From patchwork Thu Nov 14 21:32:46 2019
X-Patchwork-Submitter: "Ata, John (US)"
X-Patchwork-Id: 1195215
From: "Ata, John (US)"
To: "devel@uclibc-ng.org"
Date: Thu, 14 Nov 2019 21:32:46 +0000
Subject: [uclibc-ng-devel] getenv() bug
Message-Id: <20191114213302.1DB3A10002@helium.openadk.org>

Hi,

The getenv() library call can trap under certain conditions. It compares the passed-in environment variable name (var) with the name=variables (*ep) in the environment area and returns a pointer to the value in the environment if it exists. To accomplish this, it does a memcmp() using the length of the passed-in name (len) for each environment variable (*ep) against the passed-in name (var). So memcmp will attempt to scan both strings for len bytes. However, if for some reason, len is equal to or greater than 16 and longer than the length of the *ep in the environment and the *ep resides near the end of a page boundary while the next page is not present or mapped, the memcmp could trap with a SIGSEGV error while continuing the scan with the optimization read-ahead. However, if strncmp is used instead, there is no problem since both source and destination scanning will stop when either reaches a terminating NULL.

Test case:

We are using gcc 4.8.5 and uclibc 1.0.31. With a small environment area, attempt to do a getenv() using a variable name such as "1234567890123456".

Example: file run.c contains:

    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        char *n;

        /* 16-character name, longer than the only entry in the environment */
        n = getenv("1234567890123456");
        printf("Return val: \"%s\"\n", n);
        return 0;
    }

Then

    cc run.c -o run
    env -i 123=123 ./run.
    Segmentation fault

Proposed fix:

Then

    env -i 123=123 ./run.

Can we get this patch upstream?

Thanks,

----
John Ata, CISSP
Senior Principal Software Engineer
Electronics Systems
STOP Operating System Software Development
T 703-563-8115 | F 703-668-4359 | john.ata@baesystems.com
http://www.baesystems.com/csp

--- uclibc/libc/stdlib/getenv.c 2019-11-13 17:22:26.260187664 -0500 +++ uclibc/libc/stdlib/getenv.c 2019-11-13 17:22:39.376111771 -0500 @@ -20,7 +20,7 @@ return NULL; len = strlen(var); while(*ep) { - if (memcmp(var, *ep, len) == 0 && (*ep)[len] == '=') { + if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') { return *ep + len + 1; } ep++;
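
Review bot: the new strncmp() line in the while loop carries no comment saying why memcmp() must not be used there, so a later cleanup could switch it back as an optimization. Suggest a one-line comment above the if noting that *ep may be shorter than len and that memcmp() is allowed to read all len bytes. The bounds logic itself holds: (*ep)[len] is only evaluated after strncmp() returns 0, and since var has no NUL in its first len bytes, a zero result means *ep has at least len bytes before its terminator.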
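
The condition described in the report, isolated as an added example (not code from the original mail or from uClibc-ng): a constructed entry "123=123" is placed at the very end of a mapped page with an inaccessible page behind it, and the comparison runs in a child process so a fault can be observed. The helper names and the mmap/fork harness are assumptions; whether memcmp() actually faults depends on the C library's implementation and the compiler, while strncmp() stops at the entry's terminator.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy s (with its NUL) so it ends on the last byte of a mapped page that is
   followed by a PROT_NONE guard page. Hypothetical helper for this example. */
static char *place_at_page_end(const char *s)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), n = strlen(s) + 1;
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || mprotect(base + pg, pg, PROT_NONE) != 0)
        return NULL;
    return memcpy(base + pg - n, s, n);
}

/* Run the getenv()-style comparison in a child process.
   Returns 1 if the child died with SIGSEGV, 0 if it finished, -1 on error. */
int compare_faults(int use_strncmp)
{
    const char *var = "1234567890123456";   /* 16-byte name from the report */
    char *entry = place_at_page_end("123=123"); /* constructed entry */
    size_t len = strlen(var);
    int st;
    pid_t pid;

    if (entry == NULL || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* memcmp() may touch all len bytes of entry; strncmp() stops at NUL. */
        volatile int r = use_strncmp ? strncmp(var, entry, len)
                                     : memcmp(var, entry, len);
        (void)r;
        _exit(0);
    }
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFSIGNALED(st) && WTERMSIG(st) == SIGSEGV;
}

int main(void)
{
    printf("memcmp  child faulted: %d\n", compare_faults(0));
    printf("strncmp child faulted: %d\n", compare_faults(1));
    return 0;
}
```

A byte-at-a-time memcmp() stops at the first mismatch and reports 0 here; only an implementation that loads wide blocks ahead of the mismatch reproduces the fault.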