GNU bug report logs - #47412
env: fragile argument parsing


Package: coreutils;

Reported by: Frank Busse <f.busse <at> imperial.ac.uk>

Date: Fri, 26 Mar 2021 15:40:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#47412: closed (env: fragile argument parsing)
Date: Fri, 26 Mar 2021 20:53:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Fri, 26 Mar 2021 13:52:40 -0700
with message-id <21fd1450-205f-8330-d493-af3375e42949 <at> cs.ucla.edu>
and subject line Re: bug#47412: env: fragile argument parsing
has caused the debbugs.gnu.org bug report #47412,
regarding env: fragile argument parsing
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
47412: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47412
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Frank Busse <f.busse <at> imperial.ac.uk>
To: bug-coreutils <at> gnu.org
Subject: env: fragile argument parsing
Date: Fri, 26 Mar 2021 15:00:17 +0000
Hi,


env crashes for some nonsensical command line arguments (reported by
KLEE), e.g.:

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"

=================================================================
==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
WRITE of size 8 at 0x603000000028 thread T0
 #0 0x562e1cc10789 in build_argv src/env.c:511
 #1 0x562e1cc10982 in parse_split_string src/env.c:548
 #2 0x562e1cc127bc in main src/env.c:849
 #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)

0x603000000028 is located 0 bytes to the right of 24-byte region
[0x603000000010,0x603000000028)
allocated by thread T0 here:
 #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
 #2 0x562e1cc0ff54 in build_argv src/env.c:404
 #3 0x562e1cc10982 in parse_split_string src/env.c:548
 #4 0x562e1cc127bc in main src/env.c:849
 #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---

or

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff \r\x0b\t\x0b-')"

=================================================================
==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30
WRITE of size 8 at 0x603000000030 thread T0
 #0 0x558213728789 in build_argv src/env.c:511
 #1 0x558213728982 in parse_split_string src/env.c:548
 #2 0x55821372a7bc in main src/env.c:849
 #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d)

0x603000000030 is located 0 bytes to the right of 32-byte region
[0x603000000010,0x603000000030)
allocated by thread T0 here:
 #0 0x7f5b0611d459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x558213731463 in xmalloc lib/xmalloc.c:41
 #2 0x558213727f54 in build_argv src/env.c:404
 #3 0x558213728982 in parse_split_string src/env.c:548
 #4 0x55821372a7bc in main src/env.c:849
 #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---


Version: 8.32
Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux --without-gmp --disable-acl --disable-largefile --disable-libsmack --disable-xattr --disable-libcap --disable-nls


Kind regards,

Frank


[Message part 3 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Frank Busse <f.busse <at> imperial.ac.uk>
Cc: 47412-done <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Fri, 26 Mar 2021 13:52:40 -0700
[Message part 4 (text/plain, inline)]
Thanks for the bug report. I installed the attached to fix it and am 
closing the report.
[0001-env-fix-address-violation-with-v-in-S.patch (text/x-patch, attachment)]
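
Editor's added example (not part of the report, not coreutils' build_argv and not Paul's patch, which the page only names): a constructed C model of the failure mode the two traces describe. Each trace records an 8-byte write one slot past a region of three and of four pointers, that is, the splitter stored more argv pointers than it had allocated, and the patch title names '\v' as the trigger. The model assumes a splitter that sizes argv from a bound on the input length and that uses two different whitespace tests, so that a byte such as '\v' opens an argument under one test and closes it under the other. The bound, the function names tokenize, estimate_holds and split_args, and the choice of two predicates are assumptions; this simplified model is defeated by the second reported input but not the first, since the real build_argv logic is not on this page. The hardened split_args sizes both arrays from a dry run of the very tokenizer that fills them, so no estimate can disagree with the code that writes.

```c
/* Constructed model of the bug class in #47412: an argv array sized from an
 * estimate of the input rather than by the tokenizer that fills it.  This is
 * NOT coreutils' build_argv; predicates, bound and names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* env -S style splitting: blanks outside double quotes separate arguments.
 * With ARGV and BUF NULL it only counts slots (final NULL included) and output
 * bytes, so sizes come from the same code path that writes.  INCONSISTENT
 * enables the modelled defect: a second, wider whitespace test.  */
static void
tokenize (const char *str, bool inconsistent, char **argv, char *buf,
          size_t *nslots, size_t *nbytes)
{
  bool dq = false, sep = true;
  size_t n = 0, b = 0;
  for (const char *p = str; *p; p++)
    {
      unsigned char c = (unsigned char) *p;
      if (!dq && (c == ' ' || c == '\t'))      /* blank: close argument */
        {
          if (!sep) { if (buf) buf[b] = '\0'; b++; sep = true; }
          continue;
        }
      if (sep)                                 /* any other byte: open one */
        {
          if (argv) argv[n] = buf + b;
          n++; sep = false;
        }
      if (c == '"') { dq = !dq; continue; }    /* unterminated quote tolerated */
      /* Modelled defect: '\v', '\r', '\n', '\f' were data for the blank test
       * (so they opened an argument) but are whitespace here (so they close
       * it): one argument and one NUL per such byte, which breaks any bound
       * assuming an argument costs at least one byte plus a separator.  */
      if (inconsistent && !dq && isspace (c))
        {
          if (buf) buf[b] = '\0';
          b++; sep = true; continue;
        }
      if (buf) buf[b] = (char) c;
      b++;
    }
  if (!sep) { if (buf) buf[b] = '\0'; b++; }
  if (argv) argv[n] = NULL;
  *nslots = n + 1;                             /* the NULL is a slot too */
  *nbytes = b;
}

/* The kind of bound a splitter might allocate from instead of counting
 * (assumed here): one argument per two input bytes plus the NULL, and one
 * output byte per input byte plus a terminator.  */
static size_t estimated_slots (size_t len) { return len / 2 + 2; }
static size_t estimated_bytes (size_t len) { return len + 1; }

/* True if the bound covers what the tokenizer would write.  A false result
 * corresponds to the out-of-bounds pointer write in the traces above.  */
bool
estimate_holds (const char *str, bool inconsistent)
{
  size_t slots, bytes, len = strlen (str);
  tokenize (str, inconsistent, NULL, NULL, &slots, &bytes);
  return slots <= estimated_slots (len) && bytes <= estimated_bytes (len);
}

/* Hardened form: one whitespace predicate, and both arrays sized by a dry run
 * of the very tokenizer that fills them.  argv and the string buffer share
 * one allocation, so free (argv) releases all of it.  NULL if malloc fails. */
char **
split_args (const char *str, size_t *argc_out)
{
  size_t slots, bytes, slots2, bytes2;
  tokenize (str, false, NULL, NULL, &slots, &bytes);
  char **argv = malloc (slots * sizeof *argv + bytes);
  if (!argv)
    return NULL;
  char *buf = (char *) (argv + slots);
  tokenize (str, false, argv, buf, &slots2, &bytes2);
  if (slots2 != slots || bytes2 != bytes)
    abort ();                                  /* same code twice: cannot differ */
  *argc_out = slots - 1;
  return argv;
}

int
main (void)
{
  /* The report's two inputs as constructed C literals, the minimal input that
   * defeats the model's bound, and a benign one.  */
  const char *inputs[] = { "\"\"\t\v", "\xff \r\v\t\v-", "\v\v\v\v", "a \"b c\"\td" };
  for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
    {
      size_t argc;
      char **argv = split_args (inputs[i], &argc);
      if (!argv)
        return 1;
      printf ("input %zu: bound holds with one predicate: %d, with two: %d\n",
              i, estimate_holds (inputs[i], false), estimate_holds (inputs[i], true));
      for (size_t j = 0; j < argc; j++)
        printf ("  argv[%zu]: %zu bytes\n", j, strlen (argv[j]));
      free (argv);
    }
  return 0;
}
```

Build it with the report's flags (cc -ggdb -O0 -fsanitize=address) to confirm that split_args stays clean under ASan on all four inputs; estimate_holds never writes out of bounds itself, it only reports whether the modelled allocation would have been too small. The point for reviewers of similar code: a length-derived bound rests on an invariant about what the tokenizer loop does with every byte, and that invariant is easiest to keep when the loop itself is what sizes the allocation.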
