Bug#320244: glibc crashes in execvp()
Package: libc6
Version: 2.3.5-2
This small program crashes glibc in execvp():
---------------------------------------------------
#include <unistd.h>
extern char **environ;
static char *empty[] = { 0 };
int main (void)
{
environ = empty;
execvp ("nothing ", empty);
return 0;
}
---------------------------------------------------
$ ./a.out
*** glibc detected *** free(): invalid pointer: 0x0000000000501016 ***
Aborted (core dumped)
$
similar effect can be achieved by executing "env -i nonexistent_program".
This bug was reported to upstream developers, see
http://sources.redhat.com/bugzilla/show_bug.cgi?id=1125
and it is already fixed in current CVS HEAD.
I have attached backported patch for debian glibc package.
#! /bin/sh -e
# All lines beginning with `# DP:' are a description of the patch.
# DP: Description: fix BZ #1125
# DP: Related bugs:
# DP: Dpatch author: Serge Belyshev <belyshev@depni.sinp.msu.ru>
# DP: Patch author: Upstream
# DP: Upstream status: In CVS
# DP: Status Details:
# DP: Date: @DATE@
PATCHLEVEL=1
if [ $# -ne 2 ]; then
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
fi
case "$1" in
-patch) patch -d "$2" -f --no-backup-if-mismatch -p$PATCHLEVEL < $0;;
-unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p$PATCHLEVEL < $0;;
*)
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
esac
exit 0
# append the patch here and adjust the -p? flag in the patch calls.
diff -purN a/posix/execvp.c b/posix/execvp.c
--- a/posix/execvp.c 2005-07-26 01:15:32.000000000 +0400
+++ b/posix/execvp.c 2005-07-26 01:16:21.000000000 +0400
@@ -88,7 +88,7 @@ execvp (file, argv)
else
{
char *path = getenv ("PATH");
- bool path_malloc = false;
+ char *path_malloc = NULL;
if (path == NULL)
{
/* There is no `PATH' in the environment.
@@ -100,7 +100,7 @@ execvp (file, argv)
return -1;
path[0] = ':';
(void) confstr (_CS_PATH, path + 1, len);
- path_malloc = true;
+ path_malloc = path;
}
size_t len = strlen (file) + 1;
@@ -108,8 +108,7 @@ execvp (file, argv)
char *name = malloc (pathlen + len + 1);
if (name == NULL)
{
- if (path_malloc)
- free (path);
+ free (path_malloc);
return -1;
}
/* Copy the file name at the top. */
@@ -190,8 +189,7 @@ execvp (file, argv)
free (script_argv);
free (name - pathlen);
- if (path_malloc)
- free (path);
+ free (path_malloc);
}
/* Return the error from the last attempt (probably ENOENT). */
diff -purN a/posix/Makefile b/posix/Makefile
--- a/posix/Makefile 2005-07-26 01:15:32.000000000 +0400
+++ b/posix/Makefile 2005-07-26 01:16:21.000000000 +0400
@@ -84,7 +84,7 @@ tests := tstgetopt testfnm runtests run
transbug tst-rxspencer tst-pcre tst-boost \
bug-ga1 tst-vfork1 tst-vfork2 tst-waitid \
tst-getaddrinfo2 bug-glob1 bug-glob2 tst-sysconf \
- tst-execvp1 tst-execvp2 tst-execlp1 tst-execlp2 \
+ tst-execvp1 tst-execvp2 tst-execvp4 tst-execlp1 tst-execlp2 \
tst-execv1 tst-execv2 tst-execl1 tst-execl2 \
tst-execve1 tst-execve2 tst-execle1 tst-execle2
xtests := bug-ga2
diff -purN a/posix/tst-execvp4.c b/posix/tst-execvp4.c
--- a/posix/tst-execvp4.c 2005-07-26 01:15:32.000000000 +0400
+++ b/posix/tst-execvp4.c 2005-07-26 01:16:21.000000000 +0400
@@ -0,0 +1,35 @@
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+static int
+do_test (void)
+{
+ char buf[40] = "/usr/bin/does-not-exist";
+ size_t stemlen = strlen (buf);
+ struct stat64 st;
+ int cnt = 0;
+ while (stat64 (buf, &st) != -1 || errno != ENOENT
+ || stat64 (buf + 4, &st) != -1 || errno != ENOENT)
+ {
+ if (cnt++ == 100)
+ {
+ puts ("cannot find a unique file name");
+ return 0;
+ }
+
+ strcpy (buf + stemlen, ".XXXXXX");
+ mktemp (buf);
+ }
+
+ unsetenv ("PATH");
+ char *argv[] = { buf + 9, NULL };
+ execvp (argv[0], argv);
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
Reply to: