283d985122
Current posix_spawnp implementation wrongly tries to execute invalid
binaries (for instance script without shebang) as a shell script in
non compat mode. It was a regression introduced by
9ff72da471
when __spawni started to use
__execvpe instead of __execve (glibc __execvpe try to execute ENOEXEC
as shell script regardless).
This patch fixes it by using an internal symbol (__execvpex) with the
faulty semantic (since compat mode is handled by spawni.c itself).
It was reported by Daniel Drake on libc-help [1].
Checked on x86_64-linux-gnu and i686-linux-gnu.
[BZ #23264]
* include/unistd.h (__execvpex): New prototype.
* posix/Makefile (tests): Add tst-spawn4.
(tests-internal): Add tst-spawn4-compat.
* posix/execvpe.c (__execvpe_common, __execvpex): New functions.
* posix/tst-spawn4-compat.c: New file.
* posix/tst-spawn4.c: Likewise.
* sysdeps/unix/sysv/linux/spawni.c (__spawni): Do not interpret invalid
binaries as shell scripts.
* sysdeps/posix/spawni.c (__spawni): Likewise.
[1] https://sourceware.org/ml/libc-help/2018-06/msg00012.html
200 lines
5.9 KiB
C
200 lines
5.9 KiB
C
/* Copyright (C) 1991-2018 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<http://www.gnu.org/licenses/>. */
|
|
|
|
#include <unistd.h>
|
|
#include <stdarg.h>
|
|
#include <stdbool.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <paths.h>
|
|
#include <confstr.h>
|
|
#include <sys/param.h>
|
|
|
|
#ifndef PATH_MAX
|
|
# ifdef MAXPATHLEN
|
|
# define PATH_MAX MAXPATHLEN
|
|
# else
|
|
# define PATH_MAX 1024
|
|
# endif
|
|
#endif
|
|
|
|
/* The file is accessible but it is not an executable file. Invoke
|
|
the shell to interpret it as a script. */
|
|
static void
|
|
maybe_script_execute (const char *file, char *const argv[], char *const envp[])
|
|
{
|
|
ptrdiff_t argc;
|
|
for (argc = 0; argv[argc] != NULL; argc++)
|
|
{
|
|
if (argc == INT_MAX - 1)
|
|
{
|
|
errno = E2BIG;
|
|
return;
|
|
}
|
|
}
|
|
|
|
/* Construct an argument list for the shell based on original arguments:
|
|
1. Empty list (argv = { NULL }, argc = 1 }: new argv will contain 3
|
|
arguments - default shell, script to execute, and ending NULL.
|
|
2. Non empty argument list (argc = { ..., NULL }, argc > 1}: new argv
|
|
will contain also the default shell and the script to execute. It
|
|
will also skip the script name in arguments and only copy script
|
|
arguments. */
|
|
char *new_argv[argc > 1 ? 2 + argc : 3];
|
|
new_argv[0] = (char *) _PATH_BSHELL;
|
|
new_argv[1] = (char *) file;
|
|
if (argc > 1)
|
|
memcpy (new_argv + 2, argv + 1, argc * sizeof(char *));
|
|
else
|
|
new_argv[2] = NULL;
|
|
|
|
/* Execute the shell. */
|
|
__execve (new_argv[0], new_argv, envp);
|
|
}
|
|
|
|
static int
|
|
__execvpe_common (const char *file, char *const argv[], char *const envp[],
|
|
bool exec_script)
|
|
{
|
|
/* We check the simple case first. */
|
|
if (*file == '\0')
|
|
{
|
|
__set_errno (ENOENT);
|
|
return -1;
|
|
}
|
|
|
|
/* Don't search when it contains a slash. */
|
|
if (strchr (file, '/') != NULL)
|
|
{
|
|
__execve (file, argv, envp);
|
|
|
|
if (errno == ENOEXEC && exec_script)
|
|
maybe_script_execute (file, argv, envp);
|
|
|
|
return -1;
|
|
}
|
|
|
|
const char *path = getenv ("PATH");
|
|
if (!path)
|
|
path = CS_PATH;
|
|
/* Although GLIBC does not enforce NAME_MAX, we set it as the maximum
