diff mbox

Fix writes past the allocated array bounds in execvpe (BZ# 20847)

Message ID d9adaf6e-9bf7-b73f-f123-e846ff5388b5@linaro.org
State New
Headers show

Commit Message

Adhemerval Zanella Netto Nov. 21, 2016, 2:54 p.m. UTC 
On 21/11/2016 12:16, Stefan Liebler wrote:
> On 11/21/2016 02:18 PM, Adhemerval Zanella wrote:
>> This patch fixes an invalid write out or stack allocated buffer in
>> 2 places at execvpe implementation:
>>
>>   1. On 'maybe_script_execute' function where it allocates the new
>>      argument list and it does not account that a minimum of argc
>>      plus 3 elements (default shell path, script name, arguments,
>>      and ending null pointer) should be considered.  The straightforward
>>      fix is just to take account of the correct list size.
>>
>>   2. On '__execvpe' where the executable file name lenght may not
>>      account for ending '\0' and thus subsequent path creation may
>>      write past array bounds because it requires to add the terminating
>>      null.  The fix is to change how to calculate the executable name
>>      size to add the final '\0' and adjust the rest of the code
>>      accordingly.
>>
>> As described in GCC bug report 78433 [1], these issues were masked off by
>> GCC because it allocated several bytes more than necessary so that many
>> off-by-one bugs went unnoticed.
>>
>> Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS.
>>
>>     * posix/execvpe.c (maybe_script_execute): Remove write past allocated
>>     array bounds.
>>     (__execvpe): Likewise.
>>
>> [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433
>> ---
>>  ChangeLog       |  7 +++++++
>>  posix/execvpe.c | 17 +++++++++++------
>>  2 files changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/posix/execvpe.c b/posix/execvpe.c
>> index d933f9c..bd535b1 100644
>> --- a/posix/execvpe.c
>> +++ b/posix/execvpe.c
>> @@ -41,15 +41,16 @@ maybe_script_execute (const char *file, char *const argv[], char *const envp[])
>>    ptrdiff_t argc = 0;
>>    while (argv[argc++] != NULL)
>>      {
>> -      if (argc == INT_MAX - 1)
>> +      if (argc == INT_MAX - 2)
>>      {
>>        errno = E2BIG;
>>        return;
>>      }
>>      }
>>
>> -  /* Construct an argument list for the shell.  */
>> -  char *new_argv[argc + 1];
>> +  /* Construct an argument list for the shell.  It will contain at minimum 3
>> +     arguments (current shell, script, and an ending NULL.  */
>> +  char *new_argv[argc + 2];
>>    new_argv[0] = (char *) _PATH_BSHELL;
>>    new_argv[1] = (char *) file;
>>    if (argc > 1)
> Is this fix correct?

I think it is incomplete based on your remarks.

> memcpy reads behind NULL in argv!
> Assume:
> argv[0]="tst.sh"; argv[1]="abc"; argv[2]=NULL;
> => argc=3
> char *new_argv[3 + 2];
> memcpy (new_argv + 2, argv + 1, 3 * sizeof(char *))
> =>
> new_argv[0]=_PATH_BSHELL
> new_argv[1]=file
> new_argv[2]=argv[1]; /* "abc"  */
> new_argv[3]=argv[2]; /* NULL  */
> new_argv[4]=argv[3]; /* => reads from behind NULL-element in argv!  */
> 

Yes, we need to take only the script arguments without the script
itself.  Something like:
diff mbox

Patch

diff --git a/posix/execvpe.c b/posix/execvpe.c
index bd535b1..96a12bf5 100644
--- a/posix/execvpe.c
+++ b/posix/execvpe.c
@@ -54,7 +54,7 @@  maybe_script_execute (const char *file, char *const argv[], char *const envp[])
   new_argv[0] = (char *) _PATH_BSHELL;
   new_argv[1] = (char *) file;
   if (argc > 1)
-    memcpy (new_argv + 2, argv + 1, argc * sizeof(char *));
+    memcpy (new_argv + 2, argv + 1, (argc - 1) * sizeof(char *));
   else
     new_argv[2] = NULL;