From: Andrey Chernov
To: "Sean C. Farley", Robert Watson, freebsd-current, Michal Mertl
Date: Fri, 13 Jul 2007 20:27:42 +0400
Subject: Re: Environment handling broken in /bin/sh with changes to {get,set,put}env()
Message-ID: <20070713162742.GA16260@nagual.pp.ru>
In-Reply-To: <20070708171727.GA90490@nagual.pp.ru>
List-Id: Discussions about the use of FreeBSD-current

On Sun, Jul 08, 2007 at 09:17:27PM +0400, Andrey Chernov wrote:
> Hmm. I just thought a bit more and feel worried about that place in the
> merge code:
>
> *equals = '\0';
> if (setenv(*env, equals + 1, 1) == -1)
>         return (-1);
> *equals = '=';
>
> because it modifies memory which may be treated as const.
>
> Consider the following scenario: getenv() is not thread-safe, but may be
[snip]

I found another breakage case not covered by your last getenv() fix.
Take this simple program:

-- a.c -------------------------------------------------------------------
#include <stdlib.h>

extern char **environ;

int
main(void)
{
	static char *nenv[2];

	nenv[0] = "PATH=/bin";		/* string literal, lives in .rodata */
	nenv[1] = NULL;
	/* environ = nenv; unsetenv("PATH"); or something like it which
	   touches the '=' char in nenv[0] */
	nenv[0][4] = '\0';		/* simulates that write to read-only memory */
	return (0);
}
-- a.c -------------------------------------------------------------------

Look at the assembler code first:

cc -S a.c
cat a.s
	.file	"a.c"
	.local	nenv.1948
	.comm	nenv.1948,8,4
	.section	.rodata
.LC0:
	.string	"PATH=/bin"
	.text
[skipped]

As you may see, the compiler puts "PATH=/bin" into the program's .rodata
section, which is placed in read-only memory. If later you modify this
single "PATH=/bin" (which now comes from "nenv") by

*equals = '\0';
...
*equals = '=';

a core dump happens, which is simulated in my simple a.c example by

nenv[0][4] = '\0';

Just run it and get a core dump.

-- 
http://ache.pp.ru/
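An added example, not code from this thread or from the libc under discussion: two ways to avoid the write into .rodata that the message describes. split_env_entry() extracts the name into a caller-supplied buffer instead of temporarily overwriting '=' in the entry, and copy_environ() duplicates an entry array such as nenv[] from a.c into heap memory so any later in-place edit only touches writable strings. Both function names are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Split "NAME=value" into NAME (copied into name[]) and a pointer to value
 * without writing into entry, so an entry living in .rodata stays intact.
 * Returns 0, or -1 if '=' is missing, the name is empty or it does not fit. */
int
split_env_entry(const char *entry, char *name, size_t namesz, const char **value)
{
	const char *equals = strchr(entry, '=');
	size_t namelen = (equals == NULL) ? 0 : (size_t)(equals - entry);
	if (namelen == 0 || namelen + 1 > namesz)
		return (-1);
	memcpy(name, entry, namelen);
	name[namelen] = '\0';
	*value = equals + 1;
	return (0);
}

/* Free an array produced by copy_environ(); tolerates a partial one. */
void
free_environ(char **env)
{
	for (size_t i = 0; env != NULL && env[i] != NULL; i++)
		free(env[i]);
	free(env);
}

/* Duplicate a NULL-terminated entry array (e.g. nenv[] from a.c, built from
 * literals) into heap memory so every string is writable; NULL on failure. */
char **
copy_environ(char *const *src)
{
	size_t i, n, len;
	char **dst;
	for (n = 0; src[n] != NULL; n++)
		;
	if ((dst = calloc(n + 1, sizeof(*dst))) == NULL)
		return (NULL);
	for (i = 0; i < n; i++) {
		len = strlen(src[i]) + 1;
		if ((dst[i] = malloc(len)) == NULL) {
			free_environ(dst);	/* entries after i are still NULL */
			return (NULL);
		}
		memcpy(dst[i], src[i], len);
	}
	return (dst);
}
```

A program like a.c would call copy_environ() on nenv before assigning the result to environ if anything may later edit those strings in place.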