From: Will Dietz
Newsgroups: gmane.linux.lib.musl.general
Subject: posix_spawnp stack overflow/corruption by child when PATH is large?
Date: Thu, 14 Sep 2017 15:39:35 -0500
To: musl@lists.openwall.com
Hi,

I believe there is a bug in posix_spawn/execvpe; please take a look and confirm, or kindly let me know if I'm mistaken and accept my apologies :).

It looks like __posix_spawnx calls clone() with a 1024-byte stack buffer (allocated from its own stack), which is insufficient to handle the stack allocations performed in execvpe, which are something around a few bytes more than NAME_MAX+PATH_MAX. This path is taken when using posix_spawnp, and the problem exists on 1.1.16 and latest git.
For what it's worth, I tracked this down from a crash in 'bison' when invoking m4, but I've had success reproducing it with the following demo program and driver script:

-------------------------------------------
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

int main() {
  pid_t p;
  char *argv[] = {"sh", "-c", "echo Hello", NULL};
  int s, status;

  /* posix_spawnp searches PATH for "sh"; it returns an error number
   * instead of setting errno, so report it with strerror(). */
  s = posix_spawnp(&p, "sh", NULL, NULL, argv, environ);
  if (s) {
    fprintf(stderr, "posix_spawnp: %s\n", strerror(s));
    exit(1);
  }
  s = waitpid(p, &status, 0);
  printf("pid: %d, s: %d, status: %d\n", p, s, status);
  return 0;
}
--------------

And a little shell script to create a suitably large PATH (mostly to demonstrate what I mean, not for unmodified use):

---------------
#!/bin/sh
SLASH_100_As="/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SUFFIX="/123456789012345678901234567" #1234567890" #1234567890"
VAR="/bin:$SUFFIX"
for x in `seq 10`; do
  VAR="${SLASH_100_As}:$VAR"
done
echo $VAR
echo $VAR|wc -c

# Works fine with normal PATH
~/cur/musl-spawn/test
~/cur/musl-spawn/test

# Crashes when PATH is ~1050 characters
PATH=$VAR \
  ~/cur/musl-spawn/test
--------------

Where "~/cur/musl-spawn/test" is the test program compiled against musl.

I cannot speak regarding any security implications, but since this may grant some measure of stack-scribbling powers, it seems to warrant being given brief attention in this context.

An easy fix is to bump the size of the 'char stack[1024]' in src/process/posix_spawn.c to a suitable value; 8096 is overkill but does the trick, for example.

Please let me know if I'm missing something or if details are not clear.

Thanks!

~Will
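As an added illustration (not the poster's code and not musl's), a small C model of the sizing problem described above: it rebuilds the ~1050-byte PATH the driver script produces, sizes the path-search scratch buffer the way the report describes it (PATH length plus file name plus a few bytes; the exact formula is an assumption), and checks that against the 1024-byte child stack and the suggested 8096-byte one.

```c
#include <limits.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#ifndef NAME_MAX
#define NAME_MAX 255
#endif
#define CHILD_STACK_REPORTED 1024 /* 'char stack[1024]' described in the report */
#define CHILD_STACK_PROPOSED 8096 /* the replacement size the report suggests   */

static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n]) n++;
    return n;
}

/* Assumed model of the path-search scratch buffer (not musl's own code):
 * the "<dir>/<file>" candidate is built in a VLA sized from the PATH length
 * (capped at PATH_MAX-1) plus the file name length (capped at NAME_MAX). */
size_t execvpe_scratch_bytes(const char *path, const char *file) {
    size_t l = bounded_len(path, PATH_MAX - 1) + 1;
    size_t k = bounded_len(file, NAME_MAX);
    return l + k + 1;
}

/* 1 if the scratch buffer plus `slack` bytes for callee frames fits in a
 * child stack of stack_bytes, 0 if the child would write past its end. */
int fits_child_stack(size_t stack_bytes, size_t scratch, size_t slack) {
    return scratch + slack <= stack_bytes;
}

/* Rebuilds the PATH from the driver script: ten "/" + 100 x 'a' components
 * in front of "/bin:/123456789012345678901234567" (1053 bytes, constructed). */
const char *large_path(void) {
    static char buf[2048];
    size_t n = 0;
    for (int i = 0; i < 10; i++) {
        buf[n++] = '/';
        memset(buf + n, 'a', 100); n += 100;
        buf[n++] = ':';
    }
    strcpy(buf + n, "/bin:/123456789012345678901234567");
    return buf;
}
```

Under this model execvpe_scratch_bytes(large_path(), "sh") is 1057 bytes, already past the 1024-byte child stack before any call frames are counted, while a normal PATH such as "/bin:/usr/bin" needs only 17.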