segfault bb_make_directory + dirname with musl
Daniel Sabogal
dsabogalcc at gmail.com
Sun Dec 4 02:45:18 UTC 2016
On Thu, Dec 1, 2016 at 3:13 PM, Daniel Sabogal <dsabogalcc at gmail.com> wrote:
> On Wed, Nov 30, 2016 at 5:52 PM, Denys Vlasenko
> <vda.linux at googlemail.com> wrote:
>> On Wed, Nov 30, 2016 at 3:46 AM, Daniel Sabogal <dsabogalcc at gmail.com> wrote:
>>> The following commands cause busybox to segfault on musl-based systems.
>>>
>>> $ install -D a /
>>> $ install -D a /b
>>> $ install -D a /b/
>>>
>>> This happens because the code in
>>>
>>> https://git.busybox.net/busybox/tree/coreutils/install.c?h=1_25_1#n196
>>>
>>> passes the result of dirname() to bb_make_directory() which modifies its
>>> contents. For paths of the above forms, musl's dirname returns a string
>>> literal "/" which shouldn't be modified.
>>>
>>> See http://git.musl-libc.org/cgit/musl/tree/src/misc/dirname.c
>>>
>>> There are a few other occurrences of the code shown above, but I've not
>>> checked to see if they could be made to segfault.
>>
>> Does this fix the problem?
>>
>>         /* Bypass leading non-'/'s and then subsequent '/'s */
>>         while (*s) {
>>             if (*s == '/') {
>>                 do {
>>                     ++s;
>>                 } while (*s == '/');
>>                 c = *s; /* Save the current char */
>> ====added line==> if (c)
>>                     *s = '\0'; /* and replace it with nul */
>>                 break;
>
> This does prevent the segfault, but I'm not sure if depending on being able to
> modify the result of dirname() is reliable.

https://git.busybox.net/busybox/commit/?id=cf2600c3661c11491a838ef29733583afb6ad968

There are other occurrences of dirname + bb_make_directory that may have
this issue.

The following also segfaults.

$ cp --parents a /
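
An added example, not part of the thread and not BusyBox code: one way to avoid depending on the result of dirname() being writable is to give the in-place walk a heap copy. The names dup_str, writable_dirname and walk_prefixes are hypothetical; walk_prefixes only mimics the loop quoted above, without the "if (c)" guard.

```c
#include <libgen.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)	/* portable strdup() */
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	return p ? memcpy(p, s, n) : NULL;
}

/* Hypothetical helper, not BusyBox code: heap copy of dirname(path).
 * POSIX lets dirname() modify its argument and return static storage,
 * and musl returns the literal "/" for the paths in this thread. */
char *writable_dirname(const char *path)
{
	char *tmp = dup_str(path), *dir;
	if (!tmp)
		return NULL;
	dir = dup_str(dirname(tmp));
	free(tmp);
	return dir;		/* caller may modify it and must free() it */
}

/* Stand-in for the in-place walk quoted in the thread, without the
 * "if (c)" guard: it always writes into the buffer, so the buffer must
 * be writable. Returns how many prefixes a real walk would mkdir(). */
int walk_prefixes(char *path)
{
	char *s = path;
	for (int visited = 1; ; visited++) {
		char c = '\0';
		while (*s) {
			if (*s == '/') {
				do {
					++s;
				} while (*s == '/');
				c = *s;		/* save the current char */
				*s = '\0';	/* unconditional write */
				break;
			}
			++s;
		}
		/* real code would create the directory named by path here */
		if (!c)
			return visited;
		*s = c;			/* restore, go on to the next component */
	}
}
```

Passing dirname()'s return value straight to walk_prefixes would write to the string literal on musl for the "/", "/b" and "/b/" cases; the copy makes the write land in heap memory instead.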