The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
file descriptors with close-on-exec set.
(exec_comm_child): Fix the case where the write end of the pipe is
STDOUT_FILENO already. In case it is, clear close-on-exec.
platforms.
* stdio-common/_itoa.c: Don't compile in _itoa and _fitoa for
64-bit platforms.
* malloc/mtrace.c (tr_where): Use _fitoa_word instead of _fitoa if
possible.
* posix/wordexp.c (parse_arith): Use _itoa_word instead of _itoa
if possible.
was allocated here. [Coverity CID 219]
* posix/getconf.c (print_all): Free confstr data after printing.
[Coverity CID 218]
* sysdeps/posix/getaddrinfo.c (gaih_inet): Free canon string if
list allocation fails. [Coverity CID 215]
* nss/nsswitch.c (__nss_configure_lookup): Fix loop end condition.
[Coverity CID 213]
* argp/argp-help.c (hol_entry_cmp): Don't call canon_doc_option if
string is NULL. [Coverity CID 212]
* argp/Makefile: Add rules to build and run bug-argp1.
* argp/bug-argp1.c: New file.
* io/ftw.c (ftw_dir): Use __rawmemchr instead of strchr to find
end of string.
* stdlib/canonicalize.c (__realpath): Likewise.
* locale/programs/ld-time.c (time_finish): Don't dereference NULL
pointer. [Coverity CID 206]
* elf/dl-dst.h (DL_DST_REQUIRED): Be prepared for missing link map
in statically linked code.
* elf/dl-load.c (_dl_dst_substitute): When replacing ORIGIN in
statically built code, be prepared to have no link map.
[Coverity CID 205]
* argp/argp-help.c (fill_in_uparams): Handle STATE==NULL in
dgettext calls. [Coverity CID 204]
* argp/argp-help.c (struct uparams): Remove valid member. Change
the one user.
(uparam_names): Reduce size. Avoid relative relocations.
Moved to read-only segment.
(fill_in_uparams): Update for new layout.
* sysdeps/unix/sysv/linux/ifaddrs.c (getifaddrs): Parameter can be
assumed to always be != NULL. [Coverity CID 202]
* argp/argp-help.c (hol_entry_help): Remove some dead code
[Coverity CID 200].
* nis/nss_nis/nis-service.c (_nss_nis_getservbyport_r): Optimize
away a few more unconditional yperr2nss calls.
(_nss_nis_getservbyname_r): Likewise.
* misc/daemon.c (daemon): Fail if !noclose and we cannot open the
real /dev/null device.
* sysdeps/generic/check_fds.c: Include device-nrs.h.
* sysdeps/generic/device-nrs.h: New file.
* sysdeps/unix/sysv/linux/device-nrs.h: New file.
* misc/Makefile (distribute): Add device-nrs.h.
* posix/wordexp.c (exec_comm_child): Likewise.
* locale/nl_langinfo.c: Allow use of file for __nl_langinfo_l
definition.
* posix/wordexp.c: Use we_offs everywhere if WRDE_DOOFS. Expand ~
correctly. Detect syntax errors in command substitutions. Delete
trailing newlines correctly. Don't split fields in command
substitution situations. Restore old structure in case of an
error. Handle WRDE_APPEND correctly.
Patch by Geoff Clare <gwc@unisoft.com>.
1999-11-05 Ulrich Drepper <drepper@cygnus.com>
* sysdeps/unix/sysv/linux/bits/resource.h (RLIM_INFINITY): Adjust
for kernel changes.
* sysdeps/unix/sysv/linux/bits/types.h (__rlim_t, __rlim64_t): Make
unsigned.
1999-10-04 Tim Waugh <twaugh@redhat.com>
* posix/wordexp-test.c: More tests.
* posix/wordexp.c (wordexp): Explicit null words should be kept.
1999-11-04 Shinya Hanataka <hanataka@abyss.rim.or.jp>
* locale/programs/linereader.c (get_string): Correct type of buf2
variable.
