From patchwork Wed Mar 11 16:11:59 2015
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 5582
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
From: Paul Pluzhnikov
Date: Wed, 11 Mar 2015 09:11:59 -0700
Subject: [patch] Error on setenv(..., NULL, ...)
To: GLIBC Devel

Greetings,

The following test program:

#include <stdlib.h>
#include <stdio.h>
int main()
{
  setenv("ZZZ", NULL, 1);        /* NULL value: the case under discussion */
  char *p = getenv("ZZZ");
  printf("%c\n", p[0]);          /* reads past the end of the 4-byte block */
  return 0;
}

produces an "unusable" environment, in which getenv("ZZZ") succeeds, but you
can't look at any bytes of the resulting pointer:

gcc -g t.c
t.c: In function ‘main’:
t.c:5:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   setenv("ZZZ", NULL, 1);
   ^

valgrind ./a.out
==27832== Invalid read of size 1
==27832==    at 0x4005FB: main (/tmp/t.c:7)
==27832==  Address 0x4dea3e4 is 0 bytes after a block of size 4 alloc'd
==27832==    at 0x40307C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==27832==    by 0x4A60C59: __add_to_environ (/build/buildd/eglibc-2.19/stdlib/setenv.c:193)
==27832==    by 0x40344BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==27832==    by 0x4005E8: main (/tmp/t.c:5)

See also https://sourceware.org/ml/libc-alpha/2015-03/msg00402.html, where
GLIBC performed the bad setenv() itself.

The attached trivial patch makes setenv(..., NULL, ...) fail instead of
producing a "bad" environment.

Tested on Linux/x86_64, no new failures.

Thanks,

2015-03-11  Paul Pluzhnikov

	* stdlib/setenv.c (setenv): Reject NULL value in setenv.

diff --git a/stdlib/setenv.c b/stdlib/setenv.c index b60c4f0..63a95cf 100644 --- a/stdlib/setenv.c +++ b/stdlib/setenv.c @@ -240,7 +240,8 @@ setenv (name, value, replace) const char *value; int replace; { - if (name == NULL || *name == '\0' || strchr (name, '=') != NULL + if (name == NULL || *name == '\0' || strchr (name, '=') != NULL + || value == NULL) { __set_errno (EINVAL); return -1;
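
Review bot: The new `|| value == NULL` clause in the setenv argument check may not survive compilation, because the -Wnonnull warning quoted in the message shows that argument 2 is declared non-null. If that attribute is visible when stdlib/setenv.c is built, the compiler is entitled to assume `value` is never NULL and drop the test, so please confirm the comparison is present in the built object, or adjust the declaration so the attribute and the runtime check agree. The diff also touches only stdlib/setenv.c: the test program from the message, changed to expect a return of -1 with errno set to EINVAL, would make a good regression test, and the documented EINVAL conditions for setenv should mention a NULL value.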