Hide Forgot
The code declares variables as: char path[FILENAME_MAX]; char buf_pname[FILENAME_MAX]; char buf_cwd[FILENAME_MAX]; and on a coredump provided by an user, buf_cwd has a sane value (it has a smaller value, thus not overwritten), but buf_pname is pointing to a very large shell script, having written more than 16k bytes before the crash. The code looks like: while (c != EOF) { c = fgetc(f); if ((c != EOF) && (c != '\0')) { buf_pname[len] = c; len++; continue; } buf_pname[len] = '\0'; from gdb I also see: (gdb) p pname_status $28 = 0x102b3e0 "sh" so, I believe the crash was caused by some variant of a logic like: $ /bin/sh -c "$(cat /some/really/large/script)" where contents of /some/really/large/script will be in /proc/$PID/cmdline. The pseudo patch to prevent the crash would be: - if ((c != EOF) && (c != '\0')) { + if ((c != EOF) && (c != '\0') && len < 4095) { another possible cause would be a corrupted /proc/$PID/cmdline, but the above description looks a lot more likely the crash condition.
Created attachment 1212848 [details] Simple python reproducer
Created attachment 1212849 [details] api.c: fix potential buffer overflow
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0583.html