* locale/programs/ld-ctype.c (ctype_output): Store index correctly
for _NL_CTYPE_INDIGITS_MB_LEN, _NL_CTYPE_INDIGITS_WC_LEN,
_NL_CTYPE_INDIGITS*_MB, _NL_CTYPE_OUTDIGIT*_MB, and
_NL_CTYPE_OUTDIGIT*_WC.
(allocate_arrays): Completely initialize mapping tables.
* locale/programs/ld-time.c (time_startup): We need the wide car
string.
(time_finish): Correct handling of era.
(time_output): Fix a few array indeces.
(time_read): Pass the repertoire map to lr_token.
1999-07-02 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: Revert bogus 'unset IFS' change. It
doesn't belong in the tests, but in the wordexp implementation.
* posix/wordexp.c (exec_comm): Unset IFS so that subshells don't
split fields.
1999-04-20 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* posix/wordexp.c (parse_param): Fix type of offset to allow it to
be used correctly as parameter for parse_dollars/parse_tilde.
1999-04-11 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp.c (wordexp): Fix a leak when an invalid character
is seen, as well as fixing semantics. Don't reset the word count
to zero when an invalid character is seen, but leave it as it was
(this makes a difference with WRDE_APPEND).
* posix/wordexp-test.c: More test cases.
* posix/wordexp.c (parse_param): In words like ${var#pattern},
always expand pattern when it is needed. Also, handle quoting in
pattern properly.
1998-10-30 18:11 Ulrich Drepper <drepper@cygnus.com>
* iconv/gconv_conf.c (__gconv_read_conf): Don't define as
internal_function since it is called through a pointer.
* iconv/gconv_db.c (free_derivation): Likewise.
* iconv/gconv_int.h: Adjust prototype od __gconv_read_conf.
* posix/wordexp.c: Add internal_function to parse_backtick definition.
* rt/aio_misc.c: Add internal_function to __aio_free_request,
__aio_find_req, __aio_find_req_fd, and __aio_enqueue_request
definitions.
* rt/aio_notify.c: Add internal_function to __aio_notify_only and
__aio_notify definitions.
* wcsmbsload.c: Add internal_function to __wcsmbs_load_conv definition.
1998-09-17 19:34 Ulrich Drepper <drepper@cygnus.com>
* sysdeps/unix/sysv/sysv4/bits/utsname.h: Fix typo.
Patch by John Tobey <jtobey@banta-im.com>.
1998-09-17 Mark Kettenis <kettenis@phys.uva.nl>
* login/pty-internal.h: Removed. Moved constants related to the
`grantpt' helper program protocol to ...
* login/pty-private.h: ... here. New file.
* sysdeps/unix/sysv/linux/ptsname.c (ptsname): Reimplementation
to make the function work with kernels >= 2.1.115.
* sysdeps/unix/sysv/linux/getpt.c (getpt): Reimplement to call BSD
version if using the cloning device fails.
* sysdeps/unix/sysv/linux/grantpt.c: New file.
* sysdeps/unix/sysv/linux/unlockpt.c: General cleanup.
* sysdeps/unix/bsd/getpt.c (__getpt): Largely rewritten to allow
use by Linux specific code.
* sysdeps/unix/bsd/unlockpt.c: General cleanup.
* sysdeps/unix/grantpt.c: Largely rewritten. (pts_name): New
function. (grantpt): Use pts_name, check group and permission
mode in addition to owner. Try to set the owner, group and
permission mode first without invoking the helper program.
* login/programs/pt_chown.c: Largely rewritten. Add argp and
internationalization support. Use symbolic constants instead of
hardwired numbers for permission mode.
* sysdeps/unix/bsd/ptsname.c: New file.
1998-09-17 22:04 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: Undo last change.
* posix/wordexp.c: Undo last change.
1998-09-14 Andreas Jaeger <aj@arthur.rhein-neckar.de>
* sysdeps/mach/hurd/dl-cache.c (_dl_unload_cache): New dummy
function. Reported by okuji@kuicr.kyoto-u.ac.jp [PR libc/789].
