-
Notifications
You must be signed in to change notification settings - Fork 560
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calls to getenv are buggy in core C code #14476
Comments
From @khwilliamsonThis is a bug report for perl from khw@khw, A bug that is showing up in os390 appears to be caused by a general s = PerlEnv_getenv("PERL5OPT") and then parse 's', 's' could be corrupted by any other call to one of If the result of a getenv is saved for later use, it should be copied, The core should be audited for occurrences of this issue. Thanks to ilmari and alh for discussing this with me on #p5p Flags: Site configuration information for perl 5.21.9: Configured by khw at Thu Feb 5 08:31:14 MST 2015. Summary of my perl5 (revision 5 version 21 subversion 9) configuration: @INC for perl 5.21.9: Environment for perl 5.21.9: PATH=/home/khw/bin:/home/khw/perl5/perlbrew/bin:/home/khw/print/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games:/usr/local/games:/home/khw/cxoffice/bin |
From @wolfsageOn Thu, Feb 5, 2015 at 5:31 PM, karl williamson
I've added a test case for this particular issue with I can get this, and locale.t... not ok 30 - LANG is used if LC_ALL, LC_NUMERIC are invalid ...to fail by LD_PRELOADING replacements for *env functions that share The locale.t failures are because of in locale.c, we do 3 getenvs and char * const lc_all = PerlEnv_getenv("LC_ALL"); It's not an ideal testing scenario but I believe it behaves as the If I switch the problematic PerlEnv_getenv calls to something like: char *s, *sx; The problem goes away with my test setup (but now we leak memory?). There are a number of other suspicious calls that don't seem to fail -- Matthew Horsfall (alh) |
The RT System itself - Status changed from 'new' to 'open' |
From editor.buzzfeed@yahoo.comIn the example above,from perl.c, while parsing, it can call moreswitches(), which actually does a putenv() in some circumstances. I haven't investigated to see if the flow actually permits to this happen, but if not, it's just by luck. If the result of a getenv is saved for later use, it should be copied, savepv(), or else the results are undefined. The core should be audited for occurrences of this issue. -- |
From [Unknown Contact. See original ticket]In the example above,from perl.c, while parsing, it can call moreswitches(), which actually does a putenv() in some circumstances. I haven't investigated to see if the flow actually permits to this happen, but if not, it's just by luck. If the result of a getenv is saved for later use, it should be copied, savepv(), or else the results are undefined. The core should be audited for occurrences of this issue. -- |
From @bulk88Matthew Horsfall (alh) wrote:
background http://man7.org/linux/man-pages/man3/getenv.3.html Indiscriminately duplicating the memory block is not something I support. One way of implementing getenv is storing the environment as double null Implementation 2, to stop the "security exploit" of getenv's ptr Implementation 3, you supply your own buffer and its length, Win32 Perl uses a combination of #1 |
From @craigberryOn Thu, Feb 5, 2015 at 4:31 PM, karl williamson
I think in this particular case (S_parse_body), whenever moreswitches popt_copy = SvPVX(sv_2mortal(newSVpv(d,0))); so in other words it's already following your advice. Not sure if
And obviously mortalized to prevent memory leaks. Or copied to
I agree.
|
From @wolfsageOn Fri, Feb 6, 2015 at 10:30 AM, Craig A. Berry <craig.a.berry@gmail.com> wrote:
That's only if PERL5OPT contains a space after the '-', like: PERL5OPT="- d:Trace" But if it's: PERL5OPT="-d:Trace", popt_copy never happens: if (!*s) -- Matthew Horsfall (alh) |
From @khwilliamsonlocale.c has now been fixed in this regard, and now passes on os390 Attached is a list of potential problematic places to audit, based on a |
From @khwilliamson |
From @khwilliamsonI looked through the list and found only one place where I thought it was problematic, which I fixed in commit 9e0b0d6 I didn't look at the specific platform files, like os2 ones. Feel free to look at the list, or generate your own. But I am satisfied enough that I'm closing this ticket. I will add some textin the next day or two mentioning this issue in perlhacktips |
@khwilliamson - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#123748 (status was 'resolved')
Searchable as RT123748$
The text was updated successfully, but these errors were encountered: