Bug 19534 - execle, execlp may use malloc
Summary: execle, execlp may use malloc
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc (show other bugs)
Version: 2.24
: P2 normal
Target Milestone: 2.24
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-29 13:42 UTC by Adhemerval Zanella
Modified: 2016-03-07 05:40 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Adhemerval Zanella 2016-01-29 13:42:05 UTC
GLIBC execl{e,p} implementation might use malloc if the total number of arguments exceed initial assumption size (1024).  This might lead to issue in two situations:

1. If execl/execle is stated to be async-signal-safe by POSIX [1].  However if execl is used in a signal handler with a large argument set (that may call malloc internally) and the resulting call fails, it might lead malloc in the program in a bad state.

2. If the functions are used in a vfork/clone(VFORK) situation it also might issue malloc internal bad state.

The straightforward fix is to avoid dynamic memory allocation and rather just use stack one for argument handling.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html
Comment 1 Sourceware Commits 2016-02-09 10:29:14 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, rth/execl has been created
        at  81e2801f2a185a7e9e21c15176270d99da5ebc6e (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=81e2801f2a185a7e9e21c15176270d99da5ebc6e

commit 81e2801f2a185a7e9e21c15176270d99da5ebc6e
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 13:43:08 2016 +1100

    alpha: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4577d8457637adac28ed34bc3f9ce0a936dc786e

commit 4577d8457637adac28ed34bc3f9ce0a936dc786e
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 15:19:32 2016 +1100

    x32: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=072dce81771f971f49f2480630842a2874a2c860

commit 072dce81771f971f49f2480630842a2874a2c860
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 13:12:33 2016 +1100

    i386: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=447f711575e70c09fd883f28d86e175993025277

commit 447f711575e70c09fd883f28d86e175993025277
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 12:53:17 2016 +1100

    x86_64: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f685eeedc6d7baf1bf822ef058e06bc1bcae4541

commit f685eeedc6d7baf1bf822ef058e06bc1bcae4541
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 11:53:32 2016 +1100

    Move posix/execl files to sysdeps/
    
    This will allow them to be overridable.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4c95c53bbb6d41b56ad56921f1e14fa43b3e997

commit c4c95c53bbb6d41b56ad56921f1e14fa43b3e997
Author: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
Date:   Mon Feb 1 14:21:03 2016 -0200

    posix: Remove dynamic memory allocation from execl{e,p}
    
    GLIBC execl{e,p} implementation might use malloc if the total number of i
    arguments exceed initial assumption size (1024).  This might lead to
    issue in two situations:
    
    1. execl/execle is stated to be async-signal-safe by POSIX [1].  However
       if execl is used in a signal handler with a large argument set (that
       may call malloc internally) and the resulting call fails, it might
       lead malloc in the program in a bad state.
    
    2. If the functions are used in a vfork/clone(VFORK) situation it also
       might issue malloc internal bad state.
    
    This patch fixes it by using stack allocation instead.  It also fixes
    BZ#19534.
    
    Tested on x86_64.
    
    Changes from previous version:
    
    - Remove arbitrary limit on stack allocation for argument handling
      (it is arbitrary and does no impose any limit since it does not
      consider current stack size neither stack size limit).
    
    [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html
    
    	[BZ #19534]
    	* posix/execl.c (execl): Remove dynamic memory allocation.
    	* posix/execle.c (execle): Likewise.
    	* posix/execlp.c (execlp): Likewise.
    Message-Id: <1454343665-1706-2-git-send-email-adhemerval.zanella@linaro.org>