1998-09-15 David S. Miller <davem@pierdol.cobaltmicro.com>
* sysdeps/sparc/sparc32/dl-machine.h (elf_machine_runtime_setup):
Add profiling support.
(TRAMPOLINE_TEMPLATE): New macro.
(ELF_MACHINE_RUNTIME_TRAMPOLINE): Define in terms of that.
(RTLD_START): Prettify, and set __libc_stack_end properly.
(elf_machine_rela) [R_SPARC_COPY]: Remove RTLD_BOOTSTRAP ifndef
and check for sym being NULL instead.
* sysdeps/sparc/sparc64/addmul_1.S: Adjust to allocate 192 bytes
of stack space.
* sysdeps/sparc/sparc64/lshift.S: Likewise.
* sysdeps/sparc/sparc64/mul_1.S: Likewise.
* sysdeps/sparc/sparc64/rshift.S: Likewise.
* sysdeps/sparc/sparc64/submul_1.S: Likewise.
* sysdeps/sparc/sparc64/elf/crtbegin.S: Likewise and remove old
MEDANY code model %g4 usage.
* sysdeps/sparc/sparc64/elf/crtend.S: Likewise and remove old
MEDANY code model %g4 usage.
* sysdeps/sparc/sparc64/elf/start.S: Rework to not use old FULLANY
code model address formation.
* sysdeps/sparc/sparc64/dl-machine.h: Don't include link.h, do
include elf/ldsodefs.h
(DT_SPARC): Remove.
(elf_machine_matches_host): It is now EM_SPARCV9.
(elf_machine_dynamic): Clean up to remove ugly cast.
(elf_machine_fixup_plt): Rework for new V9 ABI, add support for
new PLT formats.
(elf_machine_rela): Don't do anything at all for R_SPARC_NONE.
Prettify rest of function.
[R_SPARC_COPY]: Check for sym being NULL.
[R_SPARC_32]: Handle it.
[R_SPARC_H44, R_SPARC_M44, R_SPARC_L44]: Handle them for the
MEDMID code model.
[R_SPARC_HH22, R_SPARC_HM10, R_SPARC_LM22]: Handle them for the
MEDANY code model.
[R_SPARC_NONE]: Remove this case, as it is now checked earlier.
(elf_machine_runtime_setup): Rewrite for new V9 ABI plt formats.
Add profiling support.
(TRAMPOLINE_TEMPLATE): New macro.
(ELF_MACHINE_RUNTIME_TRAMPOLINE): Define in terms of that.
(RTLD_START): Prettify and set __libc_stack_end.
* sysdeps/unix/sysv/linux/sparc/bits/sigaction.h (SA_SIGINFO):
Define.
* sysdeps/unix/sysv/linux/sparc/bits/signum.h (_NSIG): Set to 64.
(SIGRTMIN, SIGRTMAX, __SIGRTMIN, __SIGRTMAX): Define.
* sysdeps/unix/sysv/linux/sparc/sparc32/brk.c (__brk): Remove
unused variable scratch.
* sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
(__syscall_rt_sigaction, __rt_sigreturn_stub, __sigreturn_stub):
Declare.
(__sigaction): Rewrite rt_sigaction case to pass correct sigreturn
stub to rt_sigaction syscalls. Rewrite non-rt case to use correct
old format kernel sigaction structures.
* sysdeps/unix/sysv/linux/sparc/sparc64/ucontext.h: Move...
* sysdeps/unix/sysv/linux/sparc/sparc64/sys/ucontext.h: to here.
* sysdeps/unix/sysv/linux/sparc/sparc64/Dist: Remove ucontext.h
* sysdeps/unix/sysv/linux/sparc/sparc64/bits/setjmp.h: Fix
ucontext include.
(_JMPBUF_UNWINDS): Define.
* sysdeps/unix/sysv/linux/sparc/sparc64/bits/statfs.h: Declare
statfs64 structure, which is exactly the same as the normal one.
