git: 41b03932e590 - main - tests: Add a simple regression test for an execve overflow bug
Date: Mon, 04 May 2026 17:28:22 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=41b03932e59068decf03b7975889841f71c73ec4
commit 41b03932e59068decf03b7975889841f71c73ec4
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-04 15:39:55 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-04 17:28:02 +0000
tests: Add a simple regression test for an execve overflow bug
MFC after: 2 weeks
---
tests/sys/kern/Makefile | 1 +
tests/sys/kern/execve_overflow.c | 46 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+)
diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile
index a5a2af67e39d..a06e8702f16d 100644
--- a/tests/sys/kern/Makefile
+++ b/tests/sys/kern/Makefile
@@ -17,6 +17,7 @@ ATF_TESTS_C+= kern_copyin
ATF_TESTS_C+= kern_descrip_test
# One test modifies the maxfiles limit, which can cause spurious test failures.
TEST_METADATA.kern_descrip_test+= is_exclusive="true"
+PLAIN_TESTS_C+= execve_overflow
ATF_TESTS_C+= exterr_test
ATF_TESTS_C+= fdgrowtable_test
ATF_TESTS_C+= getdirentries_test
diff --git a/tests/sys/kern/execve_overflow.c b/tests/sys/kern/execve_overflow.c
new file mode 100644
index 000000000000..462f36ac5154
--- /dev/null
+++ b/tests/sys/kern/execve_overflow.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Mark Johnston <markj@FreeBSD.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/*
+ * A minimal regression test for FreeBSD-SA-26:13.exec.
+ */
+
+#include <err.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define SCRIPTNAME "script"
+#define SCRIPTBODY "#!/bin/sh\nexit 0\n"
+
+int
+main(void)
+{
+ char *argv;
+ size_t size;
+ int fd;
+
+ fd = open(SCRIPTNAME, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+ if (fd == -1)
+ err(1, "open");
+ if (write(fd, SCRIPTBODY, sizeof(SCRIPTBODY) - 1) !=
+ sizeof(SCRIPTBODY) - 1)
+ err(1, "write");
+ close(fd);
+
+ size = ARG_MAX / 2;
+ argv = malloc(size);
+ if (argv == NULL)
+ err(1, "malloc");
+ memset(argv, 'a', size - 1);
+ argv[size - 1] = '\0';
+
+ execve(SCRIPTNAME, (char *[]){ argv, NULL }, (char *[]){ NULL });
+
+ exit(1);
+}
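Review bot: When `execve()` returns in `main`, the test falls through to a bare `exit(1)`, so the log never records which errno the kernel returned; `err(1, "execve")` in its place would let a reader tell an argument-size rejection from, say, a missing interpreter. The header comment names the advisory but not the pass condition, so a comment above `size = ARG_MAX / 2;` along the lines of `/* Pass: the exec succeeds and the script exits 0; any return from execve() is a failure. */` would help. The reason for choosing half of ARG_MAX is not evident from the code and is best stated there by the author. The combined `write()` check also reports a short write through `err()`, which prints an errno that `write()` did not set in that case; `errx(1, "short write")` would be more accurate for it.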