-----------------------------------------------------------------------
Comment 2 Sourceware Commits 2016-02-09 11:29:17 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, rth/execl has been created
        at  5b78856069a21550d4b67b4c0a269915f37fce0f (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5b78856069a21550d4b67b4c0a269915f37fce0f

commit 5b78856069a21550d4b67b4c0a269915f37fce0f
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 13:43:08 2016 +1100

    alpha: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4577d8457637adac28ed34bc3f9ce0a936dc786e

commit 4577d8457637adac28ed34bc3f9ce0a936dc786e
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 15:19:32 2016 +1100

    x32: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=072dce81771f971f49f2480630842a2874a2c860

commit 072dce81771f971f49f2480630842a2874a2c860
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 13:12:33 2016 +1100

    i386: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=447f711575e70c09fd883f28d86e175993025277

commit 447f711575e70c09fd883f28d86e175993025277
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 12:53:17 2016 +1100

    x86_64: Implement execl{,e,p} without double stack allocation

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f685eeedc6d7baf1bf822ef058e06bc1bcae4541

commit f685eeedc6d7baf1bf822ef058e06bc1bcae4541
Author: Richard Henderson <rth@twiddle.net>
Date:   Tue Feb 9 11:53:32 2016 +1100

    Move posix/execl files to sysdeps/
    
    This will allow them to be overridable.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4c95c53bbb6d41b56ad56921f1e14fa43b3e997

commit c4c95c53bbb6d41b56ad56921f1e14fa43b3e997
Author: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
Date:   Mon Feb 1 14:21:03 2016 -0200

    posix: Remove dynamic memory allocation from execl{e,p}
    
    GLIBC execl{e,p} implementation might use malloc if the total number of i
    arguments exceed initial assumption size (1024).  This might lead to
    issue in two situations:
    
    1. execl/execle is stated to be async-signal-safe by POSIX [1].  However
       if execl is used in a signal handler with a large argument set (that
       may call malloc internally) and the resulting call fails, it might
       lead malloc in the program in a bad state.
    
    2. If the functions are used in a vfork/clone(VFORK) situation it also
       might issue malloc internal bad state.
    
    This patch fixes it by using stack allocation instead.  It also fixes
    BZ#19534.
    
    Tested on x86_64.
    
    Changes from previous version:
    
    - Remove arbitrary limit on stack allocation for argument handling
      (it is arbitrary and does no impose any limit since it does not
      consider current stack size neither stack size limit).
    
    [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html
    
    	[BZ #19534]
    	* posix/execl.c (execl): Remove dynamic memory allocation.
    	* posix/execle.c (execle): Likewise.
    	* posix/execlp.c (execlp): Likewise.
    Message-Id: <1454343665-1706-2-git-send-email-adhemerval.zanella@linaro.org>

-----------------------------------------------------------------------
Comment 3 Sourceware Commits 2016-03-07 04:59:12 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  9ff72da471a509a8c19791efe469f47fa6977410 (commit)
       via  1eb8930608705702d5746e5491bab4e4429fcb83 (commit)
       via  f83bb9b8e97656ae0d3e2a31e859363e2d4d5832 (commit)
      from  fee9eb6200f0e44a4b684903bc47fde36d46f1a5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9ff72da471a509a8c19791efe469f47fa6977410

commit 9ff72da471a509a8c19791efe469f47fa6977410
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Tue Jan 19 17:33:32 2016 -0200

    posix: New Linux posix_spawn{p} implementation
    
    This patch implements a new posix_spawn{p} implementation for Linux.  The main
    difference is it uses the clone syscall directly with CLONE_VM and CLONE_VFORK
    flags and a direct allocated stack.  The new stack and start function solves
    most the vfork limitation (possible parent clobber due stack spilling).  The
    remaning issue are related to signal handling:
    
      1. That no signal handlers must run in child context, to avoid corrupt
         parent's state.
      2. Child must synchronize with parent to enforce stack deallocation and
         to possible return execv issues.
    
    The first one is solved by blocking all signals in child, even NPTL-internal
    ones (SIGCANCEL and SIGSETXID).  The second issue is done by a stack allocation
    in parent and a synchronization with using a pipe or waitpid (in case or error).
    The pipe has the advantage of allowing the child signal an exec error (checked
    with new tst-spawn2 test).
    
    There is an inherent race condition in pipe2 usage for architectures that do not
    support the syscall directly.  In such cases the a pipe plus fctnl is used
    instead and it may lead to file descriptor leak in parent (as decribed by fcntl
    documentation).
    
    The child process stack is allocate with a mmap with MAP_STACK flag using
    default architecture stack size.  Although it is slower than use a stack buffer
    from parent, it allows some slack for the compatibility code to run scripts
    with no shebang (which may use a buffer with size depending of argument list
    count).
    
