
Bug#320244: marked as done (glibc crashes in execvp())



Your message dated Sun, 07 Aug 2005 18:20:47 +0400
with message-id <87oe89j0ao.fsf@foo.vault.bofh.ru>
and subject line fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Jul 2005 20:27:13 +0000
>From belyshev@depni.sinp.msu.ru Wed Jul 27 13:27:13 2005
Return-path: <belyshev@depni.sinp.msu.ru>
Received: from (foo.vault.bofh.ru) [82.138.41.32] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DxsUj-0000dr-00; Wed, 27 Jul 2005 13:27:13 -0700
Received: from localhost ([127.0.0.1] helo=foo.vault.bofh.ru)
	by foo.vault.bofh.ru with esmtp (Exim 4.52)
	id 1DxsUh-0004tS-Lc
	for submit@bugs.debian.org; Thu, 28 Jul 2005 00:27:11 +0400
To: submit@bugs.debian.org
Subject: glibc crashes in execvp()
From: Serge Belyshev <belyshev@depni.sinp.msu.ru>
Date: Thu, 28 Jul 2005 00:27:11 +0400
Message-ID: <871x5kc7vk.fsf@foo.vault.bofh.ru>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/23.0.0 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

--=-=-=


Package: libc6
Version: 2.3.5-2

This small program crashes glibc in execvp():

---------------------------------------------------
#include <unistd.h>

extern char **environ;

/* A vector holding nothing but the terminating null pointer.  It is used
   below both as the process environment and as the argument list.  */
static char *no_entries[] = { NULL };

/* Reproducer for the report: call execvp() on a name that is not expected
   to exist while the environment is empty, so that no PATH variable is
   available to the lookup.  */
int
main (void)
{
  /* Drop every environment variable, PATH included.  */
  environ = no_entries;

  /* The lookup is expected to fail.  Reaching the return statement means
     execvp() came back to the caller instead of aborting the process.  */
  execvp ("nothing ", no_entries);

  return 0;
}
---------------------------------------------------

$ ./a.out 
*** glibc detected *** free(): invalid pointer: 0x0000000000501016 ***
Aborted (core dumped)
$ 

A similar effect can be achieved by executing "env -i nonexistent_program".

This bug was reported to the upstream developers, see
http://sources.redhat.com/bugzilla/show_bug.cgi?id=1125
and it is already fixed in the current CVS HEAD.
I have attached a backported patch for the Debian glibc package.


--=-=-=
Content-Disposition: attachment; filename=glibc235-execvp-fix.dpatch
Content-Description: fix for glibc bug #1125

#! /bin/sh -e

# All lines beginning with `# DP:' are a description of the patch.
# DP: Description: fix BZ #1125
# DP: Related bugs: 
# DP: Dpatch author: Serge Belyshev <belyshev@depni.sinp.msu.ru>
# DP: Patch author: Upstream
# DP: Upstream status: In CVS
# DP: Status Details: 
# DP: Date: @DATE@

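# Strip level handed to patch(1) through -p; it must match the a/ and b/
# prefixes used by the diff appended to this script.
PATCHLEVEL=1

# Exactly two arguments are expected: the mode (-patch or -unpatch) and the
# directory that patch(1) should change into.
if [ $# -ne 2 ]; then
    echo >&2 "$(basename "$0"): script expects -patch|-unpatch as argument"
    exit 1
fi

# The script feeds itself to patch(1) on stdin.  "$0" and "$PATCHLEVEL" are
# quoted so that a script path containing whitespace or glob characters is
# not word-split or expanded before the redirection.
case "$1" in
    -patch) patch -d "$2" -f --no-backup-if-mismatch -p"$PATCHLEVEL" < "$0";;
    -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p"$PATCHLEVEL" < "$0";;
    *)
	echo >&2 "$(basename "$0"): script expects -patch|-unpatch as argument"
	exit 1
esac

# Leave before the appended diff so the shell never reads it as commands.
exit 0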

# append the patch here and adjust the -p? flag in the patch calls.
diff -purN a/posix/execvp.c b/posix/execvp.c
--- a/posix/execvp.c	2005-07-26 01:15:32.000000000 +0400
+++ b/posix/execvp.c	2005-07-26 01:16:21.000000000 +0400
@@ -88,7 +88,7 @@ execvp (file, argv)
   else
     {
       char *path = getenv ("PATH");
-      bool path_malloc = false;
+      char *path_malloc = NULL;
       if (path == NULL)
 	{
 	  /* There is no `PATH' in the environment.
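Review bot: The new declaration `char *path_malloc = NULL;` has no comment saying why a second pointer is kept next to `path`, and it retains a boolean-sounding name although it now holds an address. The rest of the change suggests that `path` no longer points at the start of the allocation by the time it is released (the search loop lies outside these hunks, so this is inferred), which is what made the old `free (path)` hand the allocator an invalid pointer. I would add `/* Start of the buffer allocated for the default path, or NULL when PATH came from the environment; free this one, not path.  */` above the declaration. The unconditional `free (path_malloc);` calls in the third and fourth hunks rely on free(NULL) being a no-op, which is fine. execvp's body starts and ends outside the hunk.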
@@ -100,7 +100,7 @@ execvp (file, argv)
 	    return -1;
 	  path[0] = ':';
 	  (void) confstr (_CS_PATH, path + 1, len);
-	  path_malloc = true;
+	  path_malloc = path;
 	}
 
       size_t len = strlen (file) + 1;
@@ -108,8 +108,7 @@ execvp (file, argv)
       char *name = malloc (pathlen + len + 1);
       if (name == NULL)
 	{
-	  if (path_malloc)
-	    free (path);
+	  free (path_malloc);
 	  return -1;
 	}
       /* Copy the file name at the top.  */
@@ -190,8 +189,7 @@ execvp (file, argv)
 
       free (script_argv);
       free (name - pathlen);
-      if (path_malloc)
-	free (path);
+      free (path_malloc);
     }
 
   /* Return the error from the last attempt (probably ENOENT).  */
diff -purN a/posix/Makefile b/posix/Makefile
--- a/posix/Makefile	2005-07-26 01:15:32.000000000 +0400
+++ b/posix/Makefile	2005-07-26 01:16:21.000000000 +0400
@@ -84,7 +84,7 @@ tests		:= tstgetopt testfnm runtests run
 		   transbug tst-rxspencer tst-pcre tst-boost \
 		   bug-ga1 tst-vfork1 tst-vfork2 tst-waitid \
 		   tst-getaddrinfo2 bug-glob1 bug-glob2 tst-sysconf \
-		   tst-execvp1 tst-execvp2 tst-execlp1 tst-execlp2 \
+		   tst-execvp1 tst-execvp2 tst-execvp4 tst-execlp1 tst-execlp2 \
 		   tst-execv1 tst-execv2 tst-execl1 tst-execl2 \
 		   tst-execve1 tst-execve2 tst-execle1 tst-execle2
 xtests		:= bug-ga2
diff -purN a/posix/tst-execvp4.c b/posix/tst-execvp4.c
--- a/posix/tst-execvp4.c	2005-07-26 01:15:32.000000000 +0400
+++ b/posix/tst-execvp4.c	2005-07-26 01:16:21.000000000 +0400
@@ -0,0 +1,35 @@
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+static int
+do_test (void)
+{
+  char buf[40] = "/usr/bin/does-not-exist";
+  size_t stemlen = strlen (buf);
+  struct stat64 st;
+  int cnt = 0;
+  while (stat64 (buf, &st) != -1 || errno != ENOENT
+	 || stat64 (buf + 4, &st) != -1 || errno != ENOENT)
+    {
+      if (cnt++ == 100)
+	{
+	  puts ("cannot find a unique file name");
+	  return 0;
+	}
+
+      strcpy (buf + stemlen, ".XXXXXX");
+      mktemp (buf);
+    }
+
+  unsetenv ("PATH");
+  char *argv[] = { buf + 9, NULL };
+  execvp (argv[0], argv);
+  return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
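Review bot: do_test returns 0 whether or not execvp reports the expected error, so the only failure it can detect is the process being aborted by the allocator check, and nothing in the file says so; a header comment such as `/* BZ #1125: with PATH unset execvp must fail cleanly; the old code aborted in free().  */` would make the intent explicit. The offsets in `stat64 (buf + 4, &st)` and `buf + 9` are unexplained: they appear to select "/bin/<name>" and the bare file name, matching the directories the fallback search path is expected to contain, and each deserves a one-line comment. The fallback path built in execvp.c begins with ':' (`path[0] = ':'`), which I read as an empty first element that also searches the current directory, and the loop does not check that the name is absent there. `mktemp` is tolerable here only because the generated name is never created, and a comment should say so to keep the pattern from being copied into code that does create the file.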

--=-=-=--

---------------------------------------
Received: (at 320244-done) by bugs.debian.org; 7 Aug 2005 14:20:50 +0000
>From belyshev@depni.sinp.msu.ru Sun Aug 07 07:20:50 2005
Return-path: <belyshev@depni.sinp.msu.ru>
Received: from (foo.vault.bofh.ru) [82.138.41.32] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E1m1C-0000YD-00; Sun, 07 Aug 2005 07:20:50 -0700
Received: from localhost ([127.0.0.1] helo=foo.vault.bofh.ru)
	by foo.vault.bofh.ru with esmtp (Exim 4.52)
	id 1E1m1A-0000hR-0B
	for 320244-done@bugs.debian.org; Sun, 07 Aug 2005 18:20:48 +0400
From: Serge Belyshev <belyshev@depni.sinp.msu.ru>
To: 320244-done@bugs.debian.org
Subject: fixed
Date: Sun, 07 Aug 2005 18:20:47 +0400
Message-ID: <87oe89j0ao.fsf@foo.vault.bofh.ru>
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/23.0.0 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: 320244-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_00,ONEWORD autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02

Version: 2.3.5-3


