Fix segfault when TMPDIR contains printf format specifiers

[Copilot]

Description

PAL_GetTransportName was concatenating TMPDIR directly into a format string, causing segfaults when TMPDIR contained format specifiers like %d.

Before:

// TMPDIR="/tmp/%d/" -> formatBuffer="/tmp/%d/"
strncat_s(formatBuffer, IpcNameFormat);  // formatBuffer="/tmp/%d/%s-%d-%llu-%s"
snprintf(name, formatBuffer, prefix, id, key, suffix);  // SEGFAULT: too many format specs

After:

// Format IPC name separately first
snprintf(ipcName, IpcNameFormat, prefix, id, key, suffix);  // "clr-debug-pipe-1234-5678-socket"
strncat_s(formatBuffer, ipcName);  // "/tmp/%d/clr-debug-pipe-1234-5678-socket"
strcpy_s(name, formatBuffer);  // %d treated as literal

Customer Impact

.NET crashes immediately on any invocation (including dotnet --info) when TMPDIR contains format specifiers. Affects users in environments like NixOS where TMPDIR may be set to paths containing % characters.

Regression

No. Issue exists in all versions using this code path.

Testing

Verified with test program demonstrating TMPDIR="/tmp/%d" no longer causes segfault. CoreCLR builds successfully.

Risk

Low. Changes are surgical and only affect the transport pipe name construction. Format string is now evaluated separately before concatenation, eliminating the vulnerability without changing the final path structure.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>.Net segfaults when TMPDIR environment variable includes a printf format specifier</issue_title>
<issue_description>### Description

.Net segfaults when TMPDIR environment variable includes a printf format specifier (e.g. "%d").

Reproduction Steps

All that is required is for TMPDIR env var to contain a valid printf format specifier. A minimal example just uses the dotnet --info cli command:

TMPDIR="/tmp/%d" dotnet --info

Expected behavior

Program runs without exception.

Actual behavior

Segmentation fault (core dumped) TMPDIR="/tmp/%d" dotnet --info

Regression?

No response

Known Workarounds

Change the value of the TMPDIR env var to not include valid printf format specifiers.

Configuration

• .Net version 9.0.112
• OS/version is NixOS 25.11.3202.30a3c519afcf (Xantusia). Though I've also tried this on macOS, so I'm pretty sure this at least a reproducible problem on anything unix-like

Other information

The core dump points to the problem being in process.cpp in PAL_GetTransportPipeName, where we read in the value of the TMPDIR env var and use it as part of a format string in a call to snprintf. Specifically, I believe the probem is caused by:

This line reads in TMPDIR into formatBuffer. In the problematic case, this is something like "/tmp/%d":

runtime/src/coreclr/src/pal/src/thread/process.cpp

Line 2112 in ab3b9a8

dwRetVal = ::GetTempPathA(MAX_DEBUGGER_TRANSPORT_PIPE_NAME_LENGTH, formatBuffer);

This line concatenates a constant string to formatBuffer. In the probmeatic case, this yields "tmp/%d/clr-debug-pipe-%d-%llu-%s":

runtime/src/coreclr/src/pal/src/thread/process.cpp

Line 2124 in ab3b9a8

if (strncat_s(formatBuffer, _countof(formatBuffer), PipeNameFormat, strlen(PipeNameFormat)) == STRUNCATE)

This line interprets formatBuffer as a format string. In the problematic case, this segfaults because formatBuffer contains more format specifiers than expected.

runtime/src/coreclr/src/pal/src/thread/process.cpp

Line 2130 in ab3b9a8

int chars = snprintf(name, MAX_DEBUGGER_TRANSPORT_PIPE_NAME_LENGTH, formatBuffer, id, disambiguationKey, suffix);

</issue_description>

<agent_instructions>The segfault happens on main in process.cpp in the PAL_GetTransportName function. The customer was using an earlier version that had a slightly different path.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes .Net segfaults when TMPDIR environment variable includes a printf format specifier #122882

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[mdh1418]

Is a TMPDIR that has format specifiers really valid?

[hoyosjs]

I do agree that:

• We shouldn't crash this way.
• This is more correct. We just do formatting of what we know is correct.

but then the question remains: TMPDIR will give us something with a format specifier. We'd add pipes, dump, and all that here. We take environment to be a trusted block by the user, but does it succeed at creating files in such a dir?

[steveisok]

I do agree that:

• We shouldn't crash this way.
• This is more correct. We just do formatting of what we know is correct.

but then the question remains: TMPDIR will give us something with a format specifier. We'd add pipes, dump, and all that here. We take environment to be a trusted block by the user, but does it succeed at creating files in such a dir?

Directories with a format specifier are valid. It's unclear if the change creates additional problems later. Should we just disallow format specifiers / special characters?

[hoyosjs]

Given that % is not a reserved character on Unix or Windows, this PR is closer to being correct. We should test running an app with it - but generally we should just honor that this is a valid directory.

[dotnet-policy-service]

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.