NetBSD-Bugs archive


Re: bin/55979 (sh single quotes removes nul characters)



This could be a memory corruption issue. /bin/sh behaves unpredictably when it encounters nul characters inside single quotes. Sometimes scripts that do this will work and sometimes they don't. When they don't work it'll usually print garbled data:

    -bash-5.0# sh
    netbsd# ./hello.com
    ./hello.com: r���PQ������1۰��YXr�ƃ�: not found
    ./hello.com: xec: not found
    ./hello.com: 6: Syntax error: "else" unexpected

ktrace reveals that $PATH search uses clobbered memory after parsing a single quoted string with NUL characters:

    ktrace sh -c ./hello.com
    kdump -f ktrace.out
     11172      1 sh       CALL  read(0xc,0x11f62e180,0x3f8)
     11172      1 sh       GIO   fd 12 read 1016 bytes
           "MZqFpD='\n\0\0\^P\0\M-x\0\0\0... etc.
            \M-L\M-{\^N\^_\M-h\0\0^\M^A\M... etc.
            \0U\M-*'\n#'\"\no=\"$(command -v \"... etc.
     11172      1 sh       RET   read 1016/0x3f8
     11172      1 sh       CALL  mmap(0,0x1000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
     11172      1 sh       RET   mmap 126131311058944/0x72b73bfda000
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/root/bin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory
     11172      1 sh       CALL  __stat50(0x11f62e7f0,0x7f7fffbbe840)
     11172      1 sh       NAMI  "/usr/sbin/r���PQ<86>�����1۰^A�^B�^SYXr^]<8C>�<83>�"
     11172      1 sh       RET   __stat50 -1 errno 2 No such file or directory

Can we fix this?

I misdiagnosed the issue earlier. Please disregard what I said about needing NULs in strings. I don't care if NUL is filtered out. What I need is for the shell to safely ignore binary data inside single quotes. For more background on this executable format, see the following screenshot https://justine.lol/apeheader.png and the design doc https://justine.lol/ape.html

As for execve() + ENOEXEC safety restrictions, I have no opinion or need for those.
If NetBSD wants to implement them, then I'd recommend doing what FreeBSD did:
check that a line exists before the first NUL character containing a lowercase letter.
APE binaries always start with "MZqFpD=\n" so it won't impact this use case. See:
https://github.com/freebsd/freebsd-src/commit/e0f5c1387df23c8c4811f5b24a7ef6ecac51a71a
https://github.com/jart/zsh/commit/94a4bc14bb2e415ec3d10cf716512bd3e0d99f48

On Sun, Feb 7, 2021 at 3:20 AM Robert Elz <kre%munnari.oz.au@localhost> wrote:
The following reply was made to PR bin/55979; it has been noted by GNATS.

From: Robert Elz <kre%munnari.OZ.AU@localhost>
To: Christos Zoulas <christos%zoulas.com@localhost>
Cc: gnats-bugs%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,
        jtunney%gmail.com@localhost
Subject: Re: bin/55979 (sh single quotes removes nul characters)
Date: Sun, 07 Feb 2021 18:15:03 +0700

     Date:        Sat, 6 Feb 2021 21:13:47 -0500
     From:        Christos Zoulas <christos%zoulas.com@localhost>
     Message-ID:  <07BE2947-3B90-463F-B8D9-532A15FA0FED%zoulas.com@localhost>

   | Weird, it seems to be working for me.
   |
   | $ ./hello.com
   | hello world

 That works, Justine said it was working on NetBSD, what doesn't
 work is "sh hello.com" which I think is what is wanted.

 Justine, to change the shell we'd need a different heuristic that
 works as well, or at least close to it, to avoid executing files
 that should not be executed.   And support from the users.

 kre
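The ENOEXEC heuristic referred to above (check that a line exists before the first NUL that contains a lowercase letter) as an added example for this page; it is not the NetBSD, FreeBSD or zsh source, and the function name, the 256-byte prefix and the sample inputs are all my own assumptions. It decides whether a buffer should be handed to the script parser at all, which is the trust boundary the heuristic is meant to protect; an ELF image fails because a NUL appears before any newline, while an APE file passes on its first line "MZqFpD='" alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * looks_like_script: return true only if, before the first NUL byte, the
 * buffer contains a line with at least one lowercase ASCII letter.
 * A line is closed by '\n'; if the buffer ends without any NUL, the last
 * unterminated line also counts (assumption: we were given the whole
 * prefix of a text file).  Any NUL reached before a qualifying line has
 * been closed rejects the file.
 */
bool looks_like_script(const unsigned char *buf, size_t len)
{
    bool has_lower = false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];

        if (c == '\0')
            return false;          /* binary data before a text line ended */

        if (c == '\n') {
            if (has_lower)
                return true;       /* complete line with a lowercase letter */
            has_lower = false;     /* start scanning the next line */
        } else if (c >= 'a' && c <= 'z') {
            has_lower = true;
        }
    }
    return has_lower;              /* no NUL seen: trailing line decides */
}

/*
 * script_verdict_for_file: read up to 256 bytes (assumed prefix size) and
 * apply the heuristic.  Returns 1 for "treat as script", 0 for "refuse",
 * -1 if the file cannot be opened.
 */
int script_verdict_for_file(const char *path)
{
    unsigned char prefix[256];
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -1;
    size_t n = fread(prefix, 1, sizeof prefix, fp);
    fclose(fp);
    return looks_like_script(prefix, n) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed samples: an APE-style header, an ELF header, a script. */
    static const unsigned char ape[] = "MZqFpD='\n\0\0";
    static const unsigned char elf[] = "\x7f" "ELF" "\002\001\001\000\000";
    static const unsigned char sh[]  = "#!/bin/sh\necho hi\n";

    printf("ape sample: %s\n", looks_like_script(ape, sizeof ape - 1) ? "script" : "refuse");
    printf("elf sample: %s\n", looks_like_script(elf, sizeof elf - 1) ? "script" : "refuse");
    printf("sh sample:  %s\n", looks_like_script(sh, sizeof sh - 1) ? "script" : "refuse");

    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], script_verdict_for_file(argv[i]));
    return 0;
}
```

This only gates what reaches the parser; it does not change how single-quoted NUL bytes are handled once a file has been accepted as a script, which is the separate request in the message above.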


