File: thread_alloca.c

/* Reproduces bug 321960 (based on test from Daniel Stodden).
   At least on Ubuntu 12 and 13, causes invalid write errors
   in __yell or the memset call (due to some part of the main
   stack being marked as not addressable in memcheck).
   Bug seems extremely sensitive to initial conditions:
   Depending on the size of the env, bug is triggered or not.
   Also, a high nr of threads in thr[] is needed to get
   the problem. */
#include <pthread.h>
#if !defined(__FreeBSD__)
#include <alloca.h>
#endif
#include <assert.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h> 

/* Thread start routine that does no work: the argument is ignored and
   the thread finishes at once with a NULL result. */
void *
nop(void *nil)
{
    (void)nil;   /* intentionally unused */
    return NULL;
}

/* Writes zeroes over a 256-byte buffer in its own stack frame.
   Per the note at the top of this file, this write (or the memset
   call itself) is where memcheck reported the invalid write when
   bug 321960 triggered, so the body is left exactly as it is.
   NOTE(review): identifiers starting with a double underscore are
   reserved for the implementation; the name is presumably kept from
   the original reproducer. */
void
__yell(void)
{
    char buf[256];
    /* sizeof(buf) is the full array size, so the write stays inside buf. */
    memset(buf, 0, sizeof(buf));
}

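/* Without an argument, runs the thread/alloca sequence once.
   Otherwise the first argument is the number of times the process
   will exec itself, each time increasing the size of the environment
   by about 50 characters.

   The locals and everything up to the pthread_join loop are unchanged:
   per the note at the top of this file, the memcheck error being
   reproduced is very sensitive to initial conditions.  Only the two
   formatting calls in the re-exec branch were changed, so that a large
   count in argv[1] can no longer write past the end of n[]. */
int main(int argc, char **argv, char** envp)
{
    pthread_t thr[50];
    int i, err;

    for (i = 0; i < sizeof(thr) / sizeof(*thr); i++) {
        err = pthread_create(&thr[i], NULL, nop, NULL);
        assert(!err);
    }

    /* The result is discarded on purpose; presumably the call is here
       only for its effect on main's stack before __yell() runs. */
    alloca(4096);
    __yell();

    for (i = 0; i < sizeof(thr) / sizeof(*thr); i++)
        pthread_join(thr[i], NULL);

    if ( argc == 2 && atoi(argv[1]) > 0) {
       /* exec ourselves with some more env */
       char** new_env;
       char more_env[100];
       char n[10];
       int j;

       /* Bounded write; err is reused so no new local is added to the frame. */
       err = snprintf(more_env, sizeof(more_env),
                      "N%d=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",  atoi(argv[1]));
       assert(err > 0 && (size_t)err < sizeof(more_env));

       /* Count the inherited environment entries. */
       for (j = 0; envp[j]; j++)
          ;
       /* Room for the inherited entries, the new one and the terminator. */
       new_env = malloc((j+2) * sizeof(char*));
       assert (new_env != NULL);
       for (i = 0; i < j; i++)
          new_env[i] = envp[i];
       new_env[i++] = more_env;
       new_env[i++] = NULL;
       assert(i == j+2);

       /* n[] holds nine digits plus the terminator.  A ten-digit count
          used to overflow it through sprintf; now the write is bounded
          and a count that does not fit is rejected. */
       err = snprintf (n, sizeof(n), "%d",  atoi(argv[1]) - 1);
       assert(err > 0 && (size_t)err < sizeof(n));
       // system ("env | wc");
       execle(argv[0], argv[0], n, (char *) NULL, new_env);
       /* execle only returns on failure. */
       assert(0);
       return 1;   /* still report the failure when asserts are compiled out */
    } else
       return 0;
}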