Bug 7058 - ash will get a segfault if the expanded pathname length exceeds 2048.
Status: RESOLVED FIXED
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.22.x
Hardware: PC Linux
Importance: P5 minor
Assignee: unassigned
 
Reported: 2014-04-23 20:20 UTC by frank chen
Modified: 2020-01-25 11:28 UTC

Attachments
use 4096 buffer size, and check the expansion before doing it. (566 bytes, application/octet-stream)
2014-04-23 20:20 UTC, frank chen
recheck the code, this seems better (1.13 KB, patch)
2014-04-25 12:40 UTC, frank chen
another check (2.03 KB, patch)
2014-05-19 15:09 UTC, frank chen
here is the correct one (1.57 KB, patch)
2014-05-19 15:17 UTC, frank chen

Description frank chen 2014-04-23 20:20:09 UTC
Created attachment 5360
use 4096 buffer size, and check the expansion before doing it.

The setup:
using perl under ash.

while true; do mkdir `perl -e 'print "A" x 255'`; cd A* || break; done
cd (to the top root directory)

issue:
ls A*/A*/A*/A*/A*/A*/A*/A*/A*  (depth 9, where the pathname is more than 8x256)

The shell will die with a segfault.

I have a fix for us, where our PATH_MAX is 4096.
Comment 1 frank chen 2014-04-25 12:40:39 UTC
Created attachment 5366
recheck the code, this seems better
Comment 2 frank chen 2014-05-19 15:09:07 UTC
Created attachment 5390
another check
Comment 3 frank chen 2014-05-19 15:17:42 UTC
Created attachment 5396
here is the correct one
Comment 4 Ron Yorston 2020-01-25 11:28:01 UTC
Fixed by commit d5f5045b43 (ash: expand: Fix buffer overflow in expandmeta). The first release containing this commit is 1.29.0.
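
The boundary this report hits, as an added example that is not BusyBox's code and not taken from the attached patches or the fixing commit: a bounded append that refuses a component instead of writing past a fixed expansion buffer. `path_append` and `build_nested` are hypothetical names; the 2048 size comes from the bug title and the 255-character names from the reproduction steps.

```c
#include <stdio.h>
#include <string.h>

#define EXPBUF_SIZE 2048 /* fixed size named in the bug title */

/* Hypothetical helper: append name to buf, adding '/' between components.
 * Returns the new length, or -1 if the result plus its NUL would not fit;
 * buf is left untouched on failure. */
static long path_append(char *buf, size_t bufsize, size_t len, const char *name)
{
    size_t nlen = strlen(name), sep = len > 0 ? 1 : 0, room;

    if (len >= bufsize)
        return -1;
    room = bufsize - len - 1;            /* bytes free before the NUL */
    if (sep > room || nlen > room - sep) /* subtract, so nothing can wrap */
        return -1;
    if (sep)
        buf[len++] = '/';
    memcpy(buf + len, name, nlen);
    len += nlen;
    buf[len] = '\0';
    return (long)len;
}

/* Constructed input mirroring the report: depth names of 255 'A's each. */
static long build_nested(char *buf, size_t bufsize, int depth)
{
    char name[256];
    long len = 0;

    if (bufsize == 0)
        return -1;
    memset(name, 'A', 255);
    name[255] = '\0';
    buf[0] = '\0';
    for (int i = 0; i < depth && len >= 0; i++)
        len = path_append(buf, bufsize, (size_t)len, name);
    return len; /* -1: caller reports "path too long" */
}

int main(void)
{
    static char small[EXPBUF_SIZE], big[4096];
    printf("2048, depth 8: %ld\n", build_nested(small, sizeof small, 8));
    printf("2048, depth 9: %ld\n", build_nested(small, sizeof small, 9));
    printf("4096, depth 9: %ld\n", build_nested(big, sizeof big, 9));
    return 0;
}
```

Eight components plus separators and the NUL fill a 2048-byte buffer exactly, so the ninth is the first that cannot fit, which matches the depth in the report.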