This small program crashes glibc in execvp():
---------------------------------------------------
#include <unistd.h>

extern char **environ;
static char *empty[] = { 0 };

int main (void)
{
  environ = empty;
  execvp ("nothing ", empty);
  return 0;
}
---------------------------------------------------
$ ./a.out
*** glibc detected *** free(): invalid pointer: 0x0000000000501016 ***
Aborted (core dumped)
$

Similar effect can be achieved by executing "env -i nonexistent_program".

The problem seems to be here, posix/execvp.c:121:

  char *p = path;
  do
    {
      char *startp;
      path = p; // it changes 'path' inside loop
      p = __strchrnul (path, ':');
      ...
    }
  while (*p++ != '\0');
  ...
  if (path_malloc)
    free (path); // and then frees it.

Fixed in the latest cvs.
Subject: Bug 1125

CVSROOT:        /cvs/glibc
Module name:    libc
Branch:         glibc-2_3-branch
Changes by:     roland@sources.redhat.com 2005-10-17 09:05:18

Modified files:
        posix : execvp.c

Log message:
        2005-07-24  Jakub Jelinek  <jakub@redhat.com>

        [BZ #1125]
        * posix/execvp.c (execvp): Change path_malloc to char *, free that
        pointer on failure.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/posix/execvp.c.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=1.21.2.3&r2=1.21.2.4

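Added example, not glibc's code and not part of the original report: a self-contained sketch of the pattern the log message above describes, where the pointer that owns the heap copy is kept apart from the cursor that the search loop advances. The function name walk_path_copy, the use of strchr in place of __strchrnul, and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Walk a colon-separated search path on a heap copy, as the loop quoted
   in the report does.  Returns the number of components visited (an
   empty component counts), or -1 if allocation fails.  If last_start is
   non-NULL it receives the offset of the final component inside the
   copy, i.e. where the cursor ended up.  */
static int walk_path_copy(const char *search_path, size_t *last_start)
{
    size_t len = strlen(search_path) + 1;
    char *path_malloc = malloc(len);   /* owning pointer: never reassigned */
    if (path_malloc == NULL)
        return -1;
    memcpy(path_malloc, search_path, len);

    char *path;                        /* cursor: start of current component */
    char *p = path_malloc;
    int components = 0;
    do {
        path = p;
        p = strchr(path, ':');         /* portable stand-in for __strchrnul */
        if (p == NULL)
            p = path + strlen(path);
        components++;
    } while (*p++ != '\0');

    if (last_start != NULL)
        *last_start = (size_t)(path - path_malloc);

    /* Passing the cursor to free() here is the reported defect: after
       the loop it may point into the middle of the block.  Free the
       owning pointer instead.  */
    free(path_malloc);
    return components;
}

int main(void)
{
    size_t off;
    /* Constructed sample input, not taken from the report.  */
    int n = walk_path_copy(":/bin:/usr/bin", &off);
    printf("%d components, cursor ended at offset %zu\n", n, off);
    return 0;
}
```

Building this with -fsanitize=address and swapping free(path_malloc) for free(path) makes the invalid free visible for any path with more than one component.
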
Subject: Bug 1125

CVSROOT:        /cvs/glibc
Module name:    libc
Branch:         glibc-2_3-branch
Changes by:     roland@sources.redhat.com 2005-10-17 09:05:20

Modified files:
        posix : Makefile
Added files:
        posix : tst-execvp4.c

Log message:
        2005-07-24  Ulrich Drepper  <drepper@redhat.com>

        [BZ #1125]
        * posix/Makefile (tests): Add tst-execvp4.
        * posix/tst-execvp4.c: New file.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/posix/tst-execvp4.c.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=NONE&r2=1.1.4.1
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/posix/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=1.179.2.3&r2=1.179.2.4

Flagging as security-; no apparent application impact.