* sysdeps/unix/sysv/linux/sparc/sparc64/brk.S: Allocate 192 bytes
of stack. Use correct syscall trap number. Add branch prediction
settings to branch instructions. Remove old MEDANY code model %g4
referneces for non-PIC.
* sysdeps/unix/sysv/linux/sparc/sparc64/clone.S: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/init-first.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/pipe.S: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/syscall.S: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/sysdep.h: Likewise.
* sysdeps/unix/sysv/linux/sparc/sparc64/longjmp.S: Add
__libc_longjmp and __libc_siglongjmp strong aliases.
* sysdeps/unix/sysv/linux/sparc/sparc64/readdir.c (__readdir64):
Also define to __no__readdir64_decl around readdir.c inclusion.
(__readdir64): Add strong alias.
* sysdeps/unix/sysv/linux/sparc/sparc64/socket.S: New file.
* sysdeps/unix/sysv/linux/sparc/sparc64/syscalls.list (getrlimit):
Set strong and weak names properly.
1998-09-16 11:25 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* manual/Makefile (AWK): Default to gawk if standalone.
1998-09-15 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* Makefile (distribute): Undo last change.
* Make-dist (+tsrc) [not subdir]: Also include indirection headers
for sysdep headers.
(+subdir-headers): Removed, unused.
1998-09-15 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* stdio-common/Makefile ($(inst_includedir)/bits/stdio_lim.h): Use
$(do-install).
1998-09-15 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* Makerules ($(+sysdir_pfx)sysd-Makefile): Don't check for
absolute name in $(config-sysdirs), can never happen.
($(+sysdir_pfx)sysd-rules): Likewise.
* Makeconfig (full-config-sysdirs): Likewise.
(all-Subdirs-files): Prepend $(..).
* configure.in: Don't check for absolute name in $add_ons_pfx, can
not happen. Let --enable-add-ons=yes work if no add-ons actually
exist.
1998-09-15 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* Rules ($(common-objpfx)bits/stdio_%.h): Remove extra
continuations in command.
1998-09-15 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* libio/oldstdfiles.c (_IO_stdin_used): Update declaration.
1998-09-16 00:47 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: If expansion or substitution occurs
anywhere in a word, the entire word is subject to field-splitting.
* posix/wordexp.c (parse_glob): Look for end of word instead of
end of field when deciding what to glob.
(field_split_word): New function, now the only place where
field-splitting is performed.
(parse_dollars): New parameter - tell the caller if
field-splitting should be performed on this word.
* posix/wordexp-test.c (testit): Only call wordfree if wordexp
succeeded (or failed with WRDE_NOSPACE).
1998-09-15 19:53 1998 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp.c (wordexp): Don't convert IFS characters to
blanks.
* posix/wordexp-test.c: Words not the result of expansion or
substitution should remain unchanged.
1998-09-14 22:46 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: Chet Ramey confirmed that bash's behaviour
for field-splitting 🔤 is correct, and that two fields should
result. Revert tests to reflect this.
* posix/wordexp.c (w_emptyword): Remove function.
(exec_comm): Don't use w_emptyword.
(parse_param): Likewise.
1998-09-13 14:53 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: Field-splitting '🔤' with IFS=: should
yield three fields, not two. Test both parameter expansion and
command substitution for correct field-splitting behaviour.
* posix/wordexp.c (w_emptyword): New function.
(parse_param): Use it.
(exec_comm): Likewise, for consistency with the way parse_param
splits fields.
(parse_param): Fix some memory leaks.
1998-09-12 01:09 Tim Waugh <tim@cyberelk.demon.co.uk>
* posix/wordexp-test.c: Fix wrong tests. Add new tests.
* posix/wordexp.c (wordexp): Perform word-splitting instead of
field-splitting here.
(wordexp): If out of memory mid-word, free the word (but still
leave pwordexp alone for caller to see).
(parse_param): Allow for zero-length fields (smarter checking of
memory allocation failure).
(w_addword): Convert NULL words to "".
(wordexp): Convert left-over IFS characters to blanks (like bash).
