From b1d026a39b71db9ae2b81f3ace5f93db8dfa2202 Mon Sep 17 00:00:00 2001
From: l-pt <88390968+l-pt@users.noreply.github.com>
Date: Fri, 5 Jul 2024 20:01:03 +0200
Subject: [PATCH 1/2] Fix buffer overflows when argv[0] or env variables are longer than PATH_MAX
---
 src/runtime/runtime.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/runtime/runtime.c b/src/runtime/runtime.c
index 5e24191..a19a7af 100644
--- a/src/runtime/runtime.c
+++ b/src/runtime/runtime.c
@@ -1482,10 +1482,18 @@ int main(int argc, char* argv[]) {
 */
 if (getenv("TARGET_APPIMAGE") == NULL) {
 strcpy(appimage_path, "/proc/self/exe");
- strcpy(argv0_path, argv[0]);
+ char *res = memccpy(argv0_path, argv[0], '\0', sizeof(argv0_path));
+ if (res == NULL) {
+ fprintf(stderr, "Program name too big\n");
+ exit(EXIT_EXECERROR);
+ }
 } else {
- strcpy(appimage_path, getenv("TARGET_APPIMAGE"));
- strcpy(argv0_path, getenv("TARGET_APPIMAGE"));
+ char *res1 = memccpy(appimage_path, getenv("TARGET_APPIMAGE"), '\0', sizeof(appimage_path));
+ char *res2 = memccpy(argv0_path, getenv("TARGET_APPIMAGE"), '\0', sizeof(argv0_path));
+ if (res1 == NULL || res2 == NULL) {
+ fprintf(stderr, "TARGET_APPIMAGE environment variable too big\n");
+ exit(EXIT_EXECERROR);
+ }
 }
 // temporary directories are required in a few places
@@ -1494,8 +1502,13 @@ int main(int argc, char* argv[]) {
 {
 const char* const TMPDIR = getenv("TMPDIR");
- if (TMPDIR != NULL)
- strcpy(temp_base, getenv("TMPDIR"));
+ if (TMPDIR != NULL) {
+ char *res = memccpy(temp_base, TMPDIR, '\0', sizeof(temp_base));
+ if (res == NULL) {
+ fprintf(stderr, "TMPDIR environemnt variable too big\n");
+ exit(EXIT_EXECERROR);
+ }
+ }
 }
 fs_offset = appimage_get_elf_size(appimage_path);
From 52cea7380faaa5f463437a6ca440a8dbb1504a5d Mon Sep 17 00:00:00 2001
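Review bot: In PATCH 1/2's first hunk (`@@ -1482,10 +1482,18 @@`) `argv[0]` is handed to `memccpy` without a NULL check, and the C standard allows `argc` to be 0, in which case `argv[0]` is a null pointer and the copy dereferences it. A guard ahead of the copy, `if (argc < 1 || argv[0] == NULL)`, that prints a message and exits with `EXIT_EXECERROR` like the neighbouring branches would close that gap. The same unguarded copy is kept as a context line in the second hunk of PATCH 2/2. `main` starts and continues outside the hunk.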
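Review bot: In PATCH 1/2's second hunk (`@@ -1494,8 +1502,13 @@`) the new check only proves that TMPDIR fits `temp_base` on its own. A value of up to PATH_MAX-1 bytes passes, so any later code that appends a file or directory name to `temp_base` into another PATH_MAX-sized buffer still needs its own length check; that code is outside this hunk and not visible here. The added message is also misspelled and should read `fprintf(stderr, "TMPDIR environment variable too big\n");`. The enclosing block of `main` extends beyond the hunk.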
From: l-pt <88390968+l-pt@users.noreply.github.com>
Date: Mon, 8 Jul 2024 23:23:24 +0200
Subject: [PATCH 2/2] Extract TARGET_APPIMAGE variable, initialize argv0_path to avoid strcpy
---
 src/runtime/runtime.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/runtime/runtime.c b/src/runtime/runtime.c
index a19a7af..7e44e70 100644
--- a/src/runtime/runtime.c
+++ b/src/runtime/runtime.c
@@ -1470,7 +1470,7 @@ int main(int argc, char* argv[]) {
 fprintf(stderr, "Running in verbose mode\n");
 }
- char appimage_path[PATH_MAX];
+ char appimage_path[PATH_MAX] = "/proc/self/exe";
 char argv0_path[PATH_MAX];
 char* arg;
@@ -1480,16 +1480,16 @@ int main(int argc, char* argv[]) {
 * change any time. Do not rely on it being present. We might even limit this
 * functionality specifically for builds used by appimaged.
 */
- if (getenv("TARGET_APPIMAGE") == NULL) {
- strcpy(appimage_path, "/proc/self/exe");
+ const char* const TARGET_APPIMAGE = getenv("TARGET_APPIMAGE");
+ if (TARGET_APPIMAGE == NULL) {
 char *res = memccpy(argv0_path, argv[0], '\0', sizeof(argv0_path));
 if (res == NULL) {
 fprintf(stderr, "Program name too big\n");
 exit(EXIT_EXECERROR);
 }
 } else {
- char *res1 = memccpy(appimage_path, getenv("TARGET_APPIMAGE"), '\0', sizeof(appimage_path));
- char *res2 = memccpy(argv0_path, getenv("TARGET_APPIMAGE"), '\0', sizeof(argv0_path));
+ char *res1 = memccpy(appimage_path, TARGET_APPIMAGE, '\0', sizeof(appimage_path));
+ char *res2 = memccpy(argv0_path, TARGET_APPIMAGE, '\0', sizeof(argv0_path));
 if (res1 == NULL || res2 == NULL) {
 fprintf(stderr, "TARGET_APPIMAGE environment variable too big\n");
 exit(EXIT_EXECERROR);
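Review bot: In PATCH 2/2's first hunk (`@@ -1470,7 +1470,7 @@`) the default moved into the initializer of `appimage_path` carries no comment, while `argv0_path` on the next line stays uninitialized and is only safe because both branches further down either fill it or exit. A short comment such as `// default: the runtime's own executable; replaced below when TARGET_APPIMAGE is set` on the initializer, plus `// written by both branches of the TARGET_APPIMAGE check below` on `argv0_path`, would keep that dependency visible to the next editor. The array initialized here is `appimage_path`, so a reader looking for an initialized `argv0_path` will not find one.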