[lxc-devel] Regression: lxc-0.8.0-rc2: lxc-execute crashes on long argument lists

Sun Apr 15 20:27:30 UTC 2012

Commit 0ae4f887 ("lxc: introduce lxc_execute()" - Greg Kurz) introduced
a regression with the use of lxc-execute for containers with large
argument lists.  In lxc-0.7.5, the following command produced 100000
lines of output:

	lxc-execute -n test -- /usr/bin/printf '%s\n' {1..100000}

In lxc-0.8.0-rc2, the same command produces no output.  Running strace
reveals that a child of lxc-execute receives a segmentation fault before
it starts lxc-init.  The crash occurs because the new function allocates
too few elements for the argv of the child, so a long argument list
causes it to trash the heap.  Given a large enough argument list, it
will run off the end of the heap and access an unmapped page, causing a
segmentation fault.

I have a patch for this posted in my master branch on GitHub:

	https://github.com/kevin-dot-pyle/lxc

The following changes since commit ed55bf5203aca88809d979b289d6b2280a18e79c:

   lxc-0.8.0-rc2 (2012-03-20 23:27:47 +0100)

are available in the git repository at:
   git://github.com/kevin-dot-pyle/lxc.git master

Kevin Pyle (4):
       conf: make struct config const
       network: make lxc_ipv{4,6}_addr_add const correct
       log: make locinfo static const
       execute: fix argument counting regression from 0ae4f887

  src/lxc/confile.c |    8 ++++----
  src/lxc/execute.c |    5 ++++-
  src/lxc/log.h     |   24 ++++++++++++------------
  src/lxc/network.c |   12 ++++++------
  src/lxc/network.h |   10 +++++-----
  5 files changed, 31 insertions(+), 28 deletions(-)