GNU bug report logs - #47412
env: fragile argument parsing


Package: coreutils;

Reported by: Frank Busse <f.busse <at> imperial.ac.uk>

Date: Fri, 26 Mar 2021 15:40:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Fri, 26 Mar 2021 15:40:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frank Busse <f.busse <at> imperial.ac.uk>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Fri, 26 Mar 2021 15:40:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Frank Busse <f.busse <at> imperial.ac.uk>
To: bug-coreutils <at> gnu.org
Subject: env: fragile argument parsing
Date: Fri, 26 Mar 2021 15:00:17 +0000
Hi,


env crashes for some nonsensical command line arguments (reported by
KLEE), e.g.:

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"

=================================================================
==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
WRITE of size 8 at 0x603000000028 thread T0
 #0 0x562e1cc10789 in build_argv src/env.c:511
 #1 0x562e1cc10982 in parse_split_string src/env.c:548
 #2 0x562e1cc127bc in main src/env.c:849
 #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)

0x603000000028 is located 0 bytes to the right of 24-byte region
[0x603000000010,0x603000000028)
allocated by thread T0 here:
 #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
 #2 0x562e1cc0ff54 in build_argv src/env.c:404
 #3 0x562e1cc10982 in parse_split_string src/env.c:548
 #4 0x562e1cc127bc in main src/env.c:849
 #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---

or

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff \r\x0b\t\x0b-')"

=================================================================
==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30
WRITE of size 8 at 0x603000000030 thread T0
 #0 0x558213728789 in build_argv src/env.c:511
 #1 0x558213728982 in parse_split_string src/env.c:548
 #2 0x55821372a7bc in main src/env.c:849
 #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d)

0x603000000030 is located 0 bytes to the right of 32-byte region
[0x603000000010,0x603000000030) allocated by thread T0 here:
 #0 0x7f5b0611d459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x558213731463 in xmalloc lib/xmalloc.c:41
 #2 0x558213727f54 in build_argv src/env.c:404
 #3 0x558213728982 in parse_split_string src/env.c:548
 #4 0x55821372a7bc in main src/env.c:849
 #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---


Version: 8.32
Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux --without-gmp --disable-acl --disable-largefile --disable-libsmack --disable-xattr --disable-libcap --disable-nls


Kind regards,

Frank
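Added example, not code from the report or from coreutils: both traces show the argv pointer array being allocated in build_argv (24 and 32 bytes, i.e. 3 and 4 pointers) and then an 8-byte write running one slot past its end, and the fix installed later in the thread is named after \v. The model below assumes, as a hypothesis about this bug class rather than a statement about env.c, that a two-pass splitter sizes the array with one separator predicate (space and tab only) and then fills it with a wider one (isspace, which also accepts \v, \f and \r). The hardened variant keeps the same two-pass shape but bounds-checks every store, so a disagreement between the passes becomes an error return instead of a heap write; the function names, predicates and the input string are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two separator predicates.  Sizing the array with narrow_sep while
   splitting with wide_sep under-counts words that are separated only
   by \v, \f or \r (hypothetical model of the count/fill mismatch).  */
static bool narrow_sep (unsigned char c) { return c == ' ' || c == '\t'; }
static bool wide_sep (unsigned char c) { return isspace (c) != 0; }

/* Free a NULL-terminated word array produced by split_words.  */
static void
free_words (char **argv)
{
  if (!argv)
    return;
  for (size_t i = 0; argv[i]; i++)
    free (argv[i]);
  free (argv);
}

/* Copy the bytes in [START, END) into a fresh NUL-terminated string.  */
static char *
copy_range (const char *start, const char *end)
{
  size_t n = (size_t) (end - start);
  char *s = malloc (n + 1);
  if (!s)
    return NULL;
  memcpy (s, start, n);
  s[n] = '\0';
  return s;
}

/* Split STR into words in two passes: COUNT_SEP sizes the array,
   SPLIT_SEP drives the actual split.  Returns the word count and stores
   a NULL-terminated array in *OUT, or returns -1 (with *OUT == NULL)
   when the fill pass would have stored past the sized capacity; that
   store is exactly where an unchecked version corrupts the heap.  */
static int
split_words (const char *str, bool (*count_sep) (unsigned char),
             bool (*split_sep) (unsigned char), char ***out)
{
  *out = NULL;
  size_t cap = 1;                       /* pessimistic bound: separators + 1 */
  for (const char *p = str; *p; p++)
    if (count_sep ((unsigned char) *p))
      cap++;

  char **argv = calloc (cap + 1, sizeof *argv);   /* +1 for the trailing NULL */
  if (!argv)
    return -1;

  size_t argc = 0;
  const char *p = str;
  for (;;)
    {
      while (*p && split_sep ((unsigned char) *p))   /* skip separators */
        p++;
      if (!*p)
        break;
      const char *start = p;
      while (*p && !split_sep ((unsigned char) *p))  /* scan one word */
        p++;
      if (argc == cap)                  /* the two passes disagreed: refuse */
        {
          free_words (argv);
          return -1;
        }
      argv[argc] = copy_range (start, p);
      if (!argv[argc])
        {
          free_words (argv);
          return -1;
        }
      argc++;
    }
  argv[argc] = NULL;
  *out = argv;
  return (int) argc;
}

int
main (void)
{
  char **argv;
  const char *input = "a\vb\vc";        /* constructed: \v-separated words */
  int n = split_words (input, narrow_sep, wide_sep, &argv);
  printf ("mismatched predicates: %d (store past capacity refused)\n", n);
  n = split_words (input, wide_sep, wide_sep, &argv);
  printf ("consistent predicates: %d words\n", n);
  free_words (argv);
  return 0;
}
```

The defensive point is the `argc == cap` check: a pessimistic upper bound is only safe if the pass that consumes it cannot exceed it, and the cheapest way to guarantee that is to use one predicate in both passes and still check the index on every store. Under ASan, the unchecked form of this loop produces a report with the same shape as the two above (xmalloc in the counting pass, an 8-byte WRITE one slot past the region in the fill pass).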




Information forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Fri, 26 Mar 2021 20:14:02 GMT) Full text and rfc822 format available.

Message #8 received at 47412 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Frank Busse <f.busse <at> imperial.ac.uk>, 47412 <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Fri, 26 Mar 2021 20:12:53 +0000
On 26/03/2021 15:00, Frank Busse wrote:
> Hi,
> 
> 
> env crashes for some nonsensical command line arguments (reported by
> KLEE), e.g.:
> 
> ---
>> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"
> 
> =================================================================
> ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
> WRITE of size 8 at 0x603000000028 thread T0
>   #0 0x562e1cc10789 in build_argv src/env.c:511
>   #1 0x562e1cc10982 in parse_split_string src/env.c:548
>   #2 0x562e1cc127bc in main src/env.c:849
>   #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
>   #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)
> 
> 0x603000000028 is located 0 bytes to the right of 24-byte region
> [0x603000000010,0x603000000028)
> allocated by thread T0 here:
>   #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
>   #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
>   #2 0x562e1cc0ff54 in build_argv src/env.c:404
>   #3 0x562e1cc10982 in parse_split_string src/env.c:548
>   #4 0x562e1cc127bc in main src/env.c:849
>   #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

Confirmed on an ASAN build of the latest source.
I'll fix it up.

thanks!
Pádraig




Information forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Fri, 26 Mar 2021 20:50:02 GMT) Full text and rfc822 format available.

Message #11 received at 47412 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Pádraig Brady <P <at> draigBrady.com>,
 Frank Busse <f.busse <at> imperial.ac.uk>, 47412 <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Fri, 26 Mar 2021 13:49:24 -0700
On 3/26/21 1:12 PM, Pádraig Brady wrote:

> I'll fix it up.

I've got a fix. My goodness, that part of the code is messy.




Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Fri, 26 Mar 2021 20:53:01 GMT) Full text and rfc822 format available.

Notification sent to Frank Busse <f.busse <at> imperial.ac.uk>:
bug acknowledged by developer. (Fri, 26 Mar 2021 20:53:01 GMT) Full text and rfc822 format available.

Message #16 received at 47412-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Frank Busse <f.busse <at> imperial.ac.uk>
Cc: 47412-done <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Fri, 26 Mar 2021 13:52:40 -0700
[Message part 1 (text/plain, inline)]
Thanks for the bug report. I installed the attached to fix it and am 
closing the report.
[0001-env-fix-address-violation-with-v-in-S.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Fri, 26 Mar 2021 22:22:01 GMT) Full text and rfc822 format available.

Message #19 received at 47412 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Frank Busse <f.busse <at> imperial.ac.uk>
Cc: 47412 <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Fri, 26 Mar 2021 15:21:01 -0700
[Message part 1 (text/plain, inline)]
I also installed the attached two followup patches to document this and 
issue a better warning in rare cases.

The -S code could use some more fixes in this area too - it can probably 
still dump core on platforms like the Hurd that don't limit exec arg 
size - but one thing at a time.
[0001-doc-document-env-fix.patch (text/x-patch, attachment)]
[0001-env-improve-whitespace-warning.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Mon, 29 Mar 2021 15:01:01 GMT) Full text and rfc822 format available.

Message #22 received at 47412 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: 47412 <at> debbugs.gnu.org, eggert <at> cs.ucla.edu, f.busse <at> imperial.ac.uk
Subject: Re: bug#47412: env: fragile argument parsing
Date: Mon, 29 Mar 2021 16:00:38 +0100
On 26/03/2021 20:52, Paul Eggert wrote:
> Thanks for the bug report. I installed the attached to fix it and am
> closing the report.

The fix looks good, thanks.
I added in a test case also at:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=9f1bda18f

cheers,
Pádraig




Information forwarded to bug-coreutils <at> gnu.org:
bug#47412; Package coreutils. (Tue, 30 Mar 2021 05:07:02 GMT) Full text and rfc822 format available.

Message #25 received at 47412 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Frank Busse <f.busse <at> imperial.ac.uk>
Cc: 47412 <at> debbugs.gnu.org
Subject: Re: bug#47412: env: fragile argument parsing
Date: Mon, 29 Mar 2021 22:06:15 -0700
[Message part 1 (text/plain, inline)]
On 3/26/21 3:21 PM, Paul Eggert wrote:
> The -S code could use some more fixes in this area too - it can 
> probably still dump core on platforms like the Hurd that don't limit 
> exec arg size - but one thing at a time. 

I fixed the (unlikely) bugs I found in this area by installing the attached.

[0001-env-simplify-split-string-memory-management.patch (text/x-patch, attachment)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 27 Apr 2021 11:24:04 GMT) Full text and rfc822 format available.