    Performance should be similar to the vfork default posix implementation and
    way faster than fork path (vfork on mostly linux ports are basically
    clone with CLONE_VM plus CLONE_VFORK).  The only difference is the syscalls
    required for the stack allocation/deallocation.
    
    It fixes BZ#10354, BZ#14750, and BZ#18433.
    
    Tested on i386, x86_64, powerpc64le, and aarch64.
    
    	[BZ #14750]
    	[BZ #10354]
    	[BZ #18433]
    	* include/sched.h (__clone): Add hidden prototype.
    	(__clone2): Likewise.
    	* include/unistd.h (__dup): Likewise.
    	* posix/Makefile (tests): Add tst-spawn2.
    	* posix/tst-spawn2.c: New file.
    	* sysdeps/posix/dup.c (__dup): Add hidden definition.
    	* sysdeps/unix/sysv/linux/aarch64/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/alpha/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/arm/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/hppa/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/i386/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/ia64/clone2.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/m68k/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/microblaze/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/mips/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/nios2/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/powerpc/powerpc32/clone.S (__clone):
    	Likewise.
    	* sysdeps/unix/sysv/linux/powerpc/powerpc64/clone.S (__clone):
    	Likewise.
    	* sysdeps/unix/sysv/linux/s390/s390-32/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/s390/s390-64/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/sh/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/sparc/sparc32/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/sparc/sparc64/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/tile/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/x86_64/clone.S (__clone): Likewise.
    	* sysdeps/unix/sysv/linux/nptl-signals.h
    	(____nptl_is_internal_signal): New function.
    	* sysdeps/unix/sysv/linux/spawni.c: New file.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1eb8930608705702d5746e5491bab4e4429fcb83

commit 1eb8930608705702d5746e5491bab4e4429fcb83
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Fri Jan 22 09:58:49 2016 -0200

    posix: execvpe cleanup
    
    This patch removes all the dynamic allocation on execvpe code and
    instead use direct stack allocation.  This is QoI approach to make
    it possible use in scenarios where memory is shared with parent
    (vfork or clone with CLONE_VM).
    
    For default process spawn (script file without a shebang), stack
    allocation is bounded by NAME_MAX plus PATH_MAX plus 1.  Large
    file arguments returns an error (ENAMETOOLONG).  This differs than
    current GLIBC pratice in general, but it used to limit stack
    allocation for large inputs.  Also, path in PATH environment variable
    larger than PATH_MAX are ignored.
    
    The shell direct execution exeception, where execve returns ENOEXEC,
    might requires a large stack allocation due large input argument list.
    
    Tested on i686, x86_64, powerpc64le, and aarch64.
    
    	* posix/execvpe.c (__execvpe): Remove dynamic allocation.
    	* posix/Makefile (tests): Add tst-execvpe{1,2,3,4,5,6}.
    	* posix/tst-execvp1.c (do_test): Use a macro to call execvp.
    	* posix/tst-execvp2.c (do_test): Likewise.
    	* posix/tst-execvp3.c (do_test): Likewise.
    	* posix/tst-execvp4.c (do_test): Likewise.
    	* posix/tst-execvpe1.c: New file.
    	* posix/tst-execvpe2.c: Likewise.
    	* posix/tst-execvpe3.c: Likewise.
    	* posix/tst-execvpe4.c: Likewise.
    	* posix/tst-execvpe5.c: Likewise.
    	* posix/tst-execvpe6.c: Likewise.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f83bb9b8e97656ae0d3e2a31e859363e2d4d5832

commit f83bb9b8e97656ae0d3e2a31e859363e2d4d5832
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Fri Jan 29 11:43:40 2016 -0200

    posix: Remove dynamic memory allocation from execl{e,p}
    
    GLIBC execl{e,p} implementation might use malloc if the total number of
    arguments exceed initial assumption size (1024).  This might lead to
    issues in two situations:
    
    1. execl/execle is stated to be async-signal-safe by POSIX [1].  However
       if execl is used in a signal handler with a large argument set (that
       may call malloc internally) and if the resulting call fails it might
       lead malloc in the program in a bad state.
    
