bug#47412: env: fragile argument parsing

bug-coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47412: env: fragile argument parsing

From:	Frank Busse
Subject:	bug#47412: env: fragile argument parsing
Date:	Fri, 26 Mar 2021 15:00:17 +0000

Hi,


env crashes for some nonsensical command line arguments (reported by
KLEE), e.g.:

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"

=================================================================
==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
WRITE of size 8 at 0x603000000028 thread T0
 #0 0x562e1cc10789 in build_argv src/env.c:511
 #1 0x562e1cc10982 in parse_split_string src/env.c:548
 #2 0x562e1cc127bc in main src/env.c:849
 #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)

0x603000000028 is located 0 bytes to the right of 24-byte region
[0x603000000010,0x603000000028)
allocated by thread T0 here:
 #0 0x7f1c16a3b459 in __interceptor_malloc 
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
 #2 0x562e1cc0ff54 in build_argv src/env.c:404
 #3 0x562e1cc10982 in parse_split_string src/env.c:548
 #4 0x562e1cc127bc in main src/env.c:849
 #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---

or

---
> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\xff 
> \r\x0b\t\x0b-')"

=================================================================
==140886==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603000000030 at pc 0x55821372878a bp 0x7ffdd6e4bc40 sp 0x7ffdd6e4bc30
WRITE of size 8 at 0x603000000030 thread T0
 #0 0x558213728789 in build_argv src/env.c:511
 #1 0x558213728982 in parse_split_string src/env.c:548
 #2 0x55821372a7bc in main src/env.c:849
 #3 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 #4 0x55821372654d in _start (coreutils-8.32/src/env+0x654d)

0x603000000030 is located 0 bytes to the right of 32-byte region
[0x603000000010,0x603000000030) allocated by thread T0 here:
 #0 0x7f5b0611d459 in 
__interceptor_malloc/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
 #1 0x558213731463 in xmalloc lib/xmalloc.c:41
 #2 0x558213727f54 in build_argv src/env.c:404
 #3 0x558213728982 in parse_split_string src/env.c:548
 #4 0x55821372a7bc in main src/env.c:849
 #5 0x7f5b05ec5b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/env.c:511 in build_argv
---


Version: 8.32
Configure: CFLAGS="-ggdb -O0 -fsanitize=address" ./configure --without-selinux 
--without-gmp --disable-acl --disable-largefile --disable-libsmack 
--disable-xattr --disable-libcap --disable-nls


Kind regards,

Frank

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47412: env: fragile argument parsing, Frank Busse <=
- bug#47412: env: fragile argument parsing, Pádraig Brady, 2021/03/26
  - bug#47412: env: fragile argument parsing, Paul Eggert, 2021/03/26
- bug#47412: env: fragile argument parsing, Paul Eggert, 2021/03/26
  - bug#47412: env: fragile argument parsing, Paul Eggert, 2021/03/26
    - bug#47412: env: fragile argument parsing, Paul Eggert, 2021/03/30
  - bug#47412: env: fragile argument parsing, Pádraig Brady, 2021/03/29

Prev by Date: bug#47324: Missing information in documentation
Next by Date: bug#47412: env: fragile argument parsing
Previous by thread: bug#47384: [PATCH 1/2] hostname: fix a memory leak with -Dlint
Next by thread: bug#47412: env: fragile argument parsing
Index(es):
- Date
- Thread