This patch restricts the characters you can use in environment variable names passed via execve(2). Note that values are not affected; you're still allowed to pass anything there.
Everything starts fine like before for me as of now, including a couple of daemons and Iridium browser. okay? Or we do want environment variables named in UTF-8? -- WBR, Vadim Zhukov Index: sys/kern/kern_exec.c =================================================================== RCS file: /cvs/src/sys/kern/kern_exec.c,v retrieving revision 1.169 diff -u -p -r1.169 kern_exec.c --- sys/kern/kern_exec.c 10 Oct 2015 14:46:15 -0000 1.169 +++ sys/kern/kern_exec.c 25 Oct 2015 15:32:36 -0000 @@ -270,6 +270,7 @@ sys_execve(struct proc *p, void *v, regi #endif char *pathbuf = NULL; struct vnode *otvp; + unsigned char ch; /* get other threads to stop */ if ((error = single_thread_set(p, SINGLE_UNWIND, 1))) @@ -404,6 +405,25 @@ sys_execve(struct proc *p, void *v, regi error = E2BIG; goto bad; } + /* validate envvar name */ + for (sp = dp; *sp; sp++) { + ch = (unsigned char)*sp; + if (ch == '=') { + if (sp == dp) { + error = EINVAL; + goto bad; + } + goto envname_checked; + } + if ((ch & 0x80) || ch < 32) { + error = EINVAL; + goto bad; + } + } + /* didn't find a '=' */ + error = EINVAL; + goto bad; +envname_checked: dp += len; cpp++; envc++; Index: lib/libc/sys/execve.2 =================================================================== RCS file: /cvs/src/lib/libc/sys/execve.2,v retrieving revision 1.47 diff -u -p -r1.47 execve.2 --- lib/libc/sys/execve.2 11 Oct 2015 09:51:26 -0000 1.47 +++ lib/libc/sys/execve.2 25 Oct 2015 15:32:36 -0000 @@ -290,6 +290,11 @@ to an illegal address. .It Bq Er EINVAL .Fa argv did not contain at least one element. +.It Bq Er EINVAL +.Fa envp +contained variable with forbidden character in its name. +Forbidden characters are control characters (with code 31 and less) and +those with high bit set (non-ASCII ones). .It Bq Er EIO An I/O error occurred while reading from the file system. .It Bq Er ENFILE
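Review bot: In the second kern_exec.c hunk, the test `(ch & 0x80) || ch < 32` lets DEL (0x7f) through, although it is a control character like the ones being rejected, and it also accepts a space (32) inside a name. If the intent is to keep names to printable ASCII, `ch < 32 || ch >= 0x7f` covers both the high-bit range and DEL in one comparison; if DEL and space are meant to be allowed, a word in the `/* validate envvar name */` comment would make that explicit. The new `unsigned char ch;` in the first hunk is only used inside this loop and could be declared closer to it if the surrounding style permits.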
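Review bot: The new EINVAL entry in the execve.2 hunk documents only forbidden characters, but the kernel loop also returns EINVAL in two other cases: when an entry starts with '=' (the `sp == dp` branch, an empty name) and when an entry has no '=' at all (the `/* didn't find a '=' */` path). Both are behaviour changes for callers and should be listed under `.Fa envp` as well. The wording "contained variable with forbidden character in its name" also reads better as "contained a variable with a forbidden character in its name", and "code 31 and less" should match whatever the kernel check finally does with 0x7f.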