Description
.Net segfaults when TMPDIR environment variable includes a printf format specifier (e.g. "%d").
Reproduction Steps
All that is required is for TMPDIR env var to contain a valid printf format specifier. A minimal example just uses the dotnet --info cli command:
TMPDIR="/tmp/%d" dotnet --info
Expected behavior
Program runs without exception.
Actual behavior
Segmentation fault (core dumped) TMPDIR="/tmp/%d" dotnet --info
Regression?
No response
Known Workarounds
Change the value of the TMPDIR env var to not include valid printf format specifiers.
Configuration
- .Net version 9.0.112
- OS/version is NixOS 25.11.3202.30a3c519afcf (Xantusia). Though I've also tried this on macOS, so I'm pretty sure this at least a reproducible problem on anything unix-like
Other information
The core dump points to the problem being in process.cpp in PAL_GetTransportPipeName, where we read in the value of the TMPDIR env var and use it as part of a format string in a call to snprintf. Specifically, I believe the probem is caused by:
This line reads in TMPDIR into formatBuffer. In the problematic case, this is something like "/tmp/%d":
|
dwRetVal = ::GetTempPathA(MAX_DEBUGGER_TRANSPORT_PIPE_NAME_LENGTH, formatBuffer); |
This line concatenates a constant string to formatBuffer. In the probmeatic case, this yields "tmp/%d/clr-debug-pipe-%d-%llu-%s":
|
if (strncat_s(formatBuffer, _countof(formatBuffer), PipeNameFormat, strlen(PipeNameFormat)) == STRUNCATE) |
This line interprets formatBuffer as a format string. In the problematic case, this segfaults because formatBuffer contains more format specifiers than expected.
|
int chars = snprintf(name, MAX_DEBUGGER_TRANSPORT_PIPE_NAME_LENGTH, formatBuffer, id, disambiguationKey, suffix); |
Description
.Net segfaults when
TMPDIRenvironment variable includes a printf format specifier (e.g. "%d").Reproduction Steps
All that is required is for TMPDIR env var to contain a valid printf format specifier. A minimal example just uses the
dotnet --infocli command:TMPDIR="/tmp/%d" dotnet --infoExpected behavior
Program runs without exception.
Actual behavior
Segmentation fault (core dumped) TMPDIR="/tmp/%d" dotnet --infoRegression?
No response
Known Workarounds
Change the value of the TMPDIR env var to not include valid printf format specifiers.
Configuration
Other information
The core dump points to the problem being in process.cpp in
PAL_GetTransportPipeName, where we read in the value of theTMPDIRenv var and use it as part of a format string in a call tosnprintf. Specifically, I believe the probem is caused by:This line reads in TMPDIR into
formatBuffer. In the problematic case, this is something like "/tmp/%d":runtime/src/coreclr/src/pal/src/thread/process.cpp
Line 2112 in ab3b9a8
This line concatenates a constant string to
formatBuffer. In the probmeatic case, this yields "tmp/%d/clr-debug-pipe-%d-%llu-%s":runtime/src/coreclr/src/pal/src/thread/process.cpp
Line 2124 in ab3b9a8
This line interprets
formatBufferas a format string. In the problematic case, this segfaults becauseformatBuffercontains more format specifiers than expected.runtime/src/coreclr/src/pal/src/thread/process.cpp
Line 2130 in ab3b9a8