From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 76910 invoked by alias); 11 Mar 2015 16:34:08 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 74839 invoked by uid 48); 11 Mar 2015 16:34:04 -0000 From: "carlos at redhat dot com" To: glibc-bugs@sourceware.org Subject: [Bug libc/18096] null deref in wordexp/parse_dollars/parse_arith Date: Wed, 11 Mar 2015 16:34:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: carlos at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-03/txt/msg00131.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=18096 --- Comment #9 from Carlos O'Donell --- (In reply to Kostya Serebryany from comment #7) > a related question: is wordexp() really supposed to call setenv()? > It's not just an undocumented side effect, but it also introduces > thread-unsafety > (AFAICT, setenv is not expected to be thread-safe, but wordexp is) It is documented. The manual already list wordexp as MT-unsafe, see glibc/manual/pattern.texi: @deftypefun int wordexp (const char *@var{words}, wordexp_t *@var{word-vector-ptr}, int @var{flags}) @safety{@prelim{}@mtunsafe{@mtasurace{:utent} @mtasuconst{:@mtsenv{}} @mtsenv{} @mtascusig{:ALRM} @mtascutimer{} @mtslocale{}}@asunsafe{@ascudlopen{} @ascuplugin{} @ascuintl{} @ascuheap{} @asucorrupt{} @asulock{}}@acunsafe{@acucorrupt{} @aculock{} @acsfd{} @acsmem{}}} Which translates into: Preliminary: | MT-Unsafe race:utent const:env env sig:ALRM timer locale | AS- Unsafe dlopen plugin i18n heap corrupt lock | AC-Unsafe corrupt lock fd mem | See Section 1.2.2.1 [POSIX Safety Concepts], page 2. So some of the MT-safety issues can be mitigated, others can't. It needs to call setenv() to correctly handle expansions that might use that value. This is all again a QoI issues, it's likely the only safe way to handle any this is in a child process, which solves the SIGFPE issue also. Keeping the side-effects in the child process. -- You are receiving this mail because: You are on the CC list for the bug.