From mboxrd@z Thu Jan 1 00:00:00 1970
From: "ppluzhnikov at google dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Date: Mon, 09 Mar 2015 22:25:00 -0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.21
X-Bugzilla-Severity: normal
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: ppluzhnikov at google dot com
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: bug_status resolution
X-SW-Source: 2015-03/txt/msg00092.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Paul Pluzhnikov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #17 from Paul Pluzhnikov ---
The test from comment #13 is invalid. Small repro:

#include <stdio.h>
#include <stdlib.h>

int main() {
  setenv("Ca", NULL, 1);   /* NULL value violates setenv(3)'s nonnull contract */
  char *p = getenv("Ca");
  printf("p: %s\n", p);
  return 0;
}

$ gcc t2.c
t2.c: In function ‘main’:
t2.c:5:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   setenv("Ca", NULL, 1);
   ^

That is, setenv(..., NULL, ...) is explicitly disallowed.

valgrind ./a.out
==30371== Invalid read of size 1
==30371==    at 0x4A70A03: vfprintf (/build/buildd/eglibc-2.19/stdio-common/vfprintf.c:1661)
==30371==    by 0x4A79498: printf (/build/buildd/eglibc-2.19/stdio-common/printf.c:33)
==30371==    by 0x40060C: main (in /tmp/a.out)
==30371==  Address 0x4dea2d3 is 0 bytes after a block of size 3 alloc'd
==30371==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==30371==    by 0x4A60C59: __add_to_environ (/build/buildd/eglibc-2.19/stdlib/setenv.c:193)
==30371==    by 0x40344BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==30371==    by 0x4005E8: main (in /tmp/a.out)

Now, arguably GLIBC could do something smarter and make these equivalent:

  setenv("Ca", NULL, 1);
  setenv("Ca", "", 1);

But if that NULL should be handled at all, it's a separate bug.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From glibc-bugs-return-27800-listarch-glibc-bugs=sources.redhat.com@sourceware.org Mon Mar 09 22:27:30 2015
From: "konstantin.s.serebryany at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Date: Mon, 09 Mar 2015 22:27:00 -0000
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Flags: security+
X-SW-Source: 2015-03/txt/msg00093.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #18 from Kostya Serebryany ---
The problem here is that

  setenv("Ca", NULL, 1);

is performed by wordexp. I'll file a separate bug.
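The valgrind report in comment #17 (a 3-byte block "Ca=" with no terminator, read one byte past its end by printf) and the observation in comment #18 that the NULL value comes from a caller rather than from the test itself both point at the same defensive check: reject or normalise a NULL value before it reaches setenv. The following is an added example, not code from the bug report or from glibc. `env_entry_size` models the "name=value" allocation arithmetic implied by the report's block size of 3 (it is a model, not glibc's source), and `checked_setenv` is a hypothetical wrapper that enforces the same contract the -Wnonnull warning describes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the environment-entry allocation implied by the valgrind
   report: name, '=', then the value *including* its NUL only when a
   value is present.  "Ca" with a NULL value gives 3 bytes, "Ca=",
   and no terminator.  (Modelled from the report, not glibc's code.) */
size_t env_entry_size(const char *name, const char *value)
{
    size_t namelen = strlen(name);
    size_t vallen = value != NULL ? strlen(value) + 1 : 0; /* 0 => no NUL */
    return namelen + 1 + vallen;
}

/* 1 if an entry of env_entry_size() bytes has room for the NUL that the
   caller of getenv() will read, 0 if a read past the end is possible. */
int env_entry_terminated(const char *name, const char *value)
{
    size_t needed = strlen(name) + 1 + (value != NULL ? strlen(value) : 0) + 1;
    return env_entry_size(name, value) >= needed;
}

/* Hypothetical hardened wrapper: refuse the arguments setenv(3) declares
   invalid instead of handing them to the C library.  Returns 0 on
   success, -1 with errno = EINVAL otherwise. */
int checked_setenv(const char *name, const char *value, int overwrite)
{
    if (name == NULL || *name == '\0' || strchr(name, '=') != NULL) {
        errno = EINVAL;
        return -1;
    }
    if (value == NULL) {          /* the case from the bug report */
        errno = EINVAL;
        return -1;
    }
    return setenv(name, value, overwrite);
}

int main(void)
{
    if (checked_setenv("Ca", NULL, 1) == -1)
        printf("NULL value rejected: %s\n", strerror(errno));
    if (checked_setenv("Ca", "", 1) == 0)
        printf("Ca=[%s]\n", getenv("Ca"));
    printf("modelled entry for (\"Ca\", NULL): %zu bytes, terminated: %d\n",
           env_entry_size("Ca", NULL), env_entry_terminated("Ca", NULL));
    return 0;
}
```

Whether the wrapper should reject NULL or map it to "" is exactly the policy question comment #17 leaves open; the example rejects it, which matches the compiler's warning and keeps the decision visible at the call site.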