segfault bb_make_directory + dirname with musl
Daniel Sabogal
dsabogalcc at gmail.com
Mon Dec 5 15:00:17 UTC 2016
On Sun, Dec 4, 2016 at 4:43 AM, Denys Vlasenko <vda.linux at googlemail.com> wrote:
> On Sun, Dec 4, 2016 at 3:45 AM, Daniel Sabogal <dsabogalcc at gmail.com> wrote:
>> On Thu, Dec 1, 2016 at 3:13 PM, Daniel Sabogal <dsabogalcc at gmail.com> wrote:
>>> On Wed, Nov 30, 2016 at 5:52 PM, Denys Vlasenko
>>> <vda.linux at googlemail.com> wrote:
>>>> On Wed, Nov 30, 2016 at 3:46 AM, Daniel Sabogal <dsabogalcc at gmail.com> wrote:
>>>>> The following commands cause busybox to segfault on musl-based systems.
>>>>>
>>>>> $ install -D a /
>>>>> $ install -D a /b
>>>>> $ install -D a /b/
>>>>>
>>>>> This happens because the code in
>>>>>
>>>>> https://git.busybox.net/busybox/tree/coreutils/install.c?h=1_25_1#n196
>>>>>
>>>>> passes the result of dirname() to bb_make_directory() which modifies its
>>>>> contents. For paths of the above forms, musl's dirname returns a string
>>>>> literal "/" which shouldn't be modified.
>>>>>
>>>>> See http://git.musl-libc.org/cgit/musl/tree/src/misc/dirname.c
>>>>>
>>>>> There are a few other occurrences of the code shown above, but I've not
>>>>> checked to see if they could be made to segfault.
>>>>
>>>> Does this fix the problem?
>>>>
>>>>     /* Bypass leading non-'/'s and then subsequent '/'s */
>>>>     while (*s) {
>>>>         if (*s == '/') {
>>>>             do {
>>>>                 ++s;
>>>>             } while (*s == '/');
>>>>             c = *s; /* Save the current char */
>>>> ====added line==>  if (c)
>>>>                 *s = '\0'; /* and replace it with nul */
>>>>             break;
>>>
>>> This does prevent the segfault, but I'm not sure if depending on being able to
>>> modify the result of dirname() is reliable.
>>
>> https://git.busybox.net/busybox/commit/?id=cf2600c3661c11491a838ef29733583afb6ad968
>>
>> There are other occurrences of dirname + bb_make_directory that may have
>> this issue.
>>
>> The following also segfaults.
>>
>> $ cp --parents a /
>
> Indeed.
>
> I moved the check into bb_make_directory(), please try now.
I suppose the issue is fixed. The above commands no longer result in a segfault.
Thanks,