13 Commits

Author SHA1 Message Date
Adhemerval Zanella
283d985122 posix: Fix posix_spawnp to not execute invalid binaries in non compat mode (BZ#23264)
Current posix_spawnp implementation wrongly tries to execute invalid
binaries (for instance script without shebang) as a shell script in
non compat mode.  It was a regression introduced by
9ff72da471 when __spawni started to use
__execvpe instead of __execve (glibc __execvpe tries to execute ENOEXEC
as shell script regardless).

This patch fixes it by using an internal symbol (__execvpex) with the
faulty semantic (since compat mode is handled by spawni.c itself).

It was reported by Daniel Drake on libc-help [1].

Checked on x86_64-linux-gnu and i686-linux-gnu.

	[BZ #23264]
	* include/unistd.h (__execvpex): New prototype.
	* posix/Makefile (tests): Add tst-spawn4.
	(tests-internal): Add tst-spawn4-compat.
	* posix/execvpe.c (__execvpe_common, __execvpex): New functions.
	* posix/tst-spawn4-compat.c: New file.
	* posix/tst-spawn4.c: Likewise.
	* sysdeps/unix/sysv/linux/spawni.c (__spawni): Do not interpret invalid
	binaries as shell scripts.
	* sysdeps/posix/spawni.c (__spawni): Likewise.

[1] https://sourceware.org/ml/libc-help/2018-06/msg00012.html
2018-06-08 17:27:46 -03:00
Joseph Myers
688903eb3e Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2018-01-01 00:32:25 +00:00
Joseph Myers
bfff8b1bec Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
Adhemerval Zanella
8047e7cf71 Fix writes past the allocated array bounds in execvpe (BZ#20847)
Commit 6c9e1be87a wrongly fixes BZ#20847 by leaving the else branch
on maybe_script_execute still able to do an invalid write on the stack
allocated buffer.  It happens if execvp{e} is executed with an empty
arguments list ({ NULL }) and although the manual states the first argument
should be the script name itself, by convention, old and current
implementations allow it.

This patch fixes the issue by just accounting for arguments and not the
final 'NULL' (since the 'argv + 1' will indeed ignore the script name).
The empty argument list is handled in a special case with a minimum
allocated size.  The patch also adds extra tests for such case in
tst-vfork3.

Tested on x86_64.

	[BZ #20847]
	* posix/execvpe.c (maybe_script_execute): Remove write past allocated
	array bounds for else branch.
	(__execvpe): Style fixes.
	* posix/tst-vfork3.c (run_script): New function.
	(create_script): Likewise.
	(do_test): Use run_script internal function.
	(do_prepare): Use create_script internal function.
2016-12-07 09:48:26 -02:00
Adhemerval Zanella
6c9e1be87a Fix writes past the allocated array bounds in execvpe (BZ#20847)
This patch fixes an invalid write out of stack allocated buffer in
2 places at execvpe implementation:

  1. On 'maybe_script_execute' function where it allocates the new
     argument list and it does not account that a minimum of argc
     plus 3 elements (default shell path, script name, arguments,
     and ending null pointer) should be considered.  The straightforward
     fix is just to take account of the correct list size on argument
     copy.

  2. On '__execvpe' where the executable file name length may not
     account for ending '\0' and thus subsequent path creation may
     write past array bounds because it requires to add the terminating
     null.  The fix is to change how to calculate the executable name
     size to add the final '\0' and adjust the rest of the code
     accordingly.

As described in GCC bug report 78433 [1], these issues were masked off by
GCC because it allocated several bytes more than necessary so that many
off-by-one bugs went unnoticed.

Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS.

	[BZ #20847]
	* posix/execvpe.c (maybe_script_execute): Remove write past allocated
	array bounds.
	(__execvpe): Likewise.

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433
2016-11-22 10:23:07 -02:00
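The argument-list sizing that the two BZ#20847 commit messages describe, as an added example that is not glibc's code: it builds the shell fallback vector for a script without a shebang and handles the empty `{ NULL }` argument list separately. The names `build_shell_argv` and `SHELL_PATH` are hypothetical, and heap allocation is used here instead of the stack allocation the commits discuss.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHELL_PATH "/bin/sh"  /* assumption: stand-in for the default shell */

/* Build { shell, file, argv[1], ..., NULL } for the ENOEXEC fallback.
   Returns a malloc'ed vector and stores its slot count (terminator
   included) in *slots; returns NULL with errno set on failure.  */
char **build_shell_argv (const char *file, char *const argv[], size_t *slots)
{
  size_t argc = 0;
  while (argv[argc] != NULL)
    if (++argc == (size_t) INT_MAX - 1)
      { errno = E2BIG; return NULL; }

  /* argc >= 1: argv[0] is dropped in favour of FILE, so the list holds
     shell + file + (argc - 1) arguments + NULL = argc + 2 slots.
     argc == 0 ({ NULL }): there is no argv[0] to drop; copying from
     argv + 1 would read past the terminator, so use a fixed 3 slots.  */
  size_t n = argc > 0 ? argc + 2 : 3;
  char **v = malloc (n * sizeof *v);
  if (v == NULL)
    return NULL;
  v[0] = (char *) SHELL_PATH;
  v[1] = (char *) file;
  if (argc > 1)
    memcpy (v + 2, argv + 1, (argc - 1) * sizeof *v);
  v[n - 1] = NULL;
  *slots = n;
  return v;
}

int main (void)
{
  char *empty[] = { NULL };                      /* constructed input */
  char *full[] = { "script", "-a", "b", NULL };  /* constructed input */
  size_t n;
  char **v = build_shell_argv ("./script", empty, &n);
  printf ("empty argv -> %zu slots\n", n);
  free (v);
  v = build_shell_argv ("./script", full, &n);
  printf ("3-entry argv -> %zu slots, v[2]=%s\n", n, v[2]);
  free (v);
  return 0;
}
```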
Adhemerval Zanella
1eb8930608 posix: execvpe cleanup
This patch removes all the dynamic allocation on execvpe code and
instead uses direct stack allocation.  This is a QoI approach to make
it possible to use in scenarios where memory is shared with parent
(vfork or clone with CLONE_VM).

For default process spawn (script file without a shebang), stack
allocation is bounded by NAME_MAX plus PATH_MAX plus 1.  Large
file arguments return an error (ENAMETOOLONG).  This differs from
current GLIBC practice in general, but it is used to limit stack
allocation for large inputs.  Also, paths in the PATH environment variable
larger than PATH_MAX are ignored.

The shell direct execution exception, where execve returns ENOEXEC,
might require a large stack allocation due to a large input argument list.

Tested on i686, x86_64, powerpc64le, and aarch64.

	* posix/execvpe.c (__execvpe): Remove dynamic allocation.
	* posix/Makefile (tests): Add tst-execvpe{1,2,3,4,5,6}.
	* posix/tst-execvp1.c (do_test): Use a macro to call execvp.
	* posix/tst-execvp2.c (do_test): Likewise.
	* posix/tst-execvp3.c (do_test): Likewise.
	* posix/tst-execvp4.c (do_test): Likewise.
	* posix/tst-execvpe1.c: New file.
	* posix/tst-execvpe2.c: Likewise.
	* posix/tst-execvpe3.c: Likewise.
	* posix/tst-execvpe4.c: Likewise.
	* posix/tst-execvpe5.c: Likewise.
	* posix/tst-execvpe6.c: Likewise.
2016-03-07 00:21:37 -03:00
Joseph Myers
f7a9f785e5 Update copyright dates with scripts/update-copyrights. 2016-01-04 16:05:18 +00:00
Joseph Myers
a72ddc1424 Convert 24 more function definitions to prototype style (array parameters).
This automatically-generated patch converts 24 function definitions in
glibc from old-style K&R to prototype-style.  Following my other
recent such patches, this one deals with the case of functions with
array parameters.

Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).

	* crypt/cert.c (main): Convert to prototype-style function
	definition.
	* io/pipe.c (__pipe): Likewise.
	* io/pipe2.c (__pipe2): Likewise.
	* misc/futimesat.c (futimesat): Likewise.
	* misc/utimes.c (__utimes): Likewise.
	* posix/execve.c (__execve): Likewise.
	* posix/execvp.c (execvp): Likewise.
	* posix/execvpe.c (__execvpe): Likewise.
	* posix/fexecve.c (fexecve): Likewise.
	* socket/socketpair.c (socketpair): Likewise.
	* stdlib/drand48-iter.c (__drand48_iterate): Likewise.
	* stdlib/erand48.c (erand48): Likewise.
	* stdlib/erand48_r.c (__erand48_r): Likewise.
	* stdlib/jrand48.c (jrand48): Likewise.
	* stdlib/jrand48_r.c (__jrand48_r): Likewise.
	* stdlib/lcong48.c (lcong48): Likewise.
	* stdlib/lcong48_r.c (__lcong48_r): Likewise.
	* stdlib/nrand48.c (nrand48): Likewise.
	* stdlib/nrand48_r.c (__nrand48_r): Likewise.
	* stdlib/seed48.c (seed48): Likewise.
	* stdlib/seed48_r.c (__seed48_r): Likewise.
	* sysdeps/mach/hurd/execve.c (__execve): Likewise.
	* sysdeps/mach/hurd/utimes.c (__utimes): Likewise.
	* sysdeps/unix/sysv/linux/fexecve.c (fexecve): Likewise.
2015-10-20 11:51:03 +00:00
Joseph Myers
b168057aaa Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
Allan McRae
d4697bc93d Update copyright notices with scripts/update-copyrights 2014-01-01 22:00:23 +10:00
Joseph Myers
568035b787 Update copyright notices with scripts/update-copyrights. 2013-01-02 19:05:09 +00:00
Paul Eggert
59ba27a63a Replace FSF snail mail address with URLs. 2012-02-09 23:18:22 +00:00
Ulrich Drepper
3d5243d416 Implement execvpe.
There is some existing practice in other OSes and it's trivial to
implement given the existing code.  Fixes BZ #10221.
2009-06-02 07:03:02 -07:00