This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/17048] New: posix_spawn_file_actions_addopen fails to copy the path argument
- From: "alex.gaynor at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 11 Jun 2014 20:19:32 +0000
- Subject: [Bug libc/17048] New: posix_spawn_file_actions_addopen fails to copy the path argument
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17048
Bug ID: 17048
Summary: posix_spawn_file_actions_addopen fails to copy the path argument
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: alex.gaynor at gmail dot com
CC: drepper.fsp at gmail dot com
Per the specification
(http://pubs.opengroup.org/onlinepubs/000095399/functions/posix_spawn_file_actions_addclose.html)
it is supposed to. The result of not copying is that programs can easily
trigger use-after-free bugs, or other situations where the path is mutated. The
following program demonstrates this issue:
#include <assert.h>
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

int main(void) {
    int res;
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);

    /* Build the path in a heap buffer so it can be wiped and freed later. */
    const char *orig_path = "/tmp/afddsa";
    char *path = malloc(strlen(orig_path) + 1);
    assert(path != NULL);
    strcpy(path, orig_path);

    /* Per POSIX the implementation must copy `path` here; glibc stores the
       pointer instead, so the buffer is still referenced after this call. */
    res = posix_spawn_file_actions_addopen(
        &fa, 1, path, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
    assert(res == 0);

    /* Deliberately wipe and free the buffer before the spawn: a conforming
       implementation is unaffected, a non-copying one reads freed memory. */
    memset(path, 0, strlen(orig_path));
    free(path);

    char *argv[] = {"/bin/echo", NULL};
    pid_t pid;
    res = posix_spawn(&pid, "/bin/echo", &fa, NULL, argv, environ);
    assert(res == 0);

    int status;
    waitpid(pid, &status, 0);
    printf("%d\n", WEXITSTATUS(status));

    posix_spawn_file_actions_destroy(&fa);
    return 0;
}
This bug was jointly discovered by David Reid, Alex Gaynor, and Glyph Lefkowitz.
--
You are receiving this mail because:
You are on the CC list for the bug.
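The defensive pattern a caller needs on a libc that records the raw pointer, as the report describes, is to own the path buffer until posix_spawn has consumed it. The following is an added example, not the reporter's program and not glibc code: a hypothetical wrapper (the `owned_actions*` names and `copy_string` are assumptions made here) that gives addopen a private heap copy and only releases it in its own destroy, so the caller can free or overwrite its buffer immediately, exactly as the reproducer above does. The demo function replays the report's wipe-and-free sequence against the wrapper; the sample path is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical wrapper, not a glibc API: file actions that keep a private
 * copy of each addopen path (what POSIX requires of addopen itself), so the
 * caller may free or overwrite its buffer as soon as addopen returns. */
struct owned_actions {
    posix_spawn_file_actions_t fa;
    char **paths;    /* heap copies, released in owned_actions_destroy */
    size_t npaths;
};

static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    return c ? memcpy(c, s, n) : NULL;
}

int owned_actions_init(struct owned_actions *oa) {
    oa->paths = NULL;
    oa->npaths = 0;
    return posix_spawn_file_actions_init(&oa->fa);
}

int owned_actions_addopen(struct owned_actions *oa, int fd, const char *path,
                          int oflag, mode_t mode) {
    char *copy = copy_string(path);
    char **grown = copy ? realloc(oa->paths, (oa->npaths + 1) * sizeof(char *))
                        : NULL;
    if (grown == NULL) {
        free(copy);
        return ENOMEM;
    }
    oa->paths = grown;
    /* glibc records the pointer it is handed; hand it our copy, which lives
     * until owned_actions_destroy, i.e. beyond the posix_spawn call. */
    int rc = posix_spawn_file_actions_addopen(&oa->fa, fd, copy, oflag, mode);
    if (rc != 0) {
        free(copy);
        return rc;
    }
    oa->paths[oa->npaths++] = copy;
    return 0;
}

void owned_actions_destroy(struct owned_actions *oa) {
    posix_spawn_file_actions_destroy(&oa->fa);
    for (size_t i = 0; i < oa->npaths; i++)
        free(oa->paths[i]);
    free(oa->paths);
    oa->paths = NULL;
    oa->npaths = 0;
}

/* Replays the report's sequence (wipe and free the caller's buffer right after
 * addopen) against the wrapper; returns 1 if the recorded path is intact. */
int demo_path_survives_caller_free(void) {
    const char *orig_path = "/tmp/afddsa";   /* constructed sample path */
    struct owned_actions oa;
    char *path = copy_string(orig_path);
    if (path == NULL || owned_actions_init(&oa) != 0)
        return 0;
    int rc = owned_actions_addopen(&oa, STDOUT_FILENO, path,
                                   O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
    memset(path, 0, strlen(orig_path));
    free(path);
    int intact = rc == 0 && oa.npaths == 1 && strcmp(oa.paths[0], orig_path) == 0;
    owned_actions_destroy(&oa);
    return intact;
}

/* Stand-alone run: redirect /bin/echo's stdout to /tmp/afddsa via the wrapper. */
int main(void) {
    struct owned_actions oa;
    char *path = copy_string("/tmp/afddsa");
    if (path == NULL || owned_actions_init(&oa) != 0)
        return 1;
    int rc = owned_actions_addopen(&oa, STDOUT_FILENO, path,
                                   O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
    free(path);   /* safe now: the wrapper holds its own copy */
    char *argv[] = {"/bin/echo", "redirected", NULL};
    pid_t pid;
    int status = -1;
    if (rc == 0 && posix_spawn(&pid, "/bin/echo", &oa.fa, NULL, argv, environ) == 0)
        waitpid(pid, &status, 0);
    owned_actions_destroy(&oa);   /* only after the spawn has consumed the copy */
    printf("%d\n", WEXITSTATUS(status));
    return 0;
}
```

The ordering in main is the whole point: the copy handed to glibc is released only in owned_actions_destroy, after posix_spawn has returned, so nothing the spawn dereferences has been freed or mutated in between. Without a wrapper the same rule applies directly to the caller's buffer: do not free or modify it until posix_spawn has returned.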