Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()

From: Sean C. Farley <scf_at_FreeBSD.org>
Date: Fri, 13 Jul 2007 14:39:30 -0500 (CDT)
On Fri, 13 Jul 2007, Andrey Chernov wrote:

> On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:

*snip*

> [snip]
>
> I found another breakage case not covered by your last getenv() fix.
> Take this simple program:
>
> -- a.c ---------------------------------------------------------------
> #include <stdlib.h>
> extern char **environ;
>
> main () {
>
> static char *nenv[2];
>
> nenv[0] = "PATH=/bin";
> nenv[1] = NULL;
>
> /*
>   environ = nenv;
>   unsetenv("PATH"); or somethig like
>   which touch '=' char in nenv[0]
> */
>
> nenv[0][4] = '\0';
>
> }
> -- a.c ---------------------------------------------------------------

*snip*

> As you may see, compiler puts "PATH=/bin" to the program's .rodata
> section which is placed to read only memory.
>
> If later you'll modify this single "PATH=/bin" (comes from "nenv" now)
> by
> *equals = '\0';
> ...
> *equals = '=';
> core dump happens, which simulated in my simple a.c example by
> nenv[0][4] = '\0';
>
> Just run it and got code dump.

FreeBSD 6 will also dump if the length of the value was less than or
equal to "/bin" since it reuses this string.  This will core dump:

nenv[0] = "PATH=/bin";
nenv[1] = NULL;
environ = nenv;
setenv("PATH", "/bin", 1);

Sean
-- 
scf_at_FreeBSD.org
Received on Fri Jul 13 2007 - 17:39:48 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:14 UTC