Date: Sat, 28 Mar 2020 22:54:36 -0400
From: Rich Felker
To: musl@lists.openwall.com
Message-ID: <20200329025436.GS11469@brightrain.aerifal.cx>
References: <1585441168-23444-1-git-send-email-rcombs@rcombs.me>
In-Reply-To: <1585441168-23444-1-git-send-email-rcombs@rcombs.me>
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Subject: Re: [musl] [PATCH 1/4] ldso: add option to rewrite the argv block

On Sat, Mar 28, 2020 at 07:19:25PM -0500, rcombs wrote:
> ---
>  ldso/dynlink.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/ldso/dynlink.c b/ldso/dynlink.c
> index 6468f20..c378f00 100644
> --- a/ldso/dynlink.c
> +++ b/ldso/dynlink.c
> @@ -1698,6 +1698,7 @@ void __dls3(size_t *sp, size_t *auxv)
>  	char **argv = (void *)(sp+1);
>  	char **argv_orig = argv;
>  	char **envp = argv+argc+1;
> +	int replace_argv = 0;
>  
>  	/* Find aux vector just past environ[] and use it to initialize
>  	 * global data that may be needed before we can make syscalls. */
> @@ -1771,6 +1772,8 @@ void __dls3(size_t *sp, size_t *auxv)
>  				if (opt[5]=='=') replace_argv0 = opt+6;
>  				else if (opt[5]) *argv = 0;
>  				else if (*argv) replace_argv0 = *argv++;
> +			} else if (!memcmp(opt, "replace-argv", 12)) {
> +				replace_argv = 1;
>  			} else {
>  				argv[0] = 0;
>  			}
> @@ -1949,6 +1952,22 @@ void __dls3(size_t *sp, size_t *auxv)
>  	debug.state = 0;
>  	_dl_debug_state();
>  
> +	if (replace_argv) {
> +		char *argv_end = argv_orig[0];
> +		char *orig_ptr = argv_orig[0];
> +		int i;
> +		for (i = 0; i < (int)(argc - (argv-argv_orig)); i++) {
> +			char *src = (i == 0 && replace_argv0) ? replace_argv0 : argv[i];
> +			int len = strlen(src) + 1;
> +			memmove(orig_ptr, src, len);
> +			argv_end = argv[i] + strlen(argv[i]);
> +			argv[i] = orig_ptr;
> +			orig_ptr += len;
> +		}
> +		for (; orig_ptr < argv_end; orig_ptr++)
> +			*orig_ptr = 0;
> +	}
> +
>  	if (replace_argv0) argv[0] = replace_argv0;
>  
>  	errno = 0;
> -- 
> 2.7.4

Can you clarify what the purpose of this patch/option is? It seems
unrelated to the rest of the series and looks like it's doing
something really sketchy. It looks like it's making assumptions about
the layout of the original strings, which is not an interface
contract, and like it happily overflows and clobbers unrelated memory
if replace_argv0 is longer than the original string pointed to by
argv[0].

Rich
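Review bot: the patch carries no commit message (the body starts at the `---` separator), so nothing records what `--replace-argv` is for or what a caller may assume about the argument block once it has been rewritten; the `int replace_argv = 0;` added in the first hunk is fine by itself, but the option it gates needs a description in the commit message.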
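Review bot: the new branch `} else if (!memcmp(opt, "replace-argv", 12)) {` in the second hunk matches any option that merely starts with that prefix (`--replace-argv=1`, `--replace-argvx`), because nothing examines `opt[12]`; the neighbouring `argv0` branch tests `opt[5]` for `=` and for NUL, so this one should at least require `!opt[12]`, otherwise a mistyped option silently turns on an in-place rewrite of the argument block.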
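Review bot: the rewrite loop in the third hunk has no bound on its destination: `memmove(orig_ptr, src, len);` copies `strlen(src)+1` bytes into the block starting at `argv_orig[0]` without checking that they fit before `argv_end`, so a `replace_argv0` longer than the original `argv[0]` string writes past it into whatever follows. Two ordering problems compound this: `argv_end = argv[i] + strlen(argv[i]);` is evaluated after the `memmove`, which may already overlap `argv[i]`, so it measures the shifted bytes rather than the original string, and the unchanged `if (replace_argv0) argv[0] = replace_argv0;` that follows the block points `argv[0]` back at the option string, discarding the `argv[i] = orig_ptr;` assignment made for i == 0. Measure `argv_end` before the move, compare `orig_ptr + len` against the space actually available, and skip the trailing `argv[0]` reassignment when `replace_argv` is set.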