Hi,

The getenv() library call can trap under certain conditions.  It compares the 
passed in environment variable name (var) with the name=variables (*ep) in the 
environment area and returns a pointer to the value in the environment if it 
exists.  To accomplish this, it does a memcmp() using the length of the passed 
in name (len) for each environment variable (*ep) against the passed in name 
(var).  So memcmp will attempt to scan both strings for len bytes. However, if 
for some reason, len is equal to or greater than 16 and longer than the length 
of the *ep in the environment and the *ep resides near the end of a page 
boundary while the next page is not present or mapped, the memcmp could trap 
with a SIGSEGV error while continuing the scan with the optimization 
read-ahead. However, if strncmp is used instead, there is no problem since both 
source and destination scanning will stop when either reaches a terminating NULL.

Test case: We are using gcc 4.8.5 and uclibc 1.0.31. With a small environment 
area, attempt to do a getenv() using a variable name such as 
"1234567890123456". Example: file run.c contains:

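#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    char *n;

    /* 16-character name, longer than the only entry in the environment */
    n = getenv("1234567890123456");
    /* passing NULL to %s is undefined, so print a placeholder on a miss */
    printf("Return val: \"%s\"\n", n ? n : "(null)");
    return 0;
}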

Then

<sh> cc run.c -o run
<sh> env -i 123=123 ./run
Segmentation fault

Proposed fix:

--- uclibc/libc/stdlib/getenv.c  2019-11-13 17:22:26.260187664 -0500
+++ uclibc/libc/stdlib/getenv.c  2019-11-13 17:22:39.376111771 -0500
@@ -20,7 +20,7 @@
        return NULL;
     len = strlen(var);
     while(*ep) {
-       if (memcmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
+       if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
            return *ep + len + 1;
        }
        ep++;
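
Review bot: The changed strncmp() line carries no comment saying why memcmp() must not be used here, so a later cleanup could swap it back as an optimization; add a short comment on that line noting that *ep may be shorter than len and that memcmp() is permitted to read all len bytes of both buffers. The logic itself holds: len = strlen(var) means var has no NUL in its first len bytes, so strncmp() returns non-zero when *ep ends early and the && short-circuit keeps (*ep)[len] from being read past the terminator. A regression test that runs the lookup with a name longer than every environment entry would be worth adding alongside the fix.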


Then

<sh> env -i 123=123 ./run
<sh>

Can we get this patch upstream?

Thanks,
----
John Ata, CISSP
Senior Principal Software Engineer
Electronics Systems
STOP Operating System<http://www.baesystems.com/en-us/product/stop> Software 
Development

T 703-563-8115 | F 703-668-4359 | 
john....@baesystems.com<mailto:john....@baesystems.com>
http://www.baesystems.com/csp

_______________________________________________
devel mailing list
devel@uclibc-ng.org
https://mailman.uclibc-ng.org/cgi-bin/mailman/listinfo/devel
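
The failure layout described in this report, as an added example that is not part of the original message or of uClibc-ng: a short entry is placed flush against an unmapped page and looked up with the strncmp() form of the loop, so an over-read shows up as a fault instead of passing silently. env_lookup() and guard_page_env() are hypothetical names, and the code assumes a POSIX system with mmap() and mprotect().

```c
/* Added example, not uClibc-ng code: env_lookup() and guard_page_env() are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Same matching rule as the patched loop: strncmp() stops at the NUL of a
 * short entry, so it never reads len bytes past the end of *ep. */
static char *env_lookup(const char *var, char **ep)
{
    size_t len = strlen(var);

    for (; *ep; ep++) {
        if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=')
            return *ep + len + 1;
    }
    return NULL;
}

/* Place `entry` so its terminating NUL is the last byte of a readable page
 * and the following page is PROT_NONE, the layout described in the report.
 * Returns a pointer to the copy, or NULL on failure. */
static char *guard_page_env(const char *entry)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t n = strlen(entry) + 1;
    char *base;

    if (page <= 0 || n > (size_t)page)
        return NULL;
    base = mmap(NULL, 2 * (size_t)page, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + page, (size_t)page, PROT_NONE) != 0) {
        munmap(base, 2 * (size_t)page);
        return NULL;
    }
    return memcpy(base + page - n, entry, n);
}

int main(void)
{
    char *envp[2] = { guard_page_env("123=123"), NULL };
    if (!envp[0])
        return 2;
    /* 16-byte name, 7-byte entry: must be a clean miss, not a fault. */
    return env_lookup("1234567890123456", envp) == NULL ? 0 : 1;
}
```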