[uclibc-ng-devel] getenv() bug

Ata, John (US) john.ata at baesystems.com
Thu Nov 14 22:32:46 CET 2019


Hi,

The getenv() library call can trap under certain conditions.  It compares the passed-in environment variable name (var) with the name=variables (*ep) in the environment area and returns a pointer to the value in the environment if it exists.  To accomplish this, it does a memcmp() using the length of the passed-in name (len) for each environment variable (*ep) against the passed-in name (var).  So memcmp will attempt to scan both strings for len bytes. However, if for some reason len is equal to or greater than 16 and longer than the length of the *ep in the environment, and the *ep resides near the end of a page boundary while the next page is not present or mapped, the memcmp could trap with a SIGSEGV error while continuing the scan with the optimization read-ahead. However, if strncmp is used instead, there is no problem since both source and destination scanning will stop when either reaches a terminating NULL.

Test case: We are using gcc 4.8.5 and uclibc 1.0.31. With a small environment area, attempt to do a getenv() using a variable name such as "1234567890123456". Example: file run.c contains:

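#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    char *n;

    /* 16-byte name, longer than any entry in the small environment */
    n = getenv("1234567890123456");
    /* getenv() returns NULL when the variable is unset; never pass NULL to %s */
    printf("Return val: \"%s\"\n", n ? n : "(null)");
    return 0;
}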

Then

<sh> cc run.c -o run
<sh> env -i 123=123 ./run
Segmentation fault

Proposed fix:

--- uclibc/libc/stdlib/getenv.c  2019-11-13 17:22:26.260187664 -0500
+++ uclibc/libc/stdlib/getenv.c  2019-11-13 17:22:39.376111771 -0500
@@ -20,7 +20,7 @@
        return NULL;
     len = strlen(var);
     while(*ep) {
-       if (memcmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
+       if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
            return *ep + len + 1;
        }
        ep++;
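
Review bot: the replaced comparison inside the while loop carries no comment saying why strncmp is required there, so a later cleanup could put memcmp back as an apparent optimization. Add a short comment on that line noting that *ep can be shorter than len and that memcmp may read all len bytes of both buffers, while strncmp stops at the first NUL. The (*ep)[len] == '=' test is in bounds only because it runs after strncmp has matched len bytes, so the order of the two && operands should stay as it is. A regression test that places a short entry directly before an unmapped page would keep this from regressing.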


Then

<sh> env -i 123=123 ./run
<sh>

Can we get this patch upstream?

Thanks,
----
John Ata, CISSP
Senior Principal Software Engineer
Electronics Systems
STOP Operating System <http://www.baesystems.com/en-us/product/stop> Software Development

T 703-563-8115 | F 703-668-4359 | john.ata at baesystems.com
http://www.baesystems.com/csp
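
The page-boundary condition described in the message can be pinned down in a regression test. The following is an added example, not part of the original message or of uClibc-ng; lookup_env(), place_before_guard() and guarded_lookup_ok() are hypothetical names, and it assumes a POSIX system with mmap() and mprotect().

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Same comparison as the patched loop: strncmp stops at the entry's NUL,
 * so it never reads past a short entry. */
static char *lookup_env(char **ep, const char *var)
{
    size_t len = strlen(var);
    for (; *ep; ep++) {
        if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=')
            return *ep + len + 1;
    }
    return NULL;
}

/* Map two pages, make the second one inaccessible, and copy `entry` so that
 * its terminating NUL is the last readable byte before the guard page. */
static char *place_before_guard(const char *entry)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t n = strlen(entry) + 1;
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || n > page)
        return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0)
        return NULL;
    return memcpy(base + page - n, entry, n);
}

/* Returns 1 when a 16-byte name misses and the real name hits, both
 * without touching the guard page (a fault would kill the process). */
int guarded_lookup_ok(void)
{
    char *entry = place_before_guard("123=123"); /* constructed sample entry */
    if (!entry)
        return 0;
    char *envp[] = { entry, NULL };
    char *miss = lookup_env(envp, "1234567890123456");
    char *hit = lookup_env(envp, "123");
    return miss == NULL && hit != NULL && strcmp(hit, "123") == 0;
}

int main(void) { return guarded_lookup_ok() ? 0 : 1; }
```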
