Hi,
The getenv() library call can trap under certain conditions. It compares the passed in
environment variable name (var) with the name=variables (*ep) in the environment area and
returns a pointer to the value in the environment if it exists. To accomplish this, it
does a memcmp() using the length of the passed in name (len) for each environment variable
(*ep) against the passed in name (var). So memcmp will attempt to scan both strings for
len bytes. However, if for some reason, len is equal to or greater than 16 and longer
than the length of the *ep in the environment and the *ep resides near the end of a page
boundary while the next page is not present or mapped, the memcmp could trap with a
sigsegv error while continuing the scan with the optimization read-ahead. However, if
strncmp is used instead, there is no problem since both source and destination scanning
will stop when either reaches a terminating NULL.
Test case: We are using gcc 4.8.5 and uclibc 1.0.31. With a small environment area,
attempt to do a getenv() using a variable name such as "1234567890123456".
Example: file run.c contains:
#include <stdlib.h>
#include <stdio.h>
int main(void)
{
/* 16-byte name: long enough to hit the wide read-ahead in memcmp() */
char *n = getenv("1234567890123456");
/* guard the NULL case: printf("%s", NULL) is undefined behaviour */
printf("Return val: \"%s\"\n", n ? n : "(unset)");
return 0;
}
Then
<sh> cc run.c -o run
<sh> env -i 123=123 ./run.
Segmentation fault
Proposed fix:
--- uclibc/libc/stdlib/getenv.c 2019-11-13 17:22:26.260187664 -0500
+++ uclibc/libc/stdlib/getenv.c 2019-11-13 17:22:39.376111771 -0500
@@ -20,7 +20,7 @@
return NULL;
len = strlen(var);
while(*ep) {
- if (memcmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
+ if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
return *ep + len + 1;
}
ep++;
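Review bot: the one-line change is correct, but the commit message should name the actual defect rather than only the page-boundary trap: memcmp(var, *ep, len) reads len bytes of *ep unconditionally, so any lookup name longer than an environment entry reads past that entry's NUL terminator, which is an out-of-bounds read whether or not an unmapped page happens to follow (the SIGSEGV from the read-ahead is just the visible symptom). After strncmp() returns 0 for all len bytes, *ep is at least len bytes long, so the following (*ep)[len] == '=' read stays in bounds; worth stating that in the message too. For upstream submission, send it as a git-format patch (paths relative to the repository root, i.e. libc/stdlib/getenv.c, with a Signed-off-by line) rather than a unified diff against timestamped copies.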
Then
<sh> env -i 123=123 ./run.
<sh>
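As an added example (not part of the original report or of uClibc), the same lookup logic written over an explicit, constructed envp array so the bounds argument can be checked in isolation: strncmp() stops at the first NUL in either string, so a name longer than an entry never reads beyond that entry. The env_lookup name and the sample environment are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample environment: "123=123" is the short entry from the
 * report, "1234567890123456" the 16-byte name that triggered the trap. */
static const char *const sample_env[] = {
    "123=123",
    "HOME=/tmp",
    "1234567890123456=long",
    NULL
};

/* getenv-style lookup over a NULL-terminated array of "name=value"
 * strings. Returns a pointer to the value, or NULL if the name is unset.
 *
 * Every read is bounded by a terminator:
 *  - strncmp() stops at the first NUL in either string, so a name longer
 *    than an environment entry never reads past that entry's terminator
 *    (the over-read that memcmp(var, *ep, len) performs);
 *  - when strncmp() returns 0 for all len bytes, *ep is at least len bytes
 *    long, so (*ep)[len] lies within the entry (at worst it is its NUL). */
const char *env_lookup(const char *const *envp, const char *var)
{
    if (envp == NULL || var == NULL || *var == '\0')
        return NULL;
    size_t len = strlen(var);
    for (const char *const *ep = envp; *ep != NULL; ep++) {
        if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=')
            return *ep + len + 1;
    }
    return NULL;
}

int main(void)
{
    /* name longer than the first entry: safe, finds the third entry */
    const char *v = env_lookup(sample_env, "1234567890123456");
    printf("1234567890123456 -> %s\n", v ? v : "(unset)");
    /* prefix of an entry name must not match: "12" vs "123=123" */
    v = env_lookup(sample_env, "12");
    printf("12 -> %s\n", v ? v : "(unset)");
    return 0;
}
```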
Can we get this patch upstream?
Thanks,
----
John Ata, CISSP
Senior Principal Software Engineer
Electronics Systems
STOP Operating System <http://www.baesystems.com/en-us/product/stop> Software Development
T 703-563-8115 | F 703-668-4359 | john.ata@baesystems.com
http://www.baesystems.com/csp