.Net segfaults when TMPDIR environment variable includes a printf format specifier #122882
Description
Description
.Net segfaults when TMPDIR environment variable includes a printf format specifier (e.g. "%d").
Reproduction Steps
All that is required is for TMPDIR env var to contain a valid printf format specifier. A minimal example just uses the dotnet --info cli command:
TMPDIR="/tmp/%d" dotnet --infoExpected behavior
Program runs without exception.
Actual behavior
Segmentation fault (core dumped) TMPDIR="/tmp/%d" dotnet --info
Regression?
No response
Known Workarounds
Change the value of the TMPDIR env var to not include valid printf format specifiers.
Configuration
- .Net version 9.0.112
- OS/version is NixOS 25.11.3202.30a3c519afcf (Xantusia). Though I've also tried this on macOS, so I'm pretty sure this at least a reproducible problem on anything unix-like
Other information
The core dump points to the problem being in process.cpp in PAL_GetTransportPipeName, where we read in the value of the TMPDIR env var and use it as part of a format string in a call to snprintf. Specifically, I believe the probem is caused by:
This line reads in TMPDIR into formatBuffer. In the problematic case, this is something like "/tmp/%d":
This line concatenates a constant string to formatBuffer. In the probmeatic case, this yields "tmp/%d/clr-debug-pipe-%d-%llu-%s":
This line interprets formatBuffer as a format string. In the problematic case, this segfaults because formatBuffer contains more format specifiers than expected.