summary refs log tree commit diff
path: root/LICENSES
diff options
context:
space:
mode:
authorAdhemerval Zanella <adhemerval.zanella@linaro.org>2016-11-21 11:06:15 -0200
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2016-11-22 10:23:07 -0200
commit6c9e1be87a37bfac0bf6c80a38171383ac3527e6 (patch)
treea4fdb77792ddb9d0e865b1ee988eab569808a400 /LICENSES
parent5ee1a4443a3eb0868cef1fe506ae6fb6af33d4ad (diff)
downloadglibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.tar.gz
glibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.tar.xz
glibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.zip
Fix writes past the allocated array bounds in execvpe (BZ#20847)
This patch fixes an invalid write out or stack allocated buffer in
2 places at execvpe implementation:

  1. On 'maybe_script_execute' function where it allocates the new
     argument list and it does not account that a minimum of argc
     plus 3 elements (default shell path, script name, arguments,
     and ending null pointer) should be considered.  The straightforward
     fix is just to take account of the correct list size on argument
     copy.

  2. On '__execvpe' where the executable file name lenght may not
     account for ending '\0' and thus subsequent path creation may
     write past array bounds because it requires to add the terminating
     null.  The fix is to change how to calculate the executable name
     size to add the final '\0' and adjust the rest of the code
     accordingly.

As described in GCC bug report 78433 [1], these issues were masked off by
GCC because it allocated several bytes more than necessary so that many
off-by-one bugs went unnoticed.

Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS.

	[BZ #20847]
	* posix/execvpe.c (maybe_script_execute): Remove write past allocated
	array bounds.
	(__execvpe): Likewise.

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433
Diffstat (limited to 'LICENSES')
0 files changed, 0 insertions, 0 deletions