    2. If the functions are used in a vfork/clone(VFORK) situation it also
       might issue malloc internal bad state.
    
    This patch fixes it by using stack allocation instead.  It also fixes
    BZ#19534.
    
    Tested on x86_64.
    
    [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html
    
    	[BZ #19534]
    	* posix/execl.c (execl): Remove dynamic memory allocation.
    	* posix/execle.c (execle): Likewise.
    	* posix/execlp.c (execlp): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                         |   54 +++
 include/sched.h                                   |    2 +
 include/unistd.h                                  |    1 +
 posix/Makefile                                    |    5 +-
 posix/execl.c                                     |   68 ++---
 posix/execle.c                                    |   70 ++---
 posix/execlp.c                                    |   66 ++--
 posix/execvpe.c                                   |  255 ++++++--------
 posix/tst-execvp1.c                               |    6 +-
 posix/tst-execvp2.c                               |    5 +-
 posix/tst-execvp3.c                               |    5 +-
 posix/tst-execvp4.c                               |    6 +-
 posix/tst-execvpe1.c                              |   20 +
 posix/tst-execvpe2.c                              |   20 +
 posix/tst-execvpe3.c                              |   20 +
 posix/tst-execvpe4.c                              |   20 +
 posix/tst-execvpe5.c                              |  157 ++++++++
 posix/tst-execvpe6.c                              |  150 ++++++++
 posix/tst-spawn2.c                                |   72 ++++
 sysdeps/posix/dup.c                               |    2 +-
 sysdeps/unix/sysv/linux/aarch64/clone.S           |    1 +
 sysdeps/unix/sysv/linux/alpha/clone.S             |    1 +
 sysdeps/unix/sysv/linux/arm/clone.S               |    1 +
 sysdeps/unix/sysv/linux/hppa/clone.S              |    1 +
 sysdeps/unix/sysv/linux/i386/clone.S              |    1 +
 sysdeps/unix/sysv/linux/ia64/clone2.S             |    2 +
 sysdeps/unix/sysv/linux/m68k/clone.S              |    1 +
 sysdeps/unix/sysv/linux/microblaze/clone.S        |    1 +
 sysdeps/unix/sysv/linux/mips/clone.S              |    1 +
 sysdeps/unix/sysv/linux/nios2/clone.S             |    1 +
 sysdeps/unix/sysv/linux/nptl-signals.h            |   10 +
 sysdeps/unix/sysv/linux/powerpc/powerpc32/clone.S |    1 +
 sysdeps/unix/sysv/linux/powerpc/powerpc64/clone.S |    1 +
 sysdeps/unix/sysv/linux/s390/s390-32/clone.S      |    2 +
 sysdeps/unix/sysv/linux/s390/s390-64/clone.S      |    2 +
 sysdeps/unix/sysv/linux/sh/clone.S                |    1 +
 sysdeps/unix/sysv/linux/sparc/sparc32/clone.S     |    1 +
 sysdeps/unix/sysv/linux/sparc/sparc64/clone.S     |    1 +
 sysdeps/unix/sysv/linux/spawni.c                  |  404 +++++++++++++++++++++
 sysdeps/unix/sysv/linux/tile/clone.S              |    1 +
 sysdeps/unix/sysv/linux/x86_64/clone.S            |    1 +
 41 files changed, 1162 insertions(+), 278 deletions(-)
 create mode 100644 posix/tst-execvpe1.c
 create mode 100644 posix/tst-execvpe2.c
 create mode 100644 posix/tst-execvpe3.c
 create mode 100644 posix/tst-execvpe4.c
 create mode 100644 posix/tst-execvpe5.c
 create mode 100644 posix/tst-execvpe6.c
 create mode 100644 posix/tst-spawn2.c
 create mode 100644 sysdeps/unix/sysv/linux/spawni.c
Comment 4 Adhemerval Zanella 2016-03-07 05:39:22 UTC
Fixed by 9ff72da471a509a8c19791efe469f47fa6977410.