mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-25 22:40:05 +00:00
8047e7cf71
Commit 6c9e1be87a
wrongly fixes BZ#20847 by lefting the else branch
on maybe_script_execute to still being able to invalid write on stack
allocated buffer. It happens if execvp{e} is executed with an empty
arguments list ({ NULL }) and although manual states first argument
should be the script name itself, by convention, old and current
implementation allows it.
This patch fixes the issue by just account for arguments and not the
final 'NULL' (since the 'argv + 1' will indeed ignored the script name).
The empty argument list is handled in a special case with a minimum
allocated size. The patch also adds extra tests for such case in
tst-vfork3.
Tested on x86_64.
[BZ #20847]
* posix/execvpe.c (maybe_script_execute): Remove write past allocated
array bounds for else branch.
(__execvpe): Style fixes.
* posix/tst-vfork3.c (run_script): New function.
(create_script): Likewise.
(do_test): Use run_script internal function.
(do_prepare): Use create_script internal function.
188 lines
5.5 KiB
C
188 lines
5.5 KiB
C
/* Copyright (C) 1991-2016 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<http://www.gnu.org/licenses/>. */
|
|
|
|
#include <unistd.h>
|
|
#include <stdarg.h>
|
|
#include <stdbool.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <paths.h>
|
|
#include <confstr.h>
|
|
#include <sys/param.h>
|
|
|
|
#ifndef PATH_MAX
|
|
# ifdef MAXPATHLEN
|
|
# define PATH_MAX MAXPATHLEN
|
|
# else
|
|
# define PATH_MAX 1024
|
|
# endif
|
|
#endif
|
|
|
|
/* The file is accessible but it is not an executable file. Invoke
|
|
the shell to interpret it as a script. */
|
|
static void
|
|
maybe_script_execute (const char *file, char *const argv[], char *const envp[])
|
|
{
|
|
ptrdiff_t argc;
|
|
for (argc = 0; argv[argc] != NULL; argc++)
|
|
{
|
|
if (argc == INT_MAX - 1)
|
|
{
|
|
errno = E2BIG;
|
|
return;
|
|
}
|
|
}
|
|
|
|
/* Construct an argument list for the shell based on original arguments:
|
|
1. Empty list (argv = { NULL }, argc = 1 }: new argv will contain 3
|
|
arguments - default shell, script to execute, and ending NULL.
|
|
2. Non empty argument list (argc = { ..., NULL }, argc > 1}: new argv
|
|
will contain also the default shell and the script to execute. It
|
|
will also skip the script name in arguments and only copy script
|
|
arguments. */
|
|
char *new_argv[argc > 1 ? 2 + argc : 3];
|
|
new_argv[0] = (char *) _PATH_BSHELL;
|
|
new_argv[1] = (char *) file;
|
|
if (argc > 1)
|
|
memcpy (new_argv + 2, argv + 1, argc * sizeof(char *));
|
|
else
|
|
new_argv[2] = NULL;
|
|
|
|
/* Execute the shell. */
|
|
__execve (new_argv[0], new_argv, envp);
|
|
}
|
|
|
|
|
|
/* Execute FILE, searching in the `PATH' environment variable if it contains
|
|
no slashes, with arguments ARGV and environment from ENVP. */
|
|
int
|
|
__execvpe (const char *file, char *const argv[], char *const envp[])
|
|
{
|
|
/* We check the simple case first. */
|
|
if (*file == '\0')
|
|
{
|
|
__set_errno (ENOENT);
|
|
return -1;
|
|
}
|
|
|
|
/* Don't search when it contains a slash. */
|
|
if (strchr (file, '/') != NULL)
|
|
{
|
|
__execve (file, argv, envp);
|
|
|
|
if (errno == ENOEXEC)
|
|
maybe_script_execute (file, argv, envp);
|
|
|
|
return -1;
|
|
}
|
|
|
|
const char *path = getenv ("PATH");
|
|
if (!path)
|
|
path = CS_PATH;
|
|
/* Although GLIBC does not enforce NAME_MAX, we set it as the maximum
|
|
size to avoid unbounded stack allocation. Same applies for
|
|
PATH_MAX. */
|
|
size_t file_len = __strnlen (file, NAME_MAX) + 1;
|
|
size_t path_len = __strnlen (path, PATH_MAX - 1) + 1;
|
|
|
|
/* NAME_MAX does not include the terminating null character. */
|
|
if ((file_len - 1 > NAME_MAX)
|
|
|| !__libc_alloca_cutoff (path_len + file_len + 1))
|
|
{
|
|
errno = ENAMETOOLONG;
|
|
return -1;
|
|
}
|
|
|
|
const char *subp;
|
|
bool got_eacces = false;
|
|
/* The resulting string maximum size would be potentially a entry
|
|
in PATH plus '/' (path_len + 1) and then the the resulting file name
|
|
plus '\0' (file_len since it already accounts for the '\0'). */
|
|
char buffer[path_len + file_len + 1];
|
|
for (const char *p = path; ; p = subp)
|
|
{
|
|
subp = __strchrnul (p, ':');
|
|
|
|
/* PATH is larger than PATH_MAX and thus potentially larger than
|
|
the stack allocation. */
|
|
if (subp - p >= path_len)
|
|
{
|
|
/* If there is only one path, bail out. */
|
|
if (*subp == '\0')
|
|
break;
|
|
/* Otherwise skip to next one. */
|
|
continue;
|
|
}
|
|
|
|
/* Use the current path entry, plus a '/' if nonempty, plus the file to
|
|
execute. */
|
|
char *pend = mempcpy (buffer, p, subp - p);
|
|
*pend = '/';
|
|
memcpy (pend + (p < subp), file, file_len);
|
|
|
|
__execve (buffer, argv, envp);
|
|
|
|
if (errno == ENOEXEC)
|
|
/* This has O(P*C) behavior, where P is the length of the path and C
|
|
is the argument count. A better strategy would be allocate the
|
|
substitute argv and reuse it each time through the loop (so it
|
|
behaves as O(P+C) instead. */
|
|
maybe_script_execute (buffer, argv, envp);
|
|
|
|
switch (errno)
|
|
{
|
|
case EACCES:
|
|
/* Record that we got a 'Permission denied' error. If we end
|
|
up finding no executable we can use, we want to diagnose
|
|
that we did find one but were denied access. */
|
|
got_eacces = true;
|
|
case ENOENT:
|
|
case ESTALE:
|
|
case ENOTDIR:
|
|
/* Those errors indicate the file is missing or not executable
|
|
by us, in which case we want to just try the next path
|
|
directory. */
|
|
case ENODEV:
|
|
case ETIMEDOUT:
|
|
/* Some strange filesystems like AFS return even
|
|
stranger error numbers. They cannot reasonably mean
|
|
anything else so ignore those, too. */
|
|
break;
|
|
|
|
default:
|
|
/* Some other error means we found an executable file, but
|
|
something went wrong executing it; return the error to our
|
|
caller. */
|
|
return -1;
|
|
}
|
|
|
|
if (*subp++ == '\0')
|
|
break;
|
|
}
|
|
|
|
/* We tried every element and none of them worked. */
|
|
if (got_eacces)
|
|
/* At least one failure was due to permissions, so report that
|
|
error. */
|
|
__set_errno (EACCES);
|
|
|
|
return -1;
|
|
}
|
|
|
|
weak_alias (__execvpe, execvpe)
|