| commit | 8047e7cf7152a356510f51c18c5a198865470af2 | |
| author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | |
| Tue, 22 Nov 2016 18:23:28 +0000 (22 16:23 -0200) | ||
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | |
| Wed, 7 Dec 2016 11:48:26 +0000 (7 09:48 -0200) | ||
| tree | dc3656c24e086b0d8d5af68355c68ed6896ca843 | treesnapshot (tar.gz zip) |
| parent | 657c084cd6f69d6cc880c2ae65129a0723d053c5 | commitdiff |
Fix writes past the allocated array bounds in execvpe (BZ#20847)
Commit 6c9e1be87a37bf wrongly fixes BZ#20847 by lefting the else branch
on maybe_script_execute to still being able to invalid write on stack
allocated buffer. It happens if execvp{e} is executed with an empty
arguments list ({ NULL }) and although manual states first argument
should be the script name itself, by convention, old and current
implementation allows it.
This patch fixes the issue by just account for arguments and not the
final 'NULL' (since the 'argv + 1' will indeed ignored the script name).
The empty argument list is handled in a special case with a minimum
allocated size. The patch also adds extra tests for such case in
tst-vfork3.
Tested on x86_64.
[BZ #20847]
* posix/execvpe.c (maybe_script_execute): Remove write past allocated
array bounds for else branch.
(__execvpe): Style fixes.
* posix/tst-vfork3.c (run_script): New function.
(create_script): Likewise.
(do_test): Use run_script internal function.
(do_prepare): Use create_script internal function.
Commit 6c9e1be87a37bf wrongly fixes BZ#20847 by lefting the else branch
on maybe_script_execute to still being able to invalid write on stack
allocated buffer. It happens if execvp{e} is executed with an empty
arguments list ({ NULL }) and although manual states first argument
should be the script name itself, by convention, old and current
implementation allows it.
This patch fixes the issue by just account for arguments and not the
final 'NULL' (since the 'argv + 1' will indeed ignored the script name).
The empty argument list is handled in a special case with a minimum
allocated size. The patch also adds extra tests for such case in
tst-vfork3.
Tested on x86_64.
[BZ #20847]
* posix/execvpe.c (maybe_script_execute): Remove write past allocated
array bounds for else branch.
(__execvpe): Style fixes.
* posix/tst-vfork3.c (run_script): New function.
(create_script): Likewise.
(do_test): Use run_script internal function.
(do_prepare): Use create_script internal function.
| ChangeLog | diffblobblamehistory | |
| posix/execvpe.c | diffblobblamehistory | |
| posix/tst-vfork3.c | diffblobblamehistory |