Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 15 Sep 2017 10:17:42 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: posix_spawnp stack overflow/corruption by child when PATH
 is large?

On Thu, Sep 14, 2017 at 03:39:35PM -0500, Will Dietz wrote:
> Hi,
> 
> I believe there is a bug in posix_spawn/execvpe, please take a look and confirm
> or kindly let me know if I'm mistaken and accept my apologies :).
> 
> It looks like __posix_spawnx calls clone() with a 1024-byte stack buffer
> (allocated from its own stack), which is insufficient to handle stack
> allocations performed
> in execvpe which are something around a few bytes more than NAME_MAX+PATH_MAX.
> 
> This path is taken when using posix_spawnp, and the problem exists on
> 1.1.16 and latest git.
> 
> For what it's worth I tracked this down from a crash in 'bison' when
> invoking m4,
> but I've had success reproducing it with the following demo program
> and driver script:
> 
> -------------------------------------------
> #include <spawn.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> 
> extern char **environ;
> 
> int main() {
> 
>   pid_t p;
>   char *argv[] = {"sh", "-c", "echo Hello", NULL};
>   int s, status;
>   s = posix_spawnp(&p, "sh", NULL, NULL, argv, environ);
>   if (s) {
>     perror("posix_spawn");
>     exit(1);
>   }
> 
>   s = waitpid(p, &status, 0);
> 
>   printf("pid: %d, s: %d, status: %d\n", p, s, status);
> 
>   return 0;
> }
> --------------
> 
> And little shell script to create a suitably large PATH (mostly to
> demonstrate what I mean, not for unmodified use):
> ---------------
> #!/bin/sh
> 
> SLASH_100_As="/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
> SUFFIX="/123456789012345678901234567" #1234567890" #1234567890"
> 
> VAR="/bin:$SUFFIX"
> for x in `seq 10`; do
>   VAR="${SLASH_100_As}:$VAR"
> done
> 
> echo $VAR
> echo $VAR|wc -c
> 
> # Works fine with normal PATH
> ~/cur/musl-spawn/test
> ~/cur/musl-spawn/test
> 
> # Crashes when PATH is ~1050 characters
> PATH=$VAR \
> ~/cur/musl-spawn/test
> --------------
> 
> Where "~/cur/musl-spawn/test" is the test program compiled against musl.
> 
> I cannot speak regarding any security implications, but since this may
> grant some measure of stack-scribbling-powers it seems to warrant
> being given brief attention in this context.
> 
> An easy fix is to bump the size of the 'char stack[1024]' in
> src/process/posix_spawn.c to a suitable value-- 8096 is overkill but
> does the trick, for example.
> 
> Please let me know if I'm missing something or if details are not clear.

It's very clear, and this seems pretty serious. 1024+PATH_MAX would
probably be a safe limit. If we care about minimal stack usage when
plain posix_spawn (not spawnp) is called, it could be something like
"exec==execve ? 1024 : 1024+PATH_MAX", perhaps.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.