From: Elvis Pranskevichus
To: musl@lists.openwall.com
Cc: elvis@edgedb.com
Date: Tue, 16 Aug 2022 22:45:45 -0700
Message-ID: <3818608.tdWV9SEqCh@vulcan.edgedb.net>
Organization: EdgeDB Inc.
Subject: [musl] [PATCH] ldso/dynlink: Protect LD_ env vars from getting clobbered by apps

There is no guarantee that the environment block will remain intact. For example, PostgreSQL clobbers argv/environ area to implement its "setproctitle" emulation on non-BSD [1], and there is a popular Python library inspired by it [2].

As a result, setting `LD_LIBRARY_PATH` or `LD_PRELOAD` has no effect on Postgres subprocesses when linking against musl. Protect against this by making copies instead of storing the original pointers directly.

(please CC me, I'm not subscribed to the list)

--- ldso/dynlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ldso/dynlink.c b/ldso/dynlink.c index cc677952..703342b8 100644 --- a/ldso/dynlink.c +++ b/ldso/dynlink.c @@ -1756,8 +1756,8 @@ void __dls3(size_t *sp, size_t *auxv) /* Only trust user/env if kernel says we're not suid/sgid */ if (!libc.secure) { - env_path = getenv("LD_LIBRARY_PATH"); - env_preload = getenv("LD_PRELOAD"); + env_path = strdup(getenv("LD_LIBRARY_PATH")); + env_preload = strdup(getenv("LD_PRELOAD")); } /* Activate error handler function */
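
Review bot: the two added lines inside the `if (!libc.secure)` block pass the result of getenv() straight to strdup() with no null check. getenv() returns a null pointer when the variable is unset, and strdup() requires a valid string, so calling it on a null pointer is undefined behaviour. Any dynamically linked program started without both LD_LIBRARY_PATH and LD_PRELOAD set would reach that call. Suggest fetching the value first and copying only when it is non-null, for example `char *p = getenv("LD_PRELOAD"); env_preload = p ? strdup(p) : 0;`, and the same for env_path. The return value of strdup() is also unchecked: a failed allocation leaves the pointer null, which silently drops the user's setting, so it is worth deciding whether that should be an error instead. A one-line comment explaining why the strings are copied (the application may later overwrite the environ area) would help later readers of this block.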