From patchwork Mon Nov 12 12:53:37 2018
X-Patchwork-Submitter: Ron Yorston
X-Patchwork-Id: 10678623
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Date: Mon, 12 Nov 2018 12:53:37 +0000
From: Ron Yorston To: dash@vger.kernel.org Subject: [PATCH] var: ensure variables are fully initialised when unset Message-ID: <5be977d1.kOQ/st5GzBzGJ5of%rmy@frippery.org> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Sender: dash-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: dash@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When a variable is unset by calling setvar(name, 0, 0) the code to initialise the new, empty variable omits the trailing '='. Attempts to read the contents of the unset variable will result in the uninitialised character at the end of the string being accessed. For example, running dash under Valgrind and unsetting PATH: $ valgrind ./src/dash ==9117== Memcheck, a memory error detector ==9117== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==9117== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==9117== Command: ./src/dash ==9117== $ unset PATH ==9117== Conditional jump or move depends on uninitialised value(s) ==9117== at 0x40642C: changepath (exec.c:578) ==9117== by 0x411EEB: setvareq (var.c:269) ==9117== by 0x41201B: setvar (var.c:215) ==9117== by 0x4128D4: unsetvar (var.c:628) This issue was reported for BusyBox ash: https://bugs.busybox.net/show_bug.cgi?id=8721 Signed-off-by: Ron Yorston --- src/var.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/var.c b/src/var.c index 0d7e1db..d4d8bd2 100644 --- a/src/var.c +++ b/src/var.c @@ -207,8 +207,8 @@ struct var *setvar(const char *name, const char *val, int flags) } INTOFF; p = mempcpy(nameeq = ckmalloc(namelen + vallen + 2), name, namelen); + *p++ = '='; if (val) { - *p++ = '='; p = mempcpy(p, val, vallen); } *p = '\0';
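Review bot: with `*p++ = '=';` now written before `if (val)`, a NULL val produces exactly the same "name=" string as an empty val, so the string alone no longer tells an unset variable from one set to the empty string; a one-line comment at that assignment should say that the unset state is tracked outside the string and that the '=' is always present so readers of the value never run past initialised bytes. The unconditional write fits the `namelen + vallen + 2` allocation (name, '=', value, NUL) only if vallen is 0 when val is NULL; that assignment sits above the visible context, so please confirm it or mention it in the commit message. As a style point, the remaining `if (val) { p = mempcpy(p, val, vallen); }` now holds a single statement and could drop its braces if the file's style allows.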