The first invalid read with symbols installed:

==487880== Invalid read of size 1
==487880==    at 0x532A306: strlen (vg_replace_strmem.c:506)
==487880==    by 0x41C323C: runtime (c_str.rs:745)
==487880==    by 0x41C323C: strlen (mod.rs:2449)
==487880==    by 0x41C323C: from_ptr (c_str.rs:256)
==487880==    by 0x41C323C: linux_execfn (auxv.rs:100)
==487880==    by 0x41C323C: linux_execfn (auxv.rs:109)
==487880==    by 0x41C323C: binary_path<core::iter::adapters::cloned::Cloned<core::slice::iter::Iter<std::ffi::os_str::OsString>>> (validation.rs:92)
==487880==    by 0x41C323C: coreutils::main (coreutils.rs:57)
==487880==    by 0x417E2C6: call_once<fn(), ()> (function.rs:250)
==487880==    by 0x417E2C6: std::sys::backtrace::__rust_begin_short_backtrace (backtrace.rs:160)
==487880==    by 0x417E215: std::rt::lang_start::{{closure}} (rt.rs:206)
==487880==    by 0x4318F5C: call_once<(), (dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (function.rs:287)
==487880==    by 0x4318F5C: do_call<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panicking.rs:581)
==487880==    by 0x4318F5C: catch_unwind<i32, &(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe)> (panicking.rs:544)
==487880==    by 0x4318F5C: catch_unwind<&(dyn core::ops::function::Fn<(), Output=i32> + core::marker::Sync + core::panic::unwind_safe::RefUnwindSafe), i32> (panic.rs:359)
==487880==    by 0x4318F5C: {closure#0} (rt.rs:175)
==487880==    by 0x4318F5C: do_call<std::rt::lang_start_internal::{closure_env#0}, isize> (panicking.rs:581)
==487880==    by 0x4318F5C: catch_unwind<isize, std::rt::lang_start_internal::{closure_env#0}> (panicking.rs:544)
==487880==    by 0x4318F5C: catch_unwind<std::rt::lang_start_internal::{closure_env#0}, isize> (panic.rs:359)
==487880==    by 0x4318F5C: std::rt::lang_start_internal (rt.rs:171)
==487880==    by 0x417E203: std::rt::lang_start (rt.rs:205)
==487880==    by 0x54C58C0: (below main) (libc_start_call_main.h:59)
==487880==  Address 0x7fffe76cbfcd is not stack'd, malloc'd or (recently) free'd


The corresponding code in rustix/src/backend/linux_raw/param/auxv.rs:98-100:

    // SAFETY: We assume the `AT_EXECFN` value provided by the kernel is a
    // valid pointer to a valid NUL-terminated array of bytes.
    unsafe { CStr::from_ptr(execfn.cast()) }

Valgrind seems to incorrectly manipulate that value (which is not a
sized string) so that it contains a string without a 0 byte or is not
properly initialized.
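A minimal C reproducer, added here and not part of the bug report or of rustix, that reads the same AT_EXECFN auxiliary-vector entry the rustix code above reads, but checks for the NUL terminator with a bounded memchr instead of an unbounded strlen. Running it under Valgrind shows whether the "Invalid read" depends on the Rust side at all; EXECFN_MAX is an assumed bound chosen for this example, not a value from the page.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_EXECFN */

/* Assumed upper bound on the AT_EXECFN string; not from the bug report. */
#define EXECFN_MAX 4096

/* Length of the NUL-terminated string at p if the terminator lies within
 * the first max bytes, otherwise -1. memchr stops at the first NUL, so no
 * more than max bytes are ever read, unlike strlen on an untrusted pointer. */
long bounded_cstr_len(const char *p, size_t max) {
    if (p == NULL)
        return -1;
    const char *nul = memchr(p, '\0', max);
    return nul ? (long)(nul - p) : -1;
}

/* Reads AT_EXECFN (the kernel-supplied path of the running executable, the
 * same value rustix's linux_execfn wraps in CStr::from_ptr) and validates it.
 * Returns the string length, or -1 if the entry is absent or unterminated
 * within EXECFN_MAX bytes. */
long execfn_len(void) {
    const char *execfn = (const char *)getauxval(AT_EXECFN);
    return bounded_cstr_len(execfn, EXECFN_MAX);
}

int main(void) {
    long n = execfn_len();
    if (n < 0) {
        puts("AT_EXECFN missing or not NUL-terminated within EXECFN_MAX");
        return 1;
    }
    printf("AT_EXECFN (%ld bytes): %s\n", n, (const char *)getauxval(AT_EXECFN));
    return 0;
}
```

Compile with `gcc -g -O0` and run under `valgrind ./a.out`; if Valgrind flags the memchr here too, the report concerns how it maps the kernel-placed string above the auxv, not the Rust wrapper.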

https://bugs.launchpad.net/bugs/2154651

Title:
  memory corruption in /usr/bin/env