|
|
size to avoid unbounded stack allocation. Same applies for
|
|
PATH_MAX. */
|
|
size_t file_len = __strnlen (file, NAME_MAX) + 1;
|
|
size_t path_len = __strnlen (path, PATH_MAX - 1) + 1;
|
|
|
|
/* NAME_MAX does not include the terminating null character. */
|
|
if ((file_len - 1 > NAME_MAX)
|
|
|| !__libc_alloca_cutoff (path_len + file_len + 1))
|
|
{
|
|
errno = ENAMETOOLONG;
|
|
return -1;
|
|
}
|
|
|
|
const char *subp;
|
|
bool got_eacces = false;
|
|
/* The resulting string maximum size would be potentially a entry
|
|
in PATH plus '/' (path_len + 1) and then the the resulting file name
|
|
plus '\0' (file_len since it already accounts for the '\0'). */
|
|
char buffer[path_len + file_len + 1];
|
|
for (const char *p = path; ; p = subp)
|
|
{
|
|
subp = __strchrnul (p, ':');
|
|
|
|
/* PATH is larger than PATH_MAX and thus potentially larger than
|
|
the stack allocation. */
|
|
if (subp - p >= path_len)
|
|
{
|
|
/* If there is only one path, bail out. */
|
|
if (*subp == '\0')
|
|
break;
|
|
/* Otherwise skip to next one. */
|
|
continue;
|
|
}
|
|
|
|
/* Use the current path entry, plus a '/' if nonempty, plus the file to
|
|
execute. */
|
|
char *pend = mempcpy (buffer, p, subp - p);
|
|
*pend = '/';
|
|
memcpy (pend + (p < subp), file, file_len);
|
|
|
|
__execve (buffer, argv, envp);
|
|
|
|
if (errno == ENOEXEC && exec_script)
|
|
/* This has O(P*C) behavior, where P is the length of the path and C
|
|
is the argument count. A better strategy would be allocate the
|
|
substitute argv and reuse it each time through the loop (so it
|
|
behaves as O(P+C) instead. */
|
|
maybe_script_execute (buffer, argv, envp);
|
|
|
|
switch (errno)
|
|
{
|
|
case EACCES:
|
|
/* Record that we got a 'Permission denied' error. If we end
|
|
up finding no executable we can use, we want to diagnose
|
|
that we did find one but were denied access. */
|
|
got_eacces = true;
|
|
case ENOENT:
|
|
case ESTALE:
|
|
case ENOTDIR:
|
|
/* Those errors indicate the file is missing or not executable
|
|
by us, in which case we want to just try the next path
|
|
directory. */
|
|
case ENODEV:
|
|
case ETIMEDOUT:
|
|
/* Some strange filesystems like AFS return even
|
|
stranger error numbers. They cannot reasonably mean
|
|
anything else so ignore those, too. */
|
|
break;
|
|
|
|
default:
|
|
/* Some other error means we found an executable file, but
|
|
something went wrong executing it; return the error to our
|
|
caller. */
|
|
return -1;
|
|
}
|
|
|
|
if (*subp++ == '\0')
|
|
break;
|
|
}
|
|
|
|
/* We tried every element and none of them worked. */
|
|
if (got_eacces)
|
|
/* At least one failure was due to permissions, so report that
|
|
error. */
|
|
__set_errno (EACCES);
|
|
|
|
return -1;
|
|
}
|
|
|
|
/* Execute FILE, searching in the `PATH' environment variable if it contains
|
|
no slashes, with arguments ARGV and environment from ENVP. */
|
|
int
|
|
__execvpe (const char *file, char *const argv[], char *const envp[])
|
|
{
|
|
return __execvpe_common (file, argv, envp, true);
|
|
}
|
|
weak_alias (__execvpe, execvpe)
|
|
|
|
/* Same as __EXECVPE, but does not try to execute NOEXEC files. */
|
|
int
|
|
__execvpex (const char *file, char *const argv[], char *const envp[])
|
|
{
|
|
return __execvpe_common (file, argv, envp, false);
|
|
}
|