From owner-freebsd-bugs Fri Nov 28 02:30:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA06396 for bugs-outgoing; Fri, 28 Nov 1997 02:30:03 -0800 (PST) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA06390; Fri, 28 Nov 1997 02:30:01 -0800 (PST) (envelope-from gnats)
Resent-Date: Fri, 28 Nov 1997 02:30:01 -0800 (PST)
Resent-Message-Id: <199711281030.CAA06390@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, kagotani@in.it.okayama-u.ac.jp
Received: from herring.in.it.okayama-u.ac.jp (herring.in.it.okayama-u.ac.jp [150.46.6.41]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id CAA06089 for ; Fri, 28 Nov 1997 02:23:46 -0800 (PST) (envelope-from kagotani@in.it.okayama-u.ac.jp)
Received: by herring.in.it.okayama-u.ac.jp (3.5Wpl6) id TAA05661; Fri, 28 Nov 1997 19:23:33 +0900 (JST)
Message-Id: <199711281023.TAA02509@loach.in.it.okayama-u.ac.jp>
Date: Fri, 28 Nov 1997 19:23:34 +0900 (JST)
From: kagotani@in.it.okayama-u.ac.jp
Reply-To: kagotani@in.it.okayama-u.ac.jp
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/5172: [2.2.5] /bin/sh dumps core
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 5172
>Category: bin
>Synopsis: /bin/sh dumps core when exec'ing a bogus script
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 28 02:30:00 PST 1997
>Last-Modified:
>Originator: Hiroto Kagotani
>Organization: Okayama University, Japan
>Release: FreeBSD 2.2.5-RELEASE i386
>Environment:
On the console or on any terminal emulator running any shell.
>Description:
If the interpreter of an executable script does not exist, and the
directory containing the script is not the last part of the PATH variable,
then /bin/sh dumps core when exec'ing the script.
>How-To-Repeat:
Create two executable scripts named "a" and "b" as follows:
--- a ---
#!/bin/sh
PATH=.:/bin
b
---------
--- b ---
#!/no/such/file
---------
And type "./a" in your shell. Then, you will get:
% ./a
Segmentation fault - core dumped
%
>Fix:
shellexec() in /bin/sh assumes that tryexec() does not change argv[0].
But execve(2) called in tryexec() changes it.
(I'm not sure whether this is a spec or a bug of execve(2).)
So, my sample fix preserves argv[0] before calling execve(2), and
restores it after.
---------
diff -u /usr/src/bin/sh/exec.c ./exec.c --- /usr/src/bin/sh/exec.c Mon Aug 25 18:09:46 1997 +++ ./exec.c Fri Nov 28 18:17:22 1997 @@ -164,6 +164,7 @@ char *p; #endif + char *argv0 = argv[0]; #ifdef SYSV do { execve(cmd, argv, envp); @@ -171,6 +172,7 @@ #else execve(cmd, argv, envp); #endif + argv[0] = argv0; e = errno; if (e == ENOEXEC) { initshellproc();
---------
>Audit-Trail:
>Unformatted:
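Review bot: In the first hunk (@@ -164,6 +164,7 @@), argv[0] is saved ahead of the `#ifdef SYSV` block, but that block's `do {` loop can call `execve(cmd, argv, envp)` more than once, and the restore in the second hunk only runs after `#endif`. If a failed execve can change argv[0] as the report states, a retry inside that loop would pass the changed value. Consider putting `argv[0] = argv0;` directly after the execve call inside the loop body as well, so the SYSV and non-SYSV paths behave the same.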
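Review bot: In the second hunk (@@ -171,6 +172,7 @@), `argv[0] = argv0;` carries no comment, and nothing at that line tells a later reader why the caller has to undo a change made by execve(2). Add a short comment there saying that a failed execve was observed to change argv[0] and that shellexec() relies on argv[0] being unchanged when tryexec() returns. Since the report leaves open whether this is intended execve(2) behaviour or a bug, the comment should also mark the restore as a workaround, so it can be revisited once the cause in execve(2) is settled.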