1From 079877486d9bbe170de2fbc3cba37713d11ab224 Mon Sep 17 00:00:00 2001
2From: Mikael Voss <mvs@nyantec.com>
3Date: Wed, 23 Jul 2025 17:33:04 +0200
4Subject: [PATCH 1/2] Avoid unnecessary copy of argv[0]
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The programme is copying the contents of *argv[0] into a fixed‐size
10buffer of 512 bytes using strcpy(). This might result in a buffer
11overflow and is unnecessary as the contents are never modified.
12---
13 prctl.c | 12 +++++-------
14 1 file changed, 5 insertions(+), 7 deletions(-)
15
16diff --git a/prctl.c b/prctl.c
17index 38cbcd1..b8cb85b 100644
18--- a/prctl.c
19+++ b/prctl.c
20@@ -51,13 +51,13 @@ struct option longopts[] = {
21 int verbose=0;
22
23 void
24-print_version(char *progname)
25+print_version(char const *progname)
26 {
27 printf("%s version %s\n", progname, VERSION);
28 }
29
30 void
31-usage(char *progname)
32+usage(char const *progname)
33 {
34 print_version(progname);
35 printf("Usage: %s [-v] [-h|--help] [--version]\n", progname);
36@@ -273,8 +273,7 @@ int
37 main(int argc, char **argv)
38 {
39 int opt, cmd_start;
40- char *progname;
41- char fullpath[512];
42+ char const *progname;
43 char shellname[128];
44 int unaligned_val = -99;
45 int fpemu_val = -99;
46@@ -284,11 +283,10 @@ main(int argc, char **argv)
47 int display_all = 0;
48 int umask;
49
50- strcpy(fullpath, argv[0]);
51- if ((progname = strrchr(fullpath, '/')) != NULL) {
52+ if ((progname = strrchr(argv[0], '/')) != NULL) {
53 progname++;
54 } else {
55- progname = fullpath;
56+ progname = argv[0];
57 }
58
59 /*
60
61From c233d083cec389e10dc9e85b3a835cf81246c275 Mon Sep 17 00:00:00 2001
62From: Mikael Voss <mvs@nyantec.com>
63Date: Wed, 23 Jul 2025 17:57:59 +0200
64Subject: [PATCH 2/2] Avoid unnecessary copy of shell path
65MIME-Version: 1.0
66Content-Type: text/plain; charset=UTF-8
67Content-Transfer-Encoding: 8bit
68
69The programme tries getenv("SHELL") and
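Review bot: In the third hunk of PATCH 1/2, `strrchr(argv[0], '/')` still reads `argv[0]` without checking it, and a program can be started with an empty argument vector, in which case `argv[0]` is a null pointer and the call is undefined behaviour. The removed `strcpy()` had the same gap, so this is not a regression, but the patch is the natural place to close it: `char const *arg0 = (argc > 0 && argv[0] != NULL) ? argv[0] : "prctl";` and then use `arg0` in the `strrchr()` call and in the `else` branch. The fallback name is only a suggestion; the body of main() continues outside this hunk.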
getpwuid(getuid())->pw_shell to
70determine the preferred shell, falling back to DEFAULT_SHELL, and
71copies the contents pointed to into a fixed‐sized buffer of 128 bytes
72using strcpy().
73
74This could result in a buffer overflow and is not necessary: While both
75getenv() and getpwuid() return pointers to locations which might get
76modified by subsequent calls to their respective function families,
77they are only called once, so that these pointers can be aliased safely.
78
79In addition, getenv("SHELL") would return a null pointer if the variable
80is unset in the environment, resulting in a null pointer dereference in
81the enclosing strcpy() call.
82---
83 prctl.c | 22 +++++++++-------------
84 1 file changed, 9 insertions(+), 13 deletions(-)
85
86diff --git a/prctl.c b/prctl.c
87index b8cb85b..342419c 100644
88--- a/prctl.c
89+++ b/prctl.c
90@@ -274,7 +274,7 @@ main(int argc, char **argv)
91 {
92 int opt, cmd_start;
93 char const *progname;
94- char shellname[128];
95+ char const *shellname;
96 int unaligned_val = -99;
97 int fpemu_val = -99;
98 int mcekill_val = -99;
99@@ -443,31 +443,27 @@ main(int argc, char **argv)
100 }
101
102 printf("Starting a shell\n");
103- strcpy(shellname, getenv("SHELL"));
104-
105+ shellname = getenv("SHELL");
106+
107 /*
108 * Make sure SHELL environment variable is not unset. If it
109- * is, start bash.
110+ * is, start user login shell or bash.
111 */
112- if (shellname[0] == 0) {
113+ if (shellname == NULL) {
114 struct passwd *pwd_entry;
115
116 pwd_entry = getpwuid(getuid());
117- if (pwd_entry == NULL) {
118- strcpy(shellname, DEFAULT_SHELL);
119+ if (pwd_entry != NULL && pwd_entry->pw_shell != NULL) {
120+ shellname = pwd_entry->pw_shell;
121 } else {
122- if (pwd_entry->pw_shell != NULL) {
123- strcpy(shellname, pwd_entry->pw_shell);
124- } else {
125- strcpy(shellname, DEFAULT_SHELL);
126- }
127+ shellname = DEFAULT_SHELL;
128 }
129 }
130
131 /*
132 * Now exec the shell
133 */
134- if (execlp(shellname, (char *)shellname, (char *) 0) == -1) {
135+ if (execlp(shellname, shellname, (char *) 0) == -1) {
136 fprintf(stderr, "Failed to exec the shell: %s\n",
137 strerror(errno));
138 exit(1);
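Review bot: In the last hunk of PATCH 2/2, the new test `if (shellname == NULL)` no longer catches a SHELL that is set but empty, which the removed `shellname[0] == 0` check did. An empty value now goes straight to `execlp()` and the program exits with "Failed to exec the shell" instead of falling back to the login shell or DEFAULT_SHELL. An empty `pw_shell` field in the passwd entry takes the same path. Suggest `if (shellname == NULL || shellname[0] == '\0') {` for the outer test and `if (pwd_entry != NULL && pwd_entry->pw_shell != NULL && pwd_entry->pw_shell[0] != '\0') {` for the inner one. main() starts and ends outside this hunk.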