The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=41b03932e59068decf03b7975889841f71c73ec4

commit 41b03932e59068decf03b7975889841f71c73ec4
Author:     Mark Johnston <[email protected]>
AuthorDate: 2026-05-04 15:39:55 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2026-05-04 17:28:02 +0000

    tests: Add a simple regression test for an execve overflow bug
    
    MFC after:      2 weeks
---
 tests/sys/kern/Makefile          |  1 +
 tests/sys/kern/execve_overflow.c | 46 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile
index a5a2af67e39d..a06e8702f16d 100644
--- a/tests/sys/kern/Makefile
+++ b/tests/sys/kern/Makefile
@@ -17,6 +17,7 @@ ATF_TESTS_C+= kern_copyin
 ATF_TESTS_C+=  kern_descrip_test
 # One test modifies the maxfiles limit, which can cause spurious test failures.
 TEST_METADATA.kern_descrip_test+= is_exclusive="true"
+PLAIN_TESTS_C+=        execve_overflow
 ATF_TESTS_C+=  exterr_test
 ATF_TESTS_C+=  fdgrowtable_test
 ATF_TESTS_C+=  getdirentries_test
diff --git a/tests/sys/kern/execve_overflow.c b/tests/sys/kern/execve_overflow.c
new file mode 100644
index 000000000000..462f36ac5154
--- /dev/null
+++ b/tests/sys/kern/execve_overflow.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2026 Mark Johnston <[email protected]>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/*
+ * A minimal regression test for FreeBSD-SA-26:13.exec.
+ */
+
+#include <err.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define        SCRIPTNAME      "script"
+#define        SCRIPTBODY      "#!/bin/sh\nexit 0\n"
+
+int
+main(void)
+{
+       char *argv;
+       size_t size;
+       int fd;
+
+       fd = open(SCRIPTNAME, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+       if (fd == -1)
+               err(1, "open");
+       if (write(fd, SCRIPTBODY, sizeof(SCRIPTBODY) - 1) !=
+           sizeof(SCRIPTBODY) - 1)
+               err(1, "write");
+       close(fd);
+
+       size = ARG_MAX / 2;
+       argv = malloc(size);
+       if (argv == NULL)
+               err(1, "malloc");
+       memset(argv, 'a', size - 1);
+       argv[size - 1] = '\0';
+
+       execve(SCRIPTNAME, (char *[]){ argv, NULL }, (char *[]){ NULL });
+
+       exit(1);
+}

Reply via email to