Bug 65470

Summary: libbsd-0.5.1 segfault in spt_copyenv() called from spt_init()
Product: libbsd
Reporter: Eric Smith <brouhaha>
Component: libbsd
Assignee: Guillem Jover <guillem>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Eric Smith 2013-06-06 17:49:29 UTC
Found by the Fedora FreeIPA team in testing the libbsd-0.5.1 update I submitted for Fedora 19.  See Fedora bug 971513:

https://bugzilla.redhat.com/show_bug.cgi?id=971513

Nalin Dahyabhai's comment seems particularly informative, so I quote it here:

The top couple of frames in my backtrace (with a little more debuginfo) look like this:

#0  __strchr_sse2 () at ../sysdeps/x86_64/strchr.S:32
#1  0x00007fffec389cdb in spt_copyenv (oldenv=0x55555577ec10)
    at setproctitle.c:94
#2  spt_init (argc=8, argv=0x7fffffffe448, envp=0x55555577ec10)
    at setproctitle.c:172

I think that spt_init's use of the passed-in value of "environ" is causing some trouble because when it calls spt_clearenv(), and spt_clearenv() ends up calling clearenv(), the value is freed before it's read.

Patching spt_clearenv() to behave as if HAVE_CLEARENV isn't defined keeps it from crashing on my system, as the fallback path doesn't actually free the old environment.
Comment 1 Guillem Jover 2013-06-07 05:40:41 UTC
As mentioned on the list, I've two possible fixes for this, which I'll include in 0.5.2 probably later today.
Comment 2 Guillem Jover 2013-06-08 16:45:11 UTC
Fixed in 0.5.2.
