Date: Mon, 13 Jan 2025 15:36:19 +0100
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin main function: vulnerable to wchar_t to char conversion attacks or not?
From: Corinna Vinschen via Cygwin
Reply-To: cygwin AT cygwin DOT com

On Jan 10 13:52, Kaz Kylheku via Cygwin wrote:
> On 2025-01-09 23:52, Marco Atzeri wrote:
> > On 10/01/2025 08:33, Andrey Repin via Cygwin wrote:
> >> Greetings, Kaz Kylheku!
> >>
> >>> Hi all,
> >>
> >>> I'm reading an article on attacks that are evidently possible against some Windows
> >>> programs in the area of command line parsing. See below.
> >>
> >>> Does the Cygwin run-time rely on GetCommandLineA to get the char-based command
> >>> line that is parsed into argv[]?
> >>
> >> You can answer this question yourself. The code is open.
> >
> > Specifically on https://cygwin.com/git/newlib-cygwin.git
> >
> > /pub/Cygwin/git/newlib-cygwin
> > $ grep -rH GetCommandLineA .
> > ./winsup/CVSChangeLogs.old/cygwin/ChangeLog-2013: (cygwin_GetCommandLineA): Ditto.
> > ./winsup/cygwin/cygwin.din:GetCommandLineA@0 = cygwin_GetCommandLineA@0 NOSIGFE
> > ./winsup/cygwin/include/cygwin/version.h: 268: Export GetCommandLineA, GetCommandLineW
> > ./winsup/cygwin/kernel32.cc:/* Cygwin replacement for GetCommandLineA. Returns a concatenated string
> > ./winsup/cygwin/kernel32.cc:cygwin_GetCommandLineA (void)
>
> I see that the kernel32.cc function uses RtlUnicodeStringtoAnsiString.
>
> The article I linked to mentions this specific function. The function does the
> "BestFit" thing, converting Unicode characters to ASCII pseudo-equivalents.
>
> If Cygwin relies on this function for converting the process command line
> into main() arguments, it is likely susceptible to argument injection.

Yeah, but it doesn't. This is just a wrapper function for external
apps. See function dll_crt0_1() in dcrt0.cc for the real deal.

Corinna
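
Added example, not part of the original message and not Cygwin's or Windows' code: a C sketch of why a lossy wide-to-narrow conversion matters for command-line splitting, next to a lossless UTF-8 conversion and a check that flags affected input. The fold table, function names and sample string are assumptions made for illustration; the table is a stand-in, not the real best-fit data.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample: fullwidth quotation marks (U+FF02) around "a b". */
static const wchar_t SAMPLE[] = L"tool \uFF02a b\uFF02";

/* Stand-in for a best-fit table (assumption, not the real Windows data):
   fullwidth forms U+FF01..U+FF5E fold onto ASCII 0x21..0x7E. */
static int fold_best_fit(wchar_t wc) {
    if ((unsigned long)wc < 0x80) return (int)wc;
    if (wc >= 0xFF01 && wc <= 0xFF5E) return (int)(wc - 0xFF01) + 0x21;
    return '?';
}

/* Lossy narrowing: each wide character becomes exactly one byte. */
size_t narrow_lossy(const wchar_t *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in && n + 1 < cap; in++) out[n++] = (char)fold_best_fit(*in);
    out[n] = '\0';
    return n;
}

/* Lossless narrowing to UTF-8 (BMP only). Non-ASCII input yields only
   bytes >= 0x80, so it cannot introduce an ASCII quote or backslash. */
size_t narrow_utf8(const wchar_t *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in && n + 3 < cap; in++) {
        unsigned long c = (unsigned long)*in;
        if (c > 0xFFFF) c = 0xFFFD;            /* outside this demo's range */
        if (c >= 0x800) out[n++] = (char)(0xE0 | (c >> 12));
        if (c >= 0x80)  out[n++] = (char)(c >= 0x800 ? 0x80 | ((c >> 6) & 0x3F)
                                                      : 0xC0 | (c >> 6));
        out[n++] = (char)(c >= 0x80 ? 0x80 | (c & 0x3F) : c);
    }
    out[n] = '\0';
    return n;
}

/* Detection: index of the first non-ASCII character that the fold turns
   into a quote or backslash, or -1 if there is none. */
long first_folded_meta(const wchar_t *in) {
    for (long i = 0; in[i]; i++) {
        int c = in[i] >= 0x80 ? fold_best_fit(in[i]) : 0;
        if (c == '"' || c == '\\') return i;
    }
    return -1;
}

/* Nonzero if the narrow string contains an ASCII double quote. */
int has_ascii_quote(const char *s) { return strchr(s, '"') != NULL; }
```

The wide sample contains no ASCII quote, yet the lossy result does, so a parser that splits the narrowed string sees quoting the caller never wrote; the UTF-8 result keeps the original characters as multi-byte sequences.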