Environment handling broken in /bin/sh with changes to
{get,set,put}env()
Andrey Chernov
ache at nagual.pp.ru
Fri Jul 13 16:27:46 UTC 2007
On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:
> Hmm. I just think a bit more and feel worry about that place in the merge
> code:
>
> *equals = '\0';
> if (setenv(*env, equals + 1, 1) == -1)
> return (-1);
> *equals = '=';
> because it modifies memory which may be treated like const one.
>
> Consider following scenario: getenv() is not thread-safe, but may be
[snip]
I found another breakage case not covered by your last getenv() fix.
Take this simple program:
-- a.c -------------------------------------------------------------------
#include <stdlib.h>
extern char **environ;
main () {
static char *nenv[2];
nenv[0] = "PATH=/bin";
nenv[1] = NULL;
/*
environ = nenv;
unsetenv("PATH"); or somethig like
which touch '=' char in nenv[0]
*/
nenv[0][4] = '\0';
}
-- a.c -------------------------------------------------------------------
Look at assembler code first:
cc -S a.c
cat a.s
.file "a.c"
.local nenv.1948
.comm nenv.1948,8,4
.section .rodata
.LC0:
.string "PATH=/bin"
.text
[skipped]
As you may see, compiler puts "PATH=/bin" to the program's .rodata section
which is placed to read only memory.
If later you'll modify this single "PATH=/bin" (comes from "nenv" now) by
*equals = '\0';
...
*equals = '=';
core dump happens, which simulated in my simple a.c example by
nenv[0][4] = '\0';
Just run it and got code dump.
--
http://ache.pp.ru/
More information about the freebsd-current
mailing list