illumos gate

A race in the libc realpath() function can cause the function to read and write outside the bounds of its stack-based buffer, or produce an incorrect result, if another process renames the current working directory or one of its ancestors during execution of the function.

The testcase demonstrates a valid call to realpath() producing a segmentation fault, when another independent process that renames the working directory is running at the same time. (It runs in a loop until the race condition is triggered, which is within a couple seconds on my 2 CPU VM.) The bug is triggered when the working directory is renamed after realpath_impl() (called by realpath()) has called resolvepath() and before it calls getcwd(). The segmentation fault occurs because realpath_impl() attempts to read from the memory address just before the first mapped stack page, at usr/src/lib/libc/port/gen/realpath.c line 98.

$ gcc -g -o get-realpath get-realpath.c
$ gcc -g -o rename-w rename-w.c
$ ./rename-w &
[1] 15573
$ ./get-realpath
Segmentation Fault (core dumped)
$ kill %%
$
[1]+  Terminated              ./rename-w