Re: Bug#527171: [zsh] segfaults on long environment variables

Re: Bug#527171: [zsh] segfaults on long environment variables

[Clint Adams]

On Wed, May 06, 2009 at 02:35:05AM +0200, Nico Golde wrote:
> export BLA=$(perl -e "print 'A' x 100000000;")
> 
> results in zsh segfaulting:
> [335969.515454] zsh[29005]: segfault at 7fff1b357858 ip 7fb5184a5855 sp 7fff1b357860 error 6 in libc-2.9.so[7fb518471000+149000]

The segfault is not in the assignment but in the export (zputenv).

Re: Bug#527171: [zsh] segfaults on long environment variables

[Nico Golde]

[-- Attachment #1: Type: text/plain, Size: 1250 bytes --]

Hi,
* Clint Adams <schizo@debian.org> [2009-05-06 04:12]:
> On Wed, May 06, 2009 at 02:35:05AM +0200, Nico Golde wrote:
> > export BLA=$(perl -e "print 'A' x 100000000;")
> > 
> > results in zsh segfaulting:
> > [335969.515454] zsh[29005]: segfault at 7fff1b357858 ip 7fb5184a5855 sp 7fff1b357860 error 6 in libc-2.9.so[7fb518471000+149000]
> 
> The segfault is not in the assignment but in the export (zputenv).

Yes:
gdb> bt
#0  0x00007f7d977fb855 in ?? () from /lib/libc.so.6
#1  0x0000000000470725 in zputenv ()
#2  0x0000000000470853 in addenv ()
#3  0x000000000046b2b5 in export_param ()
#4  0x000000000046b879 in setstrvalue ()
#5  0x000000000046cd3a in assignsparam ()
#6  0x00000000004170d5 in ?? ()
#7  0x00000000004194b2 in bin_typeset ()
#8  0x0000000000410418 in execbuiltin ()
#9  0x0000000000430668 in ?? ()
#10 0x000000000042bf65 in ?? ()
#11 0x000000000042b15f in ?? ()
#12 0x000000000042a867 in execlist ()
#13 0x000000000042a2f2 in execode ()
#14 0x0000000000445bfa in loop ()
#15 0x0000000000448a62 in zsh_main ()
#16 0x000000000040f9b7 in main ()

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

Re: Bug#527171: [zsh] segfaults on long environment variables

[Peter Stephenson]

On Wed, 6 May 2009 01:38:28 +0000
Clint Adams <schizo@debian.org> wrote:
> On Wed, May 06, 2009 at 02:35:05AM +0200, Nico Golde wrote:
> > export BLA=$(perl -e "print 'A' x 100000000;")
> > 
> > results in zsh segfaulting:
> > [335969.515454] zsh[29005]: segfault at 7fff1b357858 ip 7fb5184a5855 sp 7fff1b357860 error 6 in libc-2.9.so[7fb518471000+149000]
> 
> The segfault is not in the assignment but in the export (zputenv).

This appears to be failing within setenv() which (as far as I can tell)
is being passed a perfectly valid string.  setenv() is supposed to fail
gracefully and set errno to ENOMEM if it doesn't fit in the environment
but apparently isn't.  I believe the environment size is limited by
ARG_MAX on POSIX-like systems, but it's not usually tested by the caller
(which doesn't know how much space is left).

-- 
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/