #4 0x562e1cc127bc in main src/env.c:849
    #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---

or

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff \r\x0b\t\x0b-')"

=================================================================
==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30
WRITE of size 8 at 0x603000000030 thread T0
    #0 0x558213728789 in build_argv src/env.c:511
    #1 0x558213728982 in parse_split_string src/env.c:548
    #2 0x55821372a7bc in main src/env.c:849
    #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d)

0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
allocated by thread T0 here:
    #0 0x7f5b0611d459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x558213731463 in xmalloc lib/xmalloc.c:41
    #2 0x558213727f54 in build_argv src/env.c:404
    #3 0x558213728982 in parse_split_string src/env.c:548
    #4 0x55821372a7bc in main src/env.c:849
    #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---

Version: 8.32
Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux --without-gmp --disable-acl --disable-largefile --disable-libsmack --disable-xattr --disable-libcap --disable-nls

Kind regards,
Frank
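Both traces above come from a -S string whose argument count and argument list were computed by two different passes over the same bytes. The C program below is an added illustration written for this page, not code from coreutils or from anyone in this thread. It models the pre-fix pair of passes (a count pass using the locale's isspace(), a split pass that treats only space and tab as separators), shows that the report's two -S strings make the split pass produce more arguments than the count pass sized the buffer for, and then shows the shape of the fix: one shared separator set (the patch's C_ISSPACE_CHARS) used by both passes, plus a bounds check. Quote handling is reduced to single and double quotes; the real parser's backslash escapes and '#' comments are omitted. The function names (split_args, prefix_overflows, split_fixed, fixed_argc, fixed_start) are the example's own, and the sample strings are constructed from the report.

```c
/* Added example, not coreutils code: a miniature of the two-pass
 * splitter behind `env -S`.  A count pass sizes the argv buffer and a
 * split pass fills it; when the two passes disagree about which bytes
 * separate arguments, the split pass writes past the buffer. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The separator set the fix introduces (coreutils' C_ISSPACE_CHARS). */
#define C_ISSPACE_CHARS " \t\n\v\f\r"

typedef bool (*sep_fn) (char);

/* Pre-fix count pass (validate_split_str): isspace() of the current
 * locale.  This program never calls setlocale, so it runs in the C
 * locale, where \n \v \f \r are spaces; the real env does call
 * setlocale, so there the set can also vary with LC_CTYPE. */
static bool old_count_sep (char c) { return isspace ((unsigned char) c) != 0; }

/* Pre-fix split pass (build_argv): only ' ' and '\t' ended an argument. */
static bool old_split_sep (char c) { return c == ' ' || c == '\t'; }

/* Post-fix: both passes use the same fixed, locale-independent set.
 * The '\0' guard keeps strchr from matching the terminator. */
static bool c_space_sep (char c) { return c != '\0' && strchr (C_ISSPACE_CHARS, c) != NULL; }

/* Walk STR once, treating bytes for which IS_SEP is true as separators
 * outside single/double quotes.  Records the offset of each argument
 * start in STARTS (at most CAP of them) and returns how many arguments
 * there are, which may exceed CAP; the caller must check that. */
static size_t
split_args (const char *str, sep_fn is_sep, size_t *starts, size_t cap)
{
  size_t n = 0;
  bool in_arg = false, sq = false, dq = false;

  for (const char *p = str; *p; p++)
    {
      if (*p == '\'' && !dq)
        sq = !sq;                       /* a quote is part of an argument */
      else if (*p == '"' && !sq)
        dq = !dq;
      else if (!sq && !dq && is_sep (*p))
        {
          in_arg = false;               /* next non-separator starts a new argument */
          continue;
        }
      if (!in_arg)
        {
          if (n < cap)
            starts[n] = (size_t) (p - str);
          n++;
          in_arg = true;
        }
    }
  return n;
}

/* True when the pre-fix passes disagree for STR: the split pass would
 * produce more arguments than the count pass sized the buffer for,
 * which is the heap-buffer-overflow in the report. */
static bool
prefix_overflows (const char *str)
{
  size_t counted = split_args (str, old_count_sep, NULL, 0);
  size_t produced = split_args (str, old_split_sep, NULL, 0);
  return produced > counted;
}

/* Fixed splitter: one predicate for both passes, plus a bounds check so
 * that any future divergence fails cleanly instead of writing past the
 * buffer.  Returns the argument count, or (size_t) -1 on failure. */
static size_t
split_fixed (const char *str, size_t *starts, size_t cap)
{
  size_t counted = split_args (str, c_space_sep, NULL, 0);
  if (counted > cap)
    return (size_t) -1;                 /* caller's buffer is too small */
  size_t produced = split_args (str, c_space_sep, starts, cap);
  if (produced != counted)
    return (size_t) -1;                 /* passes disagree: refuse rather than overflow */
  return produced;
}

/* Wrappers so results can be checked without a caller-owned buffer. */
static size_t
fixed_argc (const char *str, size_t cap)
{
  size_t starts[16];
  return split_fixed (str, starts, cap < 16 ? cap : 16);
}

static size_t
fixed_start (const char *str, size_t i)
{
  size_t starts[16];
  size_t n = split_fixed (str, starts, 16);
  return (n != (size_t) -1 && i < n) ? starts[i] : (size_t) -1;
}

int
main (void)
{
  /* Constructed samples: the two -S strings from the report (the bytes
   * after "--s=") and one benign string with quoted whitespace. */
  const char *samples[] = { "\"\"\t\v", "\xff \r\v\t\v-", "foo 'a b' \"c\td\"" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("sample %zu: pre-fix overflow=%s, fixed argc=%zu\n", i,
            prefix_overflows (samples[i]) ? "yes" : "no",
            fixed_argc (samples[i], 16));
  return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. In the real binary the counted value sizes an xmalloc and the split pass stores argv entries into it, so the "produced > counted" case here corresponds to the 8-byte write just past the 24- and 32-byte regions in the ASan output; the fixed variant returns (size_t) -1 instead of storing past the buffer.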
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 16:13:03 2021
Subject: Re: bug#47412: env: fragile argument parsing
To: Frank Busse, 47412@debbugs.gnu.org
References: <20210326150017.2a2dbc5c@haengemotte.localdomain>
From: Pádraig Brady
Date: Fri, 26 Mar 2021 20:12:53 +0000
In-Reply-To: <20210326150017.2a2dbc5c@haengemotte.localdomain>

On 26/03/2021 15:00, Frank Busse wrote:
> Hi,
>
> env crashes for some nonsensical command line arguments (reported by
> KLEE), e.g.:
>
> ---
>> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"
>
> =================================================================
> ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
> WRITE of size 8 at 0x603000000028 thread T0
>     #0 0x562e1cc10789 in build_argv src/env.c:511
>     #1 0x562e1cc10982 in parse_split_string src/env.c:548
>     #2 0x562e1cc127bc in main src/env.c:849
>     #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
>     #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)
>
> 0x603000000028 is located 0 bytes to the right of 24-byte region
> [0x603000000010,0x603000000028)
> allocated by thread T0 here:
>     #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
>     #2 0x562e1cc0ff54 in build_argv src/env.c:404
>     #3 0x562e1cc10982 in parse_split_string src/env.c:548
>     #4 0x562e1cc127bc in main src/env.c:849
>     #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

Confirmed on an ASAN build of the latest source.
I'll fix it up.

thanks!
Pádraig

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 16:49:33 2021
Subject: Re: bug#47412: env: fragile argument parsing
To: Pádraig Brady, Frank Busse, 47412@debbugs.gnu.org
References: <20210326150017.2a2dbc5c@haengemotte.localdomain>
From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Fri, 26 Mar 2021 13:49:24 -0700

On 3/26/21 1:12 PM, Pádraig Brady wrote:
> I'll fix it up.

I've got a fix. My goodness, that part of the code is messy.

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 16:52:51 2021
Subject: Re: bug#47412: env: fragile argument parsing
To: Frank Busse
Cc: 47412-done@debbugs.gnu.org
References: <20210326150017.2a2dbc5c@haengemotte.localdomain>
From: Paul Eggert
Organization: UCLA Computer Science Department
Message-ID: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>
Date: Fri, 26 Mar 2021 13:52:40 -0700
In-Reply-To: <20210326150017.2a2dbc5c@haengemotte.localdomain>

Thanks for the bug report. I installed the attached to fix it and am
closing the report.

Content-Type: text/x-patch; charset=UTF-8; name="0001-env-fix-address-violation-with-v-in-S.patch"
Content-Disposition: attachment; filename="0001-env-fix-address-violation-with-v-in-S.patch"

From 6dd466eda6fa3f1f7d2a9474ec926ccd2ede98e9 Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Fri, 26 Mar 2021 13:49:49 -0700 Subject: [PATCH] env: fix address violation with '\v' in -S Problem reported by Frank Busse (Bug#47412). * src/env.c (C_ISSPACE_CHARS): New macro. (shortopts, build_argv, main): Treate all C-locale space characters like space and tab, for compatibility with FreeBSD. (validate_split_str, build_argv, parse_split_string): Use the C locale, not the current locale, to determine whether a byte is a space character. --- src/env.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/env.c b/src/env.c index ba9da1113..e13a312cd 100644 --- a/src/env.c +++ b/src/env.c @@ -73,7 +73,10 @@ static bool sig_mask_changed; /* Whether to list non default handling. */ static bool report_signal_handling; -static char const shortopts[] = "+C:iS:u:v0 \t"; +/* isspace characters in the C locale. */ +#define C_ISSPACE_CHARS " \t\n\v\f\r" + +static char const shortopts[] = "+C:iS:u:v0" C_ISSPACE_CHARS; /* For long options that have no equivalent short option, use a non-character as a pseudo short option, starting with CHAR_MAX + 1. */ @@ -277,7 +280,7 @@ validate_split_str (const char* str, size_t* /*out*/ bufsize, size_t buflen; int cnt = 1; - assert (str && str[0] && !isspace (str[0])); /* LCOV_EXCL_LINE */ + assert (str && str[0] && !c_isspace (str[0])); /* LCOV_EXCL_LINE */ dq = sq = sp = false; buflen = strlen (str)+1; @@ -286,7 +289,7 @@ validate_split_str (const char* str, size_t* /*out*/ bufsize, { const char next = *(str+1); - if (isspace (*str) && !dq && !sq) + if (c_isspace (*str) && !dq && !sq) { sp = true; } @@ -392,7 +395,7 @@ build_argv (const char* str, int extra_argc) } \ } while (0) - assert (str && str[0] && !isspace (str[0])); /* LCOV_EXCL_LINE */ + assert (str && str[0] && !c_isspace (str[0])); /* LCOV_EXCL_LINE */ validate_split_str (str, &buflen, &newargc); 
@@ -433,13 +436,12 @@ build_argv (const char* str, int extra_argc) ++str; continue; - case ' ': - case '\t': - /* space/tab outside quotes starts a new argument. */ + case ' ': case '\t': case '\n': case '\v': case '\f': case '\r': + /* Start a new argument if outside quotes. */ if (sq || dq) break; sep = true; - str += strspn (str, " \t"); /* skip whitespace. */ + str += strspn (str, C_ISSPACE_CHARS); continue; case '#': @@ -540,7 +542,7 @@ parse_split_string (const char* str, int /*out*/ *orig_optind, char **newargv, **nextargv; - while (isspace (*str)) + while (c_isspace (*str)) str++; if (*str == '\0') return; 
@@ -848,8 +850,7 @@ main (int argc, char **argv) case 'S': parse_split_string (optarg, &optind, &argc, &argv); break; - case ' ': - case '\t': + case ' ': case '\t': case '\n': case '\v': case '\f': case '\r': /* These are undocumented options. Attempt to detect incorrect shebang usage with extraneous space, e.g.: #!/usr/bin/env -i command -- 2.30.2
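Review bot: the validate_split_str, build_argv and parse_split_string hunks replace isspace with c_isspace, but no hunk adds `#include "c-ctype.h"` (the gnulib header that declares c_isspace), so either env.c already includes it or this does not build; please confirm. The substance is right: the count pass in validate_split_str used the locale's isspace while the split pass in build_argv matched only ' ' and '\t', so the split could produce more arguments than were counted, and the ASan trace (xmalloc at env.c:404, write at env.c:511, both in build_argv) is consistent with exactly that. Giving both passes one definition of a separator is what closes the overflow.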
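Review bot: `static char const shortopts[] = "+C:iS:u:v0" C_ISSPACE_CHARS;` in the first hunk and the hand-written `case ' ': case '\t': case '\n': case '\v': case '\f': case '\r':` labels in the build_argv and main hunks must list the same six bytes, and nothing ties them together; a comment beside C_ISSPACE_CHARS noting that those two case lists mirror it would help whoever next changes the set.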
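Review bot: in the build_argv hunk, `str += strspn (str, C_ISSPACE_CHARS);` skips separators using the string macro while validate_split_str counts them with c_isspace; the two agree only because the macro is documented as "isspace characters in the C locale". Since the bug being fixed was precisely two passes disagreeing, consider also guarding the store in build_argv (an assert that the index is below the count validate_split_str returned, before each write), so a future mismatch aborts cleanly instead of writing past the xmalloc'd block.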
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 18:21:12 2021
Subject: Re: bug#47412: env: fragile argument parsing
From: Paul Eggert
To: Frank Busse
Cc: 47412@debbugs.gnu.org
References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>
Organization: UCLA Computer Science Department
Date: Fri, 26 Mar 2021 15:21:01 -0700
In-Reply-To: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>

I also installed the attached two followup patches to document this and
issue a better warning in rare cases.

The -S code could use some more fixes in this area too - it can probably
still dump core on platforms like the Hurd that don't limit exec arg
size - but one thing at a time.

Content-Type: text/x-patch; charset=UTF-8; name="0001-doc-document-env-fix.patch"
Content-Disposition: attachment; filename="0001-doc-document-env-fix.patch"

From 6c4efdc0f51c8e253f16da2ec60cdf647bec3c06 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 26 Mar 2021 14:00:37 -0700
Subject: [PATCH] doc: document env fix

* NEWS, doc/coreutils.texi (env invocation): Document recent change.
---
 NEWS               | 3 +++
 doc/coreutils.texi | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 97cb4bd64..802f4b427 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ GNU coreutils NEWS -*- outline -*- heavily changed during the run. [bug introduced in coreutils-8.25] + env -S no longer crashes when given unusual whitespace characters + [bug introduced in coreutils-8.30] + expr no longer mishandles unmatched \(...\) in regular expressions. [bug introduced in coreutils-6.0] diff --git a/doc/coreutils.texi b/doc/coreutils.texi index ac0b4467d..06ecdd74c 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -17592,6 +17592,8 @@ hello Running @command{env -Sstring} splits the @var{string} into arguments based on unquoted spaces or tab characters. +(Newlines, carriage returns, vertical tabs and form feeds are treated +like spaces and tabs.) In the following contrived example the @command{awk} variable @samp{OFS} will be @code{xyz} as these spaces are inside -- 2.30.2

Content-Type: text/x-patch; charset=UTF-8; name="0001-env-improve-whitespace-warning.patch"
Content-Disposition: attachment; filename="0001-env-improve-whitespace-warning.patch"

From 5f99c7533df49f25819d7bb850be5c6cb49aa13d Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 26 Mar 2021 14:51:55 -0700
Subject: [PATCH] env: improve whitespace warning

* src/env.c (main): Issue -S warning for any whitespace, not just space.
---
 src/env.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/env.c b/src/env.c
index d07918fee..341777cb8 100644
--- a/src/env.c
+++ b/src/env.c
@@ -942,7 +942,7 @@ main (int argc, char **argv) int exit_status = errno == ENOENT ? EXIT_ENOENT : EXIT_CANNOT_INVOKE; error (0, errno, "%s", quote (argv[optind])); - if (exit_status == EXIT_ENOENT && strchr (argv[optind], ' ')) + if (exit_status == EXIT_ENOENT && strpbrk (argv[optind], C_ISSPACE_CHARS)) error (0, 0, _("use -[v]S to pass options in shebang lines")); return exit_status; -- 2.30.2
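Review bot: the NEWS hunk says env -S "no longer crashes when given unusual whitespace characters" but not what those characters now do; since newline, carriage return, vertical tab and form feed have become argument separators (a visible behaviour change for any -S string that contained them deliberately, not only a crash fix), the entry should name them and say they now split like space and tab.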
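Review bot: the texi hunk leaves the preceding sentence saying splitting is "based on unquoted spaces or tab characters" and bolts the other four bytes on as a parenthetical; fold them into one sentence, e.g. "based on unquoted whitespace (space, tab, newline, carriage return, vertical tab and form feed)", and state that the set does not depend on the locale, which is what the switch from isspace to c_isspace in the code change means for users.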
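Review bot: `strpbrk (argv[optind], C_ISSPACE_CHARS)` depends on the C_ISSPACE_CHARS macro added by the "env: fix address violation" commit, so this patch neither applies nor builds on its own; the commit message should record that ordering. The hint itself is unchanged and still only fires on EXIT_ENOENT, so widening the trigger from ' ' to all six bytes is a safe change.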
Subject: Re: bug#47412: env: fragile argument parsing
To: 47412@debbugs.gnu.org, eggert@cs.ucla.edu, f.busse@imperial.ac.uk
References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>
From: Pádraig Brady
Date: Mon, 29 Mar 2021 16:00:38 +0100
In-Reply-To: <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>

On 26/03/2021 20:52, Paul Eggert wrote:
> Thanks for the bug report. I installed the attached to fix it and am
> closing the report.

The fix looks good, thanks.

I added in a test case also at:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=9f1bda18f

cheers,
Pádraig

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 30 01:06:29 2021
Subject: Re: bug#47412: env: fragile argument parsing
From: Paul Eggert
To: Frank Busse
Cc: 47412@debbugs.gnu.org
References: <20210326150017.2a2dbc5c@haengemotte.localdomain> <21fd1450-205f-8330-d493-af3375e42949@cs.ucla.edu>
Message-ID: <1b1b46bf-f195-326c-514a-37c49d3e3fac@cs.ucla.edu>
Date: Mon, 29 Mar 2021 22:06:15 -0700

On 3/26/21 3:21 PM, Paul Eggert wrote:
> The -S code could use some more fixes in this area too - it can
> probably still dump core on platforms like the Hurd that don't limit
> exec arg size - but one thing at a time.

I fixed the (unlikely) bugs I found in this area by installing the attached.

Content-Disposition: attachment; filename="0001-env-simplify-split-string-memory-management.patch"

>From e3766c5db176ca7abbb8212d5b0b7862fb98a5be Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Mon, 29 Mar 2021 21:42:44 -0700 Subject: [PATCH] env: simplify --split-string memory management * bootstrap.conf (gnulib_modules): Add idx. * src/env.c: Include idx.h, minmax.h. Prefer idx_t to ptrdiff_t when values are nonnegative. (valid_escape_sequence, escape_char, validate_split_str) (CHECK_START_NEW_ARG): Remove; no longer needed now that we validate as we go. (struct splitbuf): New type. (splitbuf_grow, splitbuf_append_byte, check_start_new_arg) (splitbuf_finishup): New functions. (build_argv): New arg ARGC. Validate and process in one go, using the new functions; this is simpler and more reliable than the old approach (as witness the recent bug). Avoid integer overflow in the unlikely case where the string contains more than INT_MAX arguments. (parse_split_string): Simplify by exploiting the new build_argv. --- bootstrap.conf | 1 + src/env.c | 385 ++++++++++++++++++++++--------------------------- 2 files changed, 173 insertions(+), 213 deletions(-) diff --git a/bootstrap.conf b/bootstrap.conf index ab6b3ef0c..f55da99db 100644 --- a/bootstrap.conf +++ b/bootstrap.conf @@ -134,6 +134,7 @@ gnulib_modules=" host-os human idcache + idx ignore-value inttostr inttypes diff --git a/src/env.c b/src/env.c index 11db374d9..e2ab39fd5 100644 --- a/src/env.c +++ b/src/env.c @@ -26,6 +26,8 @@ #include "system.h" #include "die.h" #include "error.h" +#include "idx.h" +#include "minmax.h" #include "operand2sig.h" #include "quote.h" #include "sig2str.h" @@ -41,14 +43,14 @@ /* Array of envvars to unset. */ static const char **usvars; static size_t usvars_alloc; -static ptrdiff_t usvars_used; +static idx_t usvars_used; /* Annotate the output with extra info to aid the user. */ static bool dev_debug; /* Buffer and length of extracted envvars in -S strings. */ static char *varname; -static ptrdiff_t vnlen; +static idx_t vnlen; /* Possible actions on each signal. */ enum SIGNAL_MODE { 
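Review bot: in the @@ -41,14 +43,14 @@ hunk usvars_used becomes idx_t while usvars_alloc stays size_t, so the two counters describing the same array now differ in signedness and every `usvars_used < usvars_alloc`-style comparison becomes a signed/unsigned one under -Wsign-compare. If the array is (or becomes) grown with xpalloc, which takes the allocated count by idx_t * as splitbuf_grow does with &ss->half_alloc, usvars_alloc should move to idx_t in the same patch; the `IF_LINT (usvars_alloc = 0);` left in the unset_envvars hunk would then still be fine. The vnlen change is consistent, since extract_varname's index i is converted in the same patch.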
@@ -175,7 +177,7 @@ append_unset_var (const char *var) static void unset_envvars (void) { - for (ptrdiff_t i = 0; i < usvars_used; ++i) + for (idx_t i = 0; i < usvars_used; ++i) { devmsg ("unset: %s\n", usvars[i]); @@ -190,29 +192,6 @@ unset_envvars (void) IF_LINT (usvars_alloc = 0); } -static bool _GL_ATTRIBUTE_PURE -valid_escape_sequence (const char c) -{ - return (c == 'c' || c == 'f' || c == 'n' || c == 'r' || c == 't' || c == 'v' \ - || c == '#' || c == '$' || c == '_' || c == '"' || c == '\'' \ - || c == '\\'); -} - -static char _GL_ATTRIBUTE_PURE -escape_char (const char c) -{ - switch (c) - { - /* \a, \b not supported by FreeBSD's env. */ - case 'f': return '\f'; - case 'n': return '\n'; - case 'r': return '\r'; - case 't': return '\t'; - case 'v': return '\v'; - default: assume (false); - } -} - /* Return a pointer to the end of a valid ${VARNAME} string, or NULL. 'str' should point to the '$' character. First letter in VARNAME must be alpha or underscore, @@ -241,7 +220,7 @@ scan_varname (const char *str) static char * extract_varname (const char *str) { - ptrdiff_t i; + idx_t i; const char *p; p = scan_varname (str); 
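Review bot: deleting escape_char in the @@ -190,29 +192,6 @@ hunk also deletes its `default: assume (false);`, and that default was reachable: valid_escape_sequence accepted '#', '$' and '"', but the old pass-through test in build_argv (`(!sq && (newc == '#' || newc == '$' || newc == '"'))`) excluded them inside single quotes, so an input such as '\#' fell through to `escape_char (newc)` and hit assume (false), which is undefined behaviour rather than a diagnostic. The replacement switch in build_argv ends in `default: die (...)`, so the hole is closed, but the commit message only says "validate as we go"; it should name this fix, and a test for \#, \$ and \" inside single quotes would keep it closed.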
@@ -263,150 +242,127 @@ extract_varname (const char *str) return varname; } -/* Validate the "-S" parameter, according to the syntax defined by FreeBSD's - env(1). Terminate with an error message if not valid. +/* Temporary buffer used by --split-string processing. */ +struct splitbuf +{ + /* Buffer address, arg count, and half the number of elements in the buffer. + ARGC and ARGV are as in 'main', and ARGC + 1 <= HALF_ALLOC so + that the upper half of ARGV can be used for string contents. + This may waste up to half the space but keeps the code simple, + which is better for this rarely-used but security-sensitive code. + + ARGV[0] is not initialized; that is the caller's responsibility + after finalization. + + During assembly, ARGV[I] (where 0 < I < ARGC) contains the offset + of the Ith string (relative to ARGV + HALF_ALLOC), so that + reallocating ARGV does not change the validity of its contents. + The integer offset is cast to char * during assembly, and is + converted to a true char * pointer on finalization. + + During assembly, ARGV[ARGC] contains the offset of the first + unused string byte (relative to ARGV + HALF_ALLOC). */ + char **argv; + int argc; + idx_t half_alloc; + + /* The number of extra argv slots to keep room for. */ + int extra_argc; + + /* Whether processing should act as if the most recent character + seen was a separator. */ + bool sep; +}; - Calculate and set two values: - bufsize - the size (in bytes) required to hold the resulting string - after ENVVAR expansion (the value is overestimated). - maxargc - the maximum number of arguments (the size of the new argv). */ +/* Expand SS so that it has at least one more argv slot and at least + one more string byte. 
*/ static void -validate_split_str (const char *str, ptrdiff_t *bufsize, int *maxargc) +splitbuf_grow (struct splitbuf *ss) { - bool dq, sq, sp; - const char *pch; - ptrdiff_t buflen; - int cnt = 1; + idx_t old_half_alloc = ss->half_alloc; + idx_t string_bytes = (intptr_t) ss->argv[ss->argc]; + ss->argv = xpalloc (ss->argv, &ss->half_alloc, 1, + MIN (INT_MAX, IDX_MAX), 2 * sizeof *ss->argv); + memmove (ss->argv + ss->half_alloc, ss->argv + old_half_alloc, string_bytes); +} - dq = sq = sp = false; - buflen = strlen (str) + 1; +/* In SS, append C to the last string. */ +static void +splitbuf_append_byte (struct splitbuf *ss, char c) +{ + idx_t string_bytes = (intptr_t) ss->argv[ss->argc]; + if (ss->half_alloc * sizeof *ss->argv <= string_bytes) + splitbuf_grow (ss); + ((char *) (ss->argv + ss->half_alloc))[string_bytes] = c; + ss->argv[ss->argc] = (char *) (intptr_t) (string_bytes + 1); +} - while (*str) +/* If SS's most recent character was a separator, finish off its + previous argument and start a new one. */ +static void +check_start_new_arg (struct splitbuf *ss) +{ + if (ss->sep) { - const char next = str[1]; - - if (c_isspace (*str) && !dq && !sq) - { - sp = true; - } - else - { - if (sp) - ++cnt; - sp = false; - } - - switch (*str) - { - case '\'': - sq = !sq && !dq; - break; - - case '"': - dq = !sq && !dq; - break; - - case '\\': - if (dq && next == 'c') - die (EXIT_CANCELED, 0, - _("'\\c' must not appear in double-quoted -S string")); - - if (next == '\0') - die (EXIT_CANCELED, 0, - _("invalid backslash at end of string in -S")); - - if (!valid_escape_sequence (next)) - die (EXIT_CANCELED, 0, _("invalid sequence '\\%c' in -S"), next); - - if (next == '_') - ++cnt; - - ++str; - break; - - - case '$': - if (sq) - break; - - pch = extract_varname (str); - if (! 
pch) - die (EXIT_CANCELED, 0, _("only ${VARNAME} expansion is supported,"\ - " error at: %s"), str); - - pch = getenv (pch); - if (pch) - buflen += strlen (pch); - break; - } - ++str; + splitbuf_append_byte (ss, '\0'); + int argc = ss->argc; + if (ss->half_alloc <= argc + ss->extra_argc + 1) + splitbuf_grow (ss); + ss->argv[argc + 1] = ss->argv[argc]; + ss->argc = argc + 1; + ss->sep = false; } +} - if (dq || sq) - die (EXIT_CANCELED, 0, _("no terminating quote in -S string")); - - *maxargc = cnt; - *bufsize = buflen; +/* All additions to SS have been made. Convert its offsets to pointers, + and return the resulting argument vector. */ +static char ** +splitbuf_finishup (struct splitbuf *ss) +{ + int argc = ss->argc; + char **argv = ss->argv; + char *stringbase = (char *) (ss->argv + ss->half_alloc); + for (int i = 1; i < argc; i++) + argv[i] = stringbase + (intptr_t) argv[i]; + return argv; } -/* Return a newly-allocated *arg[]-like array, +/* Return a newly-allocated argv-like array, by parsing and splitting the input 'str'. + 'extra_argc' is the number of additional elements to allocate in the array (on top of the number of args required to split 'str'). + Store into *argc the number of arguments found (plus 1 for + the program name). + Example: - char **argv = build_argv ("A=B uname -k', 3) + int argc; + char **argv = build_argv ("A=B uname -k', 3, &argc); Results in: - argv[0] = "DUMMY" - dummy executable name, can be replaced later. + argc = 4 + argv[0] = [not initialized] argv[1] = "A=B" argv[2] = "uname" argv[3] = "-k" - argv[4] = NULL - argv[5,6,7] = [allocated due to extra_argc, but not initialized] + argv[4,5,6,7] = [allocated due to extra_argc + 1, but not initialized] - The strings are stored in an allocated buffer, pointed by argv[0]. 
To free allocated memory: - free (argv[0]); - free (argv); */ + free (argv); + However, 'env' does not free since it's about to exec or exit anyway + and the complexity of keeping track of the storage that may have been + allocated via multiple calls to build_argv is not worth the hassle. */ static char ** -build_argv (const char *str, int extra_argc) +build_argv (const char *str, int extra_argc, int *argc) { - bool dq = false, sq = false, sep = true; - - /* Buffer to hold the new argv values. Allocated as one buffer, but - will contain multiple NUL-terminate strings. */ - char *dest; - - char **newargv, **nextargv; - int newargc = 0; - ptrdiff_t buflen = 0; - - /* This macro is called before inserting any characters to the output - buffer. It checks if the previous character was a separator - and if so starts a new argv element. */ -#define CHECK_START_NEW_ARG \ - do { \ - if (sep) \ - { \ - *dest++ = '\0'; \ - *nextargv++ = dest; \ - sep = false; \ - } \ - } while (0) - - validate_split_str (str, &buflen, &newargc); - - /* Allocate buffer. +6 for the "DUMMY\0" executable name, +1 for NUL. */ - dest = xmalloc (buflen + 6 + 1); - - /* Allocate the argv array. - +2 for the program name (argv[0]) and the last NULL pointer. */ - nextargv = newargv = xmalloc ((newargc + extra_argc + 2) * sizeof (char *)); - - /* argv[0] = executable's name - will be replaced later. */ - strcpy (dest, "DUMMY"); - *nextargv++ = dest; - dest += 6; + bool dq = false, sq = false; + struct splitbuf ss; + ss.argv = xnmalloc (extra_argc + 2, 2 * sizeof *ss.argv); + ss.argc = 1; + ss.half_alloc = extra_argc + 2; + ss.extra_argc = extra_argc; + ss.sep = true; + ss.argv[ss.argc] = 0; /* In the following loop, 'break' causes the character 'newc' to be added to *dest, @@ -421,7 +377,7 @@ build_argv (const char *str, int extra_argc) if (dq) break; sq = !sq; - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); ++str; continue; 
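Review bot: splitbuf keeps string offsets in char * slots via `(char *) (intptr_t) (string_bytes + 1)` and reads them back with `(intptr_t) ss->argv[ss->argc]`; C only guarantees that a valid object pointer round-trips through intptr_t, while converting an arbitrary integer to a pointer (and that pointer back to an integer) is implementation-defined, so this works on every ABI coreutils targets but is not something the struct comment's "security-sensitive code" should lean on silently. Keeping the offsets in a parallel idx_t array, or a union member, and only manufacturing char * values in splitbuf_finishup would remove the casts and the explanatory comment with them. Two smaller points in the same hunk: the doc comment above build_argv still carries the mismatched quotes in `build_argv ("A=B uname -k', 3, &argc)` (should be "A=B uname -k"), and the struct comment states the invariant as `ARGC + 1 <= HALF_ALLOC`, whereas check_start_new_arg actually maintains the stronger ARGC + EXTRA_ARGC + 1 <= HALF_ALLOC that the later memcpy of the remaining operands depends on; documenting the invariant the code really keeps makes the grow condition auditable at a glance. splitbuf_grow reading string_bytes before the xpalloc and using memmove for the possibly overlapping copy is correct.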
@@ -429,7 +385,7 @@ build_argv (const char *str, int extra_argc) if (sq) break; dq = !dq; - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); ++str; continue; @@ -437,12 +393,12 @@ build_argv (const char *str, int extra_argc) /* Start a new argument if outside quotes. */ if (sq || dq) break; - sep = true; + ss.sep = true; str += strspn (str, C_ISSPACE_CHARS); continue; case '#': - if (!sep) + if (!ss.sep) break; goto eos; /* '#' as first char terminates the string. */ @@ -454,26 +410,41 @@ build_argv (const char *str, int extra_argc) /* Skip the backslash and examine the next character. */ newc = *++str; - if (newc == '\\' || newc == '\'' - || (!sq && (newc == '#' || newc == '$' || newc == '"'))) + switch (newc) { + case '"': case '#': case '$': case '\'': case '\\': /* Pass escaped character as-is. */ - } - else if (newc == '_') - { + break; + + case '_': if (!dq) { ++str; /* '\_' outside double-quotes is arg separator. */ - sep = true; + ss.sep = true; continue; } - else - newc = ' '; /* '\_' inside double-quotes is space. */ + newc = ' '; /* '\_' inside double-quotes is space. */ + break; + + case 'c': + if (dq) + die (EXIT_CANCELED, 0, + _("'\\c' must not appear in double-quoted -S string")); + goto eos; /* '\c' terminates the string. */ + + case 'f': newc = '\f'; break; + case 'n': newc = '\n'; break; + case 'r': newc = '\r'; break; + case 't': newc = '\t'; break; + case 'v': newc = '\v'; break; + + case '\0': + die (EXIT_CANCELED, 0, + _("invalid backslash at end of string in -S")); + + default: + die (EXIT_CANCELED, 0, _("invalid sequence '\\%c' in -S"), newc); } - else if (newc == 'c') - goto eos; /* '\c' terminates the string. */ - else - newc = escape_char (newc); /* Other characters (e.g., '\n'). */ break; case '$': 
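Review bot: the rewritten escape switch drops the old `!sq` qualifier, so `\"`, `\#` and `\$` inside single quotes are now passed through literally instead of falling into escape_char; that is the right outcome, but it is a visible behaviour change and the -S escape description in coreutils.texi should say that these escapes are honoured in both quoting contexts, with a test for '\#' and '\$' to pin it. One more thing in the same hunk: `case '_':` sets `ss.sep = true` whenever dq is false, which includes inside single quotes, so '\_' is a separator there too; if that is intended the comment should read "outside double-quotes (including inside single quotes)", since the current wording reads as if quotes in general were excluded.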
@@ -484,12 +455,18 @@ build_argv (const char *str, int extra_argc) /* Store the ${VARNAME} value. */ { char *n = extract_varname (str); + if (!n) + die (EXIT_CANCELED, 0, + _("only ${VARNAME} expansion is supported, error at: %s"), + str); + char *v = getenv (n); if (v) { - CHECK_START_NEW_ARG; + check_start_new_arg (&ss); devmsg ("expanding ${%s} into %s\n", n, quote (v)); - dest = stpcpy (dest, v); + for (; *v; v++) + splitbuf_append_byte (&ss, *v); } else devmsg ("replacing ${%s} with null string\n", n); @@ -499,16 +476,18 @@ build_argv (const char *str, int extra_argc) } } - CHECK_START_NEW_ARG; - *dest++ = newc; + check_start_new_arg (&ss); + splitbuf_append_byte (&ss, newc); ++str; } - eos: - *dest = '\0'; - *nextargv = NULL; /* Mark the last element in argv as NULL. */ + if (dq || sq) + die (EXIT_CANCELED, 0, _("no terminating quote in -S string")); - return newargv; + eos: + splitbuf_append_byte (&ss, '\0'); + *argc = ss.argc; + return splitbuf_finishup (&ss); } /* Process an "-S" string and create the corresponding argv array. 
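Review bot: the new `if (dq || sq) die (EXIT_CANCELED, 0, _("no terminating quote in -S string"));` sits before the eos label, so both `goto eos` paths bypass it. `\c` inside single quotes (only dq is rejected in the 'c' case) ends the string with the quote still open, so `-S "'foo\c"` now yields the single argument foo where the deleted validate_split_str, which ran its own `if (dq || sq)` check over the whole string before any splitting, rejected it; and because '\_' sets ss.sep even inside single quotes, `'a\_#` reaches the '#' path and terminates the same way. If relaxing this is intended, the commit message should say so; otherwise move the check after the eos label so every exit from the loop goes through it. The added NULL check after extract_varname restores the "only ${VARNAME} expansion is supported" diagnostic that validate_split_str used to give, good.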
@@ -517,67 +496,47 @@ build_argv (const char *str, int extra_argc) Example: if executed as: $ env -S"-i -C/tmp A=B" foo bar The input argv is: - argv[0] = 'env' + argv[0] = "env" argv[1] = "-S-i -C/tmp A=B" - argv[2] = foo - argv[3] = bar + argv[2] = "foo" + argv[3] = "bar" + argv[4] = NULL This function will modify argv to be: - argv[0] = 'env' + argv[0] = "env" argv[1] = "-i" argv[2] = "-C/tmp" - argv[3] = A=B" - argv[4] = foo - argv[5] = bar + argv[3] = "A=B" + argv[4] = "foo" + argv[5] = "bar" + argv[6] = NULL argc will be updated from 4 to 6. optind will be reset to 0 to force getopt_long to rescan all arguments. */ static void parse_split_string (const char *str, int *orig_optind, int *orig_argc, char ***orig_argv) { - int i, newargc; - char **newargv, **nextargv; - - - while (c_isspace (*str)) - str++; - if (*str == '\0') - return; - - newargv = build_argv (str, *orig_argc - *orig_optind); + int extra_argc = *orig_argc - *orig_optind, newargc; + char **newargv = build_argv (str, extra_argc, &newargc); /* Restore argv[0] - the 'env' executable name. */ *newargv = (*orig_argv)[0]; - /* Start from argv[1] */ - nextargv = newargv + 1; - - /* Print parsed arguments */ - if (dev_debug && *nextargv) + /* Print parsed arguments. 
*/ + if (dev_debug && 1 < newargc) { devmsg ("split -S: %s\n", quote (str)); - devmsg (" into: %s\n", quote (*nextargv++)); - while (*nextargv) - devmsg (" & %s\n", quote (*nextargv++)); + devmsg (" into: %s\n", quote (newargv[1])); + for (int i = 2; i < newargc; i++) + devmsg (" & %s\n", quote (newargv[i])); } - else - { - /* Ensure nextargv points to the last argument */ - while (*nextargv) - ++nextargv; - } - - /* Add remaining arguments from original command line */ - for (i = *orig_optind; i < *orig_argc; ++i) - *nextargv++ = (*orig_argv)[i]; - *nextargv = NULL; - /* Count how many new arguments we have */ - newargc = 0; - for (nextargv = newargv; *nextargv; ++nextargv) - ++newargc; + /* Add remaining arguments and terminating null from the original + command line. */ + memcpy (newargv + newargc, *orig_argv + *orig_optind, + (extra_argc + 1) * sizeof *newargv); /* Set new values for original getopt variables. */ - *orig_argc = newargc; + *orig_argc = newargc + extra_argc; *orig_argv = newargv; *orig_optind = 0; /* Tell getopt to restart from first argument. */ } -- 2.25.1 --------------244A612492CED8DEF7FFEC37-- From unknown Tue Jun 17 20:19:11 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 27 Apr 2021 11:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator
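Review bot: in the parse_split_string hunk the memcpy of `(extra_argc + 1) * sizeof *newargv` entries copies the original argv's terminating null along with the remaining operands, which is only correct because main's argv is guaranteed null-terminated (argv[argc] == NULL); a one-line comment that the +1 is the terminator, matching the `argv[4] = NULL` line the doc example above now shows, would save the next reader from re-deriving it. Dropping the leading `while (c_isspace (*str)) str++; if (*str == '\0') return;` looks safe on the parts of the loop visible here (whitespace only sets ss.sep, and an empty string ends at eos with newargc == 1, which the `1 < newargc` guard handles), but a blank -S string now allocates and reassigns argv where the old code returned early; harmless, just worth a note in the commit message. Minor style: `int extra_argc = *orig_argc - *orig_optind, newargc;` hides an uninitialized declaration behind an initialized one; two declarations would be clearer.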