| 1 |
On 5/26/20 1:43 AM, Alec Warner wrote: |
| 2 |
> On Mon, May 25, 2020 at 9:34 PM Zac Medico <zmedico@g.o |
| 3 |
> <mailto:zmedico@g.o>> wrote: |
| 4 |
> |
| 5 |
> Since variables like A and AA can contain extremely large values which |
| 6 |
> may trigger E2BIG errors during attempts to execute subprocesses, delay |
| 7 |
> export until the last moment, and unexport when appropriate. |
| 8 |
> |
| 9 |
> |
| 10 |
> So I think if you want to do this because PMS says: |
| 11 |
> AA should not be visible in EAPI > 3. |
| 12 |
> A should only be visible in src_*, pkg_nofetch. |
| 13 |
> |
| 14 |
> That part of the patch makes sense to me. The part that is confusing to |
| 15 |
> me is the 'delay' part; can you explain that further? When you say |
| 16 |
> "delay until the last moment" what do you mean by that and what value is |
| 17 |
> it delivering? |
| 18 |
|
| 19 |
If we export an environment variable which contains an extremely large |
| 20 |
value, then there's a vulnerability in execve which causes it to fail |
| 21 |
with an E2BIG error. Since A and AA values can easily grow large enough |
| 22 |
to trigger this vulnerability, portage can protect itself from execve |
| 23 |
failures by delaying the export until the moment that it hands control |
| 24 |
to the ebuild phase. |
| 25 |
|
| 26 |
> Is it simply that we don't export these variables on the python side, |
| 27 |
> and we only use them in the shell portion? |
| 28 |
|
| 29 |
That's correct. Here's a test case which demonstrates the E2BIG error, |
| 30 |
and shows that 'export -n A' can suppress it: |
| 31 |
|
| 32 |
$ A=$(dd if=/dev/zero bs=1M count=1 | tr '\0' ' ') |
| 33 |
10+0 records in |
| 34 |
10+0 records out |
| 35 |
10485760 bytes (10 MB, 10 MiB) copied, 0.086557 s, 121 MB/s |
| 36 |
$ echo ${#A} |
| 37 |
10485760 |
| 38 |
$ export A |
| 39 |
$ ls |
| 40 |
bash: /bin/ls: Argument list too long |
| 41 |
$ export -n A |
| 42 |
$ /bin/echo hello world |
| 43 |
hello world |
| 44 |
|
| 45 |
-- |
| 46 |
Thanks, |
| 47 |
Zac |
Archives