[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] progname: don't segfault when argv is NULL
From: |
Jim Meyering |
Subject: |
Re: [PATCH] progname: don't segfault when argv is NULL |
Date: |
Sat, 05 Dec 2009 09:14:25 +0100 |
Bruno Haible wrote:
>> Ok to apply the patch below?
>> Without it, anyone can make nearly any coreutils program segfault
>> with this simple recipe:
>>
>> printf '%s\n' '#include <unistd.h>' 'int main(int c, char**v)' \
>> '{ execve (v[1], 0, 0); }' > k.c && gcc k.c && ./a.out /bin/cat
>>
>> While that usage of execve is in violation of POSIX
>
> One of the purposes of specifications is to avoid redundant checking
> of arguments. Imagine, if strlen, strcpy, etc. would have to handle NULL
> pointers, how many extra conditional statements a CPU would have to
> execute.
Hi Bruno,
If you're convinced it should be like the str* functions,
then I suggest you declare those functions with the "nonnull" attribute.
> It makes sense to be "lenient in what you accept", for example when the
> spec is unclear, or the violation can easily occur without clear programming
> error. But this is not the case here. POSIX's execve spec:
> "The argument arg0 should point to a filename that is associated with
> the process being started by one of the exec functions."
>
> In summary, one can argue for bug-tolerant behaviour, within limits.
> This case here is way off-limits.
"way off-limits"? Yes, I was reluctant to propose this change --
for the same reason you're reluctant to accept it.
Sure, it's annoying, but the compromise would be for a good cause.
The added code is tiny and non-invasive, and would save over 100 known
calling programs from having to add similar code.
I hope you reconsider.
The idea of carrying the identical progname.c.diff patch in 6 different
packages is not appealing. *Everyone* uses set_program_name -- or should.
Why do I care?
Just 3 days ago I received a private report of sleep segfaulting.
Unfortunately, it was not reproducible. I would like to be able
to eliminate set_program_name as a possible point of NULL-dereference.
- [PATCH] progname: don't segfault when argv is NULL, Jim Meyering, 2009/12/04
- Re: [PATCH] progname: don't segfault when argv is NULL, Bruno Haible, 2009/12/04
- Re: [PATCH] progname: don't segfault when argv is NULL, Pádraig Brady, 2009/12/04
- Re: [PATCH] progname: don't segfault when argv is NULL, Eric Blake, 2009/12/04
- Re: [PATCH] progname: don't segfault when argv is NULL,
Jim Meyering <=
- Re: [PATCH] progname: don't segfault when argv is NULL, Jim Meyering, 2009/12/06
- __nonnull__ declarations, Bruno Haible, 2009/12/06
- Re: __nonnull__ declarations, Jim Meyering, 2009/12/07
- Re: __nonnull__ declarations, Bruno Haible, 2009/12/10
- Re: [PATCH] progname: don't segfault when argv is NULL, Bruno Haible, 2009/12/06
- Re: [PATCH] progname: don't segfault when argv is NULL, Jim Meyering, 2009/12/09
- Re: [PATCH] progname: don't segfault when argv is NULL, Bruno Haible, 2009/12/09