Bug 11571

Summary: getlogin_r (NULL, 0) segfaults
Product: glibc
Reporter: Richard Jones <rjones>
Component: libc
Assignee: Ulrich Drepper <drepper.fsp>
Status: RESOLVED FIXED
Severity: normal
CC: glibc-bugs
Priority: P2
Flags: fweimer: security-
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Richard Jones 2010-05-05 16:01:24 UTC
#include <unistd.h>

int main (void)
{
  getlogin_r (NULL, 0);   /* zero-length buffer: crashes on glibc 2.12 */
  return 0;
}
----
$ gcc -g test.c -o test
$ ./test 
Segmentation fault (core dumped)
----

This seems to be a regression in glibc 2.12, since glibc 2.11.90
did not segfault under these conditions.

The stack trace is:

Program received signal SIGSEGV, Segmentation fault.
__strncpy_sse2 (s1=0x0, s2=0x7fffffffdee1 "jones", n=18446744073709551615)
    at ./strncpy.c:43
43		  *++s1 = c;
(gdb) bt
#0  __strncpy_sse2 (s1=0x0, s2=0x7fffffffdee1 "jones", n=18446744073709551615)
    at ./strncpy.c:43
#1  0x00007ffff7b071d2 in __getlogin_r_loginuid (name=0x0, namesize=0)
    at ../sysdeps/unix/sysv/linux/getlogin_r.c:84
#2  0x00007ffff7b07299 in getlogin_r (name=0x0, namesize=0)
    at ../sysdeps/unix/sysv/linux/getlogin_r.c:103
#3  0x00000000004004d7 in main () at test.c:5
Comment 1 Richard Jones 2010-05-05 16:03:25 UTC
Note the problem is the zero length, not the
NULL pointer.  For example this also segfaults:

#include <unistd.h>

int main (void)
{
  char buffer[10000];     /* valid, large buffer */
  getlogin_r (buffer, 0); /* still crashes: the size 0 is the trigger */
  return 0;
}
Comment 2 Richard Jones 2010-05-05 16:08:43 UTC
Problem is:

  getlogin_r.c:84   strncpy (name, pwd.pw_name, namesize - 1);

http://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/getlogin_r.c;h=d9c66fe2598fb9dbc0fe1a6577f5db4205980392;hb=HEAD#l84

namesize == 0, so it calls strncpy with -1 as the 3rd parameter.
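The unsigned underflow behind this report, next to a copy step that checks the size before doing arithmetic on it, as an added example in C (not glibc's code or its eventual fix; the function names are hypothetical):

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What the reported line computes when namesize == 0: size_t subtraction
 * wraps to SIZE_MAX, so strncpy receives an effectively unbounded length
 * (the n=18446744073709551615 shown in the backtrace). */
size_t strncpy_bound_as_reported(size_t namesize)
{
    return namesize - 1;
}

/* Hardened copy step (hypothetical helper): validate the destination size
 * before any arithmetic on it, and copy only if the whole name plus its
 * NUL terminator fits.  Returns 0 on success or an errno value, matching
 * the getlogin_r convention of ERANGE for a too-small buffer. */
int copy_login_name(char *name, size_t namesize, const char *login)
{
    if (namesize == 0)
        return ERANGE;            /* no room even for the terminator */
    if (name == NULL)
        return EINVAL;            /* caller error, never dereference */
    size_t len = strlen(login);
    if (len >= namesize)
        return ERANGE;            /* would truncate or overflow */
    memcpy(name, login, len + 1); /* len + 1 <= namesize, includes NUL */
    return 0;
}
```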
Comment 3 Ulrich Drepper 2010-05-05 16:45:22 UTC
Fixed in git.