Bug #12906: realpath() race can result in a segfault, memory corruption, or an incorrect path
Status: open
Description
A race in the libc realpath() function can cause the function to read and write outside the bounds of its stack-based buffer, or produce an incorrect result, if another process renames the current working directory or one of its ancestors during execution of the function.
The test case demonstrates a valid call to realpath() producing a segmentation fault when another, independent process that renames the working directory is running at the same time. (It runs in a loop until the race condition is triggered, which takes a couple of seconds on my 2 CPU VM.) The bug is triggered when the working directory is renamed after realpath_impl() (called by realpath()) has called resolvepath() and before it calls getcwd(). The segmentation fault occurs because realpath_impl() then attempts to read from the memory address just before the first mapped stack page, at usr/src/lib/libc/port/gen/realpath.c line 98.
$ gcc -g -o get-realpath get-realpath.c
$ gcc -g -o rename-w rename-w.c
$ ./rename-w &
[1] 15573
$ ./get-realpath
Segmentation Fault (core dumped)
$ kill %%
$
[1]+ Terminated ./rename-w
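The race described above has two outcomes: the out-of-bounds access inside libc, which only a fix in realpath_impl() can remove, and an incorrect path, which a caller can at least detect. The example below is added here for illustration; it is not the reporter's get-realpath.c or rename-w.c and not the libc fix. It wraps a resolver with a getcwd() comparison before and after the call (a string comparison, because a rename keeps the directory's inode and only changes the name that realpath() combines with its partial result) and retries when the working directory moved mid-call. The names realpath_stable(), run_race_demo() and the resolver_fn indirection are assumptions of this example; the indirection exists so the self-test can simulate the racing rename in one process on any POSIX system.

```c
/* Added example (not the illumos test case or fix): caller-side detection of
 * the "incorrect path" outcome of the realpath()/cwd-rename race. It cannot
 * prevent a crash inside libc; it only refuses to use a result that was
 * computed while the working directory was being renamed. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolver with the shape of realpath(3); hypothetical indirection so the
 * self-test can inject a resolver that renames the cwd mid-call. */
typedef char *(*resolver_fn)(const char *path, char *resolved);

static char *libc_resolver(const char *path, char *resolved)
{
    return realpath(path, resolved);
}

/* Resolve path, accepting the result only if getcwd() is unchanged across
 * the call. Returns 0 with the path in out, or -1 with errno set. */
int realpath_stable(const char *path, char out[PATH_MAX],
                    resolver_fn resolve, int max_attempts)
{
    char before[PATH_MAX], after[PATH_MAX], resolved[PATH_MAX];

    for (int attempt = 0; attempt < max_attempts; attempt++) {
        if (getcwd(before, sizeof before) == NULL)
            return -1;
        if (resolve(path, resolved) == NULL)
            return -1;                 /* genuine resolution error */
        if (getcwd(after, sizeof after) == NULL)
            return -1;
        if (strcmp(before, after) == 0) {
            snprintf(out, PATH_MAX, "%s", resolved);  /* cwd was stable */
            return 0;
        }
        /* cwd or an ancestor was renamed during the call: discard, retry */
    }
    errno = EAGAIN;
    return -1;
}

/* ---- self-test: simulate the racing rename in-process (constructed) ---- */
static char g_old_dir[PATH_MAX], g_new_dir[PATH_MAX];
static int g_calls;

/* First call behaves like a realpath() interrupted by a rename of the cwd:
 * it hands back a path built from the pre-rename name after renaming the
 * directory. Later calls defer to libc. */
static char *racing_resolver(const char *path, char *resolved)
{
    if (g_calls++ == 0) {
        snprintf(resolved, PATH_MAX, "%s/%s", g_old_dir, path);
        return rename(g_old_dir, g_new_dir) == 0 ? resolved : NULL;
    }
    return realpath(path, resolved);
}

/* Creates <tmp>/a/file.txt, chdirs into <tmp>/a, resolves "file.txt" with the
 * racing resolver. Returns the number of resolver calls made, or -1. */
int run_race_demo(char out[PATH_MAX])
{
    char tmpl[] = "/tmp/realpath-race-XXXXXX", file[PATH_MAX];
    char *base = mkdtemp(tmpl);
    if (base == NULL)
        return -1;
    snprintf(g_old_dir, sizeof g_old_dir, "%s/a", base);
    snprintf(g_new_dir, sizeof g_new_dir, "%s/b", base);
    if (mkdir(g_old_dir, 0700) != 0 || chdir(g_old_dir) != 0)
        return -1;
    FILE *f = fopen("file.txt", "w");
    if (f == NULL)
        return -1;
    fclose(f);
    g_calls = 0;
    int rc = realpath_stable("file.txt", out, racing_resolver, 3);
    /* best-effort cleanup: the directory now lives under its new name */
    if (chdir("/") == 0) {
        snprintf(file, sizeof file, "%s/file.txt", g_new_dir);
        unlink(file);
        rmdir(g_new_dir);
        rmdir(g_old_dir);
        rmdir(base);
    }
    return rc == 0 ? g_calls : -1;
}

int main(void)
{
    char out[PATH_MAX];
    int attempts = run_race_demo(out);
    if (attempts < 0) {
        perror("run_race_demo");
        return 1;
    }
    printf("resolved after %d attempt(s): %s\n", attempts, out);
    return 0;
}
```

In the demo the first attempt yields the stale ".../a/file.txt", the getcwd() comparison rejects it, and the second attempt returns the path under the renamed ".../b". The check is deliberately a string comparison of getcwd() output rather than stat(2) of ".", since the reported race is triggered by a rename, which does not change st_dev/st_ino.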