[perl #123748] Calls to getenv are buggy in core C code
From: karl williamson
Date: February 5, 2015 22:31
Subject: [perl #123748] Calls to getenv are buggy in core C code
Message ID: rt-4.0.18-8318-1423175500-1922.123748-75-0@perl.org
# New Ticket Created by karl williamson
# Please include the string: [perl #123748]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=123748 >
This is a bug report for perl from khw@khw,
generated with the help of perlbug 1.40 running under perl 5.20.1.
-----------------------------------------------------------------
A bug that is showing up in os390 appears to be caused by a general
problem. Calls to libc getenv() return a pointer to static storage
in libc. That storage can be overwritten by another call to one of the
environment handling functions, including getenv. If you do
something like

    s = PerlEnv_getenv("PERL5OPT")

and then parse 's', 's' could be corrupted by any other call to one of
the C environment routines, including a getenv. One might not expect
that a read access to the environment would destroy something else, but
it could. There are a bunch of these in the core. In the example
above, from perl.c, while parsing, it can call moreswitches(), which
actually does a putenv() in some circumstances. I haven't investigated
to see if the flow actually permits this to happen, but if not, it's
just by luck.

If the result of a getenv is saved for later use, it should be copied,
savepv(), or else the results are undefined.

The core should be audited for occurrences of this issue.

Thanks to ilmari and alh for discussing this with me on #p5p
-----------------------------------------------------------------
---
Flags:
category=core
severity=high
---
Site configuration information for perl 5.21.9:
Configured by khw at Thu Feb 5 08:31:14 MST 2015.
Summary of my perl5 (revision 5 version 21 subversion 9) configuration:
Commit id: a9b5431bbad036dcb9773ff97b10a02d6cf706a0
Platform:
osname=linux, osvers=3.16.0-30-generic,
archname=x86_64-linux-thread-multi-ld
uname='linux khw 3.16.0-30-generic #40-ubuntu smp mon jan 12
22:06:37 utc 2015 x86_64 x86_64 x86_64 gnulinux '
config_args='-des -Uversiononly -Dprefix=/home/khw/blead -Dusedevel
-D'optimize=-ggdb3' -A'optimize=-ggdb3' -A'optimize=-O0'
-Accflags='-DPERL_BOOL_AS_CHAR' -Dman1dir=none -Dman3dir=none
-DDEBUGGING -Dcc=g++ -Dusemorebits -Dusethreads'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
use64bitint=define, use64bitall=define, uselongdouble=define
usemymalloc=n, bincompat5005=undef
Compiler:
cc='g++', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DPERL_BOOL_AS_CHAR
-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-D_FORTIFY_SOURCE=2',
optimize=' -ggdb3 -O0',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DPERL_BOOL_AS_CHAR -fwrapv
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong
-I/usr/local/include'
ccversion='', gccversion='4.9.1', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define,
longdblsize=16, longdblkind=3
ivtype='long', ivsize=8, nvtype='long double', nvsize=16,
Off_t='off_t', lseeksize=8
alignbytes=16, prototype=define
Linker and Libraries:
ld='g++', ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/include/c++/4.9 /usr/include/x86_64-linux-gnu/c++/4.9
/usr/include/c++/4.9/backward /usr/local/lib
/usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.19'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -ggdb3 -ggdb3 -O0
-L/usr/local/lib -fstack-protector-strong'
---
@INC for perl 5.21.9:
/home/khw/blead/lib/perl5/site_perl/5.21.9/x86_64-linux-thread-multi-ld
/home/khw/blead/lib/perl5/site_perl/5.21.9
/home/khw/blead/lib/perl5/5.21.9/x86_64-linux-thread-multi-ld
/home/khw/blead/lib/perl5/5.21.9
/home/khw/blead/lib/perl5/site_perl/5.21.8
/home/khw/blead/lib/perl5/site_perl/5.21.7
/home/khw/blead/lib/perl5/site_perl/5.21.6
/home/khw/blead/lib/perl5/site_perl/5.21.5
/home/khw/blead/lib/perl5/site_perl/5.21.4
/home/khw/blead/lib/perl5/site_perl/5.21.3
/home/khw/blead/lib/perl5/site_perl/5.21.2
/home/khw/blead/lib/perl5/site_perl/5.21.1
/home/khw/blead/lib/perl5/site_perl/5.20.0
/home/khw/blead/lib/perl5/site_perl/5.19.12
/home/khw/blead/lib/perl5/site_perl/5.19.11
/home/khw/blead/lib/perl5/site_perl/5.19.10
/home/khw/blead/lib/perl5/site_perl
.
---
Environment for perl 5.21.9:
HOME=/home/khw
LANG=en_US.UTF-8
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/khw/bin:/home/khw/perl5/perlbrew/bin:/home/khw/print/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games:/usr/local/games:/home/khw/cxoffice/bin
PERL5OPT=-w
PERL_BADLANG (unset)
PERL_POD_PEDANTIC=1
SHELL=/bin/ksh
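
The failure mode reported above, as an added example that is not part of the original report or of the perl source. It assumes a libc whose getenv() reuses one static buffer, modelled here by the hypothetical static_getenv(); DEMO_OPT and DEMO_OTHER are constructed variables, and strdup() stands in for perl's savepv().

```c
#define _POSIX_C_SOURCE 200809L   /* setenv(), strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a libc whose getenv() hands back one static
 * buffer that every later call reuses (ISO C permits this). */
static const char *static_getenv(const char *name)
{
    static char buf[256];
    const char *v = getenv(name);
    if (v == NULL)
        return NULL;
    snprintf(buf, sizeof buf, "%s", v);
    return buf;
}

/* Constructed sample environment for the demonstration. */
static void demo_env(void)
{
    setenv("DEMO_OPT", "-w", 1);
    setenv("DEMO_OTHER", "unrelated", 1);
}

/* Buggy pattern: hold the pointer across another environment call.
 * Returns 1 when the held string no longer reads "-w". */
int stale_pointer_is_clobbered(void)
{
    demo_env();
    const char *s = static_getenv("DEMO_OPT");
    (void)static_getenv("DEMO_OTHER");   /* a read-only lookup */
    return s != NULL && strcmp(s, "-w") != 0;
}

/* Fixed pattern: take a private copy before any other environment call.
 * Returns 1 when the copy still reads "-w". */
int private_copy_survives(void)
{
    demo_env();
    const char *v = static_getenv("DEMO_OPT");
    char *s = v ? strdup(v) : NULL;      /* perl core: savepv() */
    if (s == NULL)
        return 0;
    (void)static_getenv("DEMO_OTHER");
    int ok = strcmp(s, "-w") == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("stale=%d copy=%d\n", stale_pointer_is_clobbered(), private_copy_survives());
    return 0;
}
```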