diff options
author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2016-11-21 11:06:15 -0200 |
---|---|---|
committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2016-11-22 10:23:07 -0200 |
commit | 6c9e1be87a37bfac0bf6c80a38171383ac3527e6 (patch) | |
tree | a4fdb77792ddb9d0e865b1ee988eab569808a400 /sysdeps/unix/sysv/linux | |
parent | 5ee1a4443a3eb0868cef1fe506ae6fb6af33d4ad (diff) | |
download | glibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.tar.gz glibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.tar.xz glibc-6c9e1be87a37bfac0bf6c80a38171383ac3527e6.zip |
Fix writes past the allocated array bounds in execvpe (BZ#20847)
This patch fixes an invalid write out or stack allocated buffer in 2 places at execvpe implementation: 1. On 'maybe_script_execute' function where it allocates the new argument list and it does not account that a minimum of argc plus 3 elements (default shell path, script name, arguments, and ending null pointer) should be considered. The straightforward fix is just to take account of the correct list size on argument copy. 2. On '__execvpe' where the executable file name lenght may not account for ending '\0' and thus subsequent path creation may write past array bounds because it requires to add the terminating null. The fix is to change how to calculate the executable name size to add the final '\0' and adjust the rest of the code accordingly. As described in GCC bug report 78433 [1], these issues were masked off by GCC because it allocated several bytes more than necessary so that many off-by-one bugs went unnoticed. Checked on x86_64 with a latest GCC (7.0.0 20161121) with -O3 on CFLAGS. [BZ #20847] * posix/execvpe.c (maybe_script_execute): Remove write past allocated array bounds. (__execvpe): Likewise. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78433
Diffstat (limited to 'sysdeps/unix/sysv/linux')
0 files changed, 0 insertions, 0 deletions