Stop at the first `NULL` argument when iterating `argv` by sdroege · Pull Request #106001 · rust-lang/rust

sdroege · 2022-12-21T14:05:56Z

Some C commandline parsers (e.g. GLib and Qt) are replacing already handled arguments in argv with NULL and move them to the end. That means that argc might be bigger than the actual number of non-NULL pointers in argv at this point.

To handle this we simply stop iterating at the first NULL argument.

argv is also guaranteed to be NULL-terminated so any non-NULL arguments after the first NULL can safely be ignored.

Fixes #105999

rustbot · 2022-12-21T14:06:04Z

r? @joshtriplett

(rustbot has picked a reviewer for you, use r? to override)

rustbot · 2022-12-21T14:06:06Z

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

Stabilizing library features
Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
Changing public documentation in ways that create new stability guarantees
Changing observable runtime behavior of library APIs

library/std/src/sys/unix/args.rs

Some C commandline parsers (e.g. GLib and Qt) are replacing already handled arguments in `argv` with `NULL` and move them to the end. That means that `argc` might be bigger than the actual number of non-`NULL` pointers in `argv` at this point. To handle this we simply stop iterating at the first `NULL` argument. `argv` is also guaranteed to be `NULL`-terminated so any non-`NULL` arguments after the first `NULL` can safely be ignored. Fixes rust-lang#105999

sdroege · 2023-01-25T21:21:14Z

Is there anything I can help to move this forward? It would be great if this wouldn't cause crashes anymore 😅

sdroege · 2023-02-06T11:25:56Z

@joshtriplett As this basically implements what you suggested in the issues and this is assigned to you for review, is there anything I can help with to get this reviewed faster?

RalfJung · 2023-02-10T14:28:48Z

Might be worth re-rolling the reviewer dice.

r? libs

ChrisDenton · 2023-02-10T23:52:37Z

Code looks good to me. I happy to accept this given this is a potential safety issue (or at least this PR is better than crashing). And josh's opinion that it's a perfectly valid way to parse argv:

To the best of my knowledge, it's completely valid to parse argv by stopping at the first NULL; if an argument parser is replacing an argument with NULL, it should not expect that arguments after that point will be seen. I've seen plenty of C programs that just do for (char **arg = argv; *arg; arg++) or equivalent.

Argument parsers mutating argv sounds like a very dicey situation and Rust's std should play it safe.

@bors r+

bors · 2023-02-10T23:52:39Z

📌 Commit e97203c has been approved by ChrisDenton

It is now in the queue for this repository.

Rollup of 9 pull requests Successful merges: - rust-lang#105019 (Add parentheses properly for borrowing suggestion) - rust-lang#106001 (Stop at the first `NULL` argument when iterating `argv`) - rust-lang#107098 (Suggest function call on pattern type mismatch) - rust-lang#107490 (rustdoc: remove inconsistently-present sidebar tooltips) - rust-lang#107855 (Add a couple random projection tests for new solver) - rust-lang#107857 (Add ui test for implementation on projection) - rust-lang#107878 (Clarify `new_size` for realloc means bytes) - rust-lang#107888 (revert rust-lang#107074, add regression test) - rust-lang#107900 (Zero the `REPARSE_MOUNTPOINT_DATA_BUFFER` header) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup

sdroege · 2023-02-11T17:48:16Z

Can this also be backported to beta so it ends up in 1.68?

RalfJung · 2023-02-11T17:49:24Z

We usually only backport regression fixes I think. @Mark-Simulacrum do you think this qualifies for a backport?

Mark-Simulacrum · 2023-02-11T20:49:38Z

It's up to T-libs, but I would lean towards no. We land bugfixes routinely and don't typically backport them. This is a soundness fix I guess, but only in edge cases, so I don't think it should merit special consideration.

RalfJung · 2023-02-11T20:53:35Z

@rust-lang/libs should this be backported to beta?

ChrisDenton · 2023-02-12T01:28:22Z

I've added the "beta-nominated" label to make sure it gets discussed. This will indeed need t-libs sign off before being accepted (or not).

Do it like rust-lang/rust#106001

rustbot assigned joshtriplett Dec 21, 2022

rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Dec 21, 2022

sdroege mentioned this pull request Dec 21, 2022

glibc .init_array usage for std::env::args is not safe #105999

Closed

bjorn3 reviewed Dec 21, 2022

View reviewed changes

library/std/src/sys/unix/args.rs Outdated Show resolved Hide resolved

sdroege force-pushed the glibc-skip-over-null-argv branch from 18e14d5 to ec1c6cf Compare December 21, 2022 15:40

sdroege force-pushed the glibc-skip-over-null-argv branch from ec1c6cf to e97203c Compare December 23, 2022 07:34

sdroege changed the title ~~Skip over NULL arguments on Linux/glibc when iterating argv~~ Stop at the first NULL argument when iterating argv Dec 23, 2022

rustbot assigned thomcc and unassigned joshtriplett Feb 10, 2023

bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Feb 10, 2023

Dylan-DPC mentioned this pull request Feb 11, 2023

Rollup of 9 pull requests #107919

Merged

bors merged commit 0e8f0b0 into rust-lang:master Feb 11, 2023

rustbot added this to the 1.69.0 milestone Feb 11, 2023

sdroege deleted the glibc-skip-over-null-argv branch February 11, 2023 17:47

ChrisDenton added the beta-nominated Nominated for backporting to the compiler in the beta channel. label Feb 12, 2023

m-ou-se removed the beta-nominated Nominated for backporting to the compiler in the beta channel. label Feb 22, 2023

unknowndevQwQ added a commit to unknowndevQwQ/killmyargv that referenced this pull request Feb 7, 2024

fix: iterating stop at the first NULL argument

b10937f

Do it like rust-lang/rust#106001

madsmtm mentioned this pull request May 19, 2024

Use functions from crt_externs.h on iOS/tvOS/watchOS/visionOS #125225

Merged

dtolnay mentioned this pull request Aug 19, 2025

Look for args set to null by a C library dtolnay/argv#21

Merged

Uh oh!

Conversation

sdroege commented Dec 21, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rustbot commented Dec 21, 2022

Uh oh!

rustbot commented Dec 21, 2022

Uh oh!

Uh oh!

sdroege commented Jan 25, 2023

Uh oh!

sdroege commented Feb 6, 2023

Uh oh!

RalfJung commented Feb 10, 2023

Uh oh!

ChrisDenton commented Feb 10, 2023

Uh oh!

bors commented Feb 10, 2023

Uh oh!

sdroege commented Feb 11, 2023

Uh oh!

RalfJung commented Feb 11, 2023

Uh oh!

Mark-Simulacrum commented Feb 11, 2023

Uh oh!

RalfJung commented Feb 11, 2023

Uh oh!

ChrisDenton commented Feb 12, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants

sdroege commented Dec 21, 2022 •

edited

Loading