From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [PATCH] fix use of pointer after free in unsetenv
Date: Mon, 4 Jan 2016 16:53:15 -0500 [thread overview]
Message-ID: <20160104215315.GY238@brightrain.aerifal.cx> (raw)
In-Reply-To: <alpine.LNX.2.20.1601050020380.30584@monopod.intra.ispras.ru>
On Tue, Jan 05, 2016 at 12:28:12AM +0300, Alexander Monakov wrote:
> On Mon, 4 Jan 2016, Rich Felker wrote:
> > On Mon, Jan 04, 2016 at 06:47:36PM +0300, Alexander Monakov wrote:
> > > On Mon, 4 Jan 2016, Alexander Monakov wrote:
> > > > To me the implementation looks weird due to how it restarts scanning __environ
> > > > with 'goto again' from position 0 instead of current position. I can propose
> > > > the following rewrite (untested):
> >
> > The "goto again" is for the rare (generally malicious) case of
> > duplicate definitions, to ensure that unsetenv removes them all.
>
> Yes, but my point was that rewinding all the way back to i=0 looks odd -- I
> understood the need to scan all entries.
Oh. In that case I guess it's unnecessary to rewind, yes.
BTW what might be best to do is something like:
char *tmp = __environ[i];
for (j=i ; __environ[j]; j++)
__environ[j] = __environ[j+1];
__env_free(tmp);
where __env_free has a weak def as a nop and gets its strong def from
setenv.c or putenv.c. This refactoring would make it possible for
unsetenv not to pull in free, and the reordering might make it less
likely for dangerous things to happen in a broken program that reads
the environment concurrently with unsetenv.
> > > Hm, there's no need to preserve relative order of env entries, is there?
> >
> > Yes, there is. If FOO=x and FOO=y both appear in environ[],
> > unsetenv("BAR") must not cause getenv("FOO") to change from "x" to
> > "y".
>
> Thanks, I did not consider that. I'm curious, is that just from QoI
> perspective, or also required somewhere?
It is a requirement, and it's simply a consequence of the fact that
functions cannot have random side effects they're not specified to
have. unsetenv can't change the value of FOO from x to y any more than
calling strlen can. The fact that the issue arises at all when
environ[] was not setup manually by the program is a consequence of
the kernel not enforcing uniqueness of env var names, which (AFAIK) is
an implementation detail anyway.
Rich
next prev parent reply other threads:[~2016-01-04 21:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-03 23:09 Alexander Cherepanov
2016-01-04 3:05 ` Rich Felker
2016-01-04 10:52 ` Alexander Cherepanov
2016-01-04 11:56 ` Alexander Monakov
2016-01-04 15:47 ` Alexander Monakov
2016-01-04 21:05 ` Rich Felker
2016-01-04 21:28 ` Alexander Monakov
2016-01-04 21:53 ` Rich Felker [this message]
2016-01-04 7:42 ` Markus Wichmann
2016-01-04 11:58 ` Alexander Cherepanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160104215315.GY238@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).