From 1303a4a4517260def862ce7fe97e6b28dd8005e1 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Mon, 11 May 2015 22:21:31 +0200
Subject: daemon: Fix possible use-after-free.

This is essentially a backport of
<https://github.com/NixOS/nix/commit/f52b6c944e90b3e35925122779175705fdc02e12>
by Eelco Dolstra <eelco.dolstra@logicblox.com>.

The use-after-free bug would typically manifest when building with
GCC 5.1.
---
 nix/libutil/util.cc | 20 ++++++++++++++------
 nix/libutil/util.hh |  5 +++++
 2 files changed, 19 insertions(+), 6 deletions(-)

(limited to 'nix/libutil')

diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
index 846674a29d..024cea83d1 100644
--- a/nix/libutil/util.cc
+++ b/nix/libutil/util.cc
@@ -852,16 +852,20 @@ void killUser(uid_t uid)
 //////////////////////////////////////////////////////////////////////
 
 
+std::vector<const char *> stringsToCharPtrs(const Strings & ss)
+{
+    std::vector<const char *> res;
+    foreach (Strings::const_iterator, i, ss)
+        res.push_back(i->c_str());
+    res.push_back(0);
+    return res;
+}
+
+
 string runProgram(Path program, bool searchPath, const Strings & args)
 {
     checkInterrupt();
 
-    std::vector<const char *> cargs; /* careful with c_str()! */
-    cargs.push_back(program.c_str());
-    for (Strings::const_iterator i = args.begin(); i != args.end(); ++i)
-        cargs.push_back(i->c_str());
-    cargs.push_back(0);
-
     /* Create a pipe. */
     Pipe pipe;
     pipe.create();
@@ -880,6 +884,10 @@ string runProgram(Path program, bool searchPath, const Strings & args)
             if (dup2(pipe.writeSide, STDOUT_FILENO) == -1)
                 throw SysError("dupping stdout");
 
+	    Strings args_(args);
+	    args_.push_front(program);
+	    auto cargs = stringsToCharPtrs(args_);
+
             if (searchPath)
                 execvp(program.c_str(), (char * *) &cargs[0]);
             else
diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
index ce2d77c19a..a70981877b 100644
--- a/nix/libutil/util.hh
+++ b/nix/libutil/util.hh
@@ -257,6 +257,11 @@ void killUser(uid_t uid);
 string runProgram(Path program, bool searchPath = false,
     const Strings & args = Strings());
 
+/* Convert a list of strings to a null-terminated vector of char
+   *'s. The result must not be accessed beyond the lifetime of the
+   list of strings. */
+std::vector<const char *> stringsToCharPtrs(const Strings & ss);
+
 /* Close all file descriptors except stdin, stdout, stderr, and those
    listed in the given set.  Good practice in child processes. */
 void closeMostFDs(const set<int> & exceptions);
-- 
cgit v1.2.3