On Thu, Dec 1, 2016 at 3:13 PM, Daniel Sabogal <dsaboga...@gmail.com> wrote:
> On Wed, Nov 30, 2016 at 5:52 PM, Denys Vlasenko
> <vda.li...@googlemail.com> wrote:
>> On Wed, Nov 30, 2016 at 3:46 AM, Daniel Sabogal <dsaboga...@gmail.com> wrote:
>>> The following commands cause busybox to segfault on musl-based systems.
>>>
>>> $ install -D a /
>>> $ install -D a /b
>>> $ install -D a /b/
>>>
>>> This happens because the code in
>>>
>>> https://git.busybox.net/busybox/tree/coreutils/install.c?h=1_25_1#n196
>>>
>>> passes the result of dirname() to bb_make_directory() which modifies its
>>> contents. For paths of the above forms, musl's dirname returns a string
>>> literal "/" which shouldn't be modified.
>>>
>>> See http://git.musl-libc.org/cgit/musl/tree/src/misc/dirname.c
>>>
>>> There are a few other occurrences of the code shown above, but I've not
>>> checked to see if they could be made to segfault.
>>
>> Does this fix the problem?
>>
>>         /* Bypass leading non-'/'s and then subsequent '/'s
>> */
>>         while (*s) {
>>             if (*s == '/') {
>>                 do {
>>                     ++s;
>>                 } while (*s == '/');
>>                 c = *s; /* Save the current char */
>> ====added line==> if (c)
>>                 *s = '\0'; /* and
>> replace it with nul */
>>                 break;
>
> This does prevent the segfault, but I'm not sure if depending on being able to
> modify the result of dirname() is reliable.
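
Review bot: the `if (c)` guard in front of `*s = '\0'` skips the store only when the run of slashes ends the string, so it covers a read-only "/" but every longer path is still overwritten in the caller's buffer. The comment "Save the current char" implies a later restore of `c` that is not in the quoted lines; that store needs the same guard, or it will write the terminator of the literal. Handing this loop a private copy of the dirname() result at each call site would remove the dependency on dirname() returning writable storage.
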

https://git.busybox.net/busybox/commit/?id=cf2600c3661c11491a838ef29733583afb6ad968

There are other occurrences of dirname + bb_make_directory that may have
this issue. The following also segfaults.

$ cp --parents a /
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
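
The copy-before-modify alternative to relying on a writable dirname() result, as an added example that is not part of the original thread or of busybox. `walk_prefixes_inplace`, `dup_str` and `visit_parent_dirs` are hypothetical names, and the walker is a constructed stand-in that counts path prefixes instead of creating directories.

```c
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an in-place walker like the loop quoted above: it
 * NUL-terminates each prefix of `path` in turn, so `path` must be writable.
 * It counts the prefixes instead of calling mkdir(). */
static int walk_prefixes_inplace(char *path)
{
    int visited = 0;
    char *s = path, c;
    do {
        while (*s && *s != '/') ++s;  /* skip one component */
        while (*s == '/') ++s;        /* skip the slashes after it */
        c = *s;                       /* save the current char */
        *s = '\0';                    /* store: faults on read-only memory */
        ++visited;                    /* a real walker would mkdir(path) here */
        *s = c;                       /* restore, also a store */
    } while (c);
    return visited;
}

static char *dup_str(const char *src)
{
    size_t n = strlen(src) + 1;
    char *copy = malloc(n);
    return copy ? memcpy(copy, src, n) : NULL;
}

/* Hypothetical caller: prefixes visited for the parent of `file`, -1 on OOM. */
int visit_parent_dirs(const char *file)
{
    char *arg = dup_str(file);         /* dirname() may modify its argument */
    if (!arg) return -1;
    char *dir = dup_str(dirname(arg)); /* result may be a literal or static */
    free(arg);                         /* safe: the result was copied first */
    if (!dir) return -1;
    int n = walk_prefixes_inplace(dir);
    free(dir);
    return n;
}

int main(void)
{
    const char *cases[] = { "/", "/b", "/b/", "/x/y/z" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s -> %d\n", cases[i], visit_parent_dirs(cases[i]));
    return 0;
}
```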