Hi,
The
getenv() library call can trap under certain conditions.
It compares the passed in environment variable name (var) with the name=variables (*ep) in the environment area and returns a pointer to the value in the environment if it exists.
To accomplish this, it does a memcmp() using the length of the passed in name (len) for each environment variable (*ep) against the passed in name (var).
So memcmp will attempt to scan both strings for
len bytes. However, if for some reason,
len is equal to or greater than 16 and
longer than the length of the *ep in the environment and the *ep resides near the end of a page boundary while the next page is not present or mapped, the
memcmp could trap with a sigsegv error while continuing the scan with the optimization read-ahead. However, if
strncmp is used instead, there is no problem since both source and destination scanning will stop when either reaches a terminating NULL
Test case: We are using
gcc 4.8.5 and uclibc 1.0.31. With a small environment area, attempt to do a
getenv() using a variable name such as “1234567890123456”. Example: file
run.c contains:
#include <stdlib.h>
#include <stdio.h>
int main()
{
char *n;
n = getenv("1234567890123456");
printf("Return val: \"%s\"\n", n);
return 0;
}
Then
<sh> cc
run.c -o run
<sh>
env –i 123=123 ./run.
Segmentation fault
Proposed fix:
--- uclibc/libc/stdlib/getenv.c
2019-11-13 17:22:26.260187664 -0500
+++ uclibc/libc/stdlib/getenv.c
2019-11-13 17:22:39.376111771 -0500
@@ -20,7 +20,7 @@
return NULL;
len = strlen(var);
while(*ep) {
-
if (memcmp(var, *ep,
len) == 0 && (*ep)[len] == '=') {
+
if (strncmp(var, *ep,
len) == 0 && (*ep)[len] == '=') {
return *ep + len + 1;
}
ep++;
Then
<sh>
env –i 123=123 ./run.
<sh>
Can we get this patch upstream?
Thanks,
----
John Ata,
CISSP
Senior Principal Software Engineer
Electronics Systems
STOP Operating System Software
Development
T 703-563-8115 | F 703-668-4359 |
john.ata@baesystems.com
