1 files changed, 62 insertions, 0 deletions

diff --git a/testsuite/systemtap.base/overflow-get_argv.stp b/testsuite/systemtap.base/overflow-get_argv.stp
new file mode 100644
index 00000000..159ef4a8
--- /dev/null
+++ b/testsuite/systemtap.base/overflow-get_argv.stp
@@ -0,0 +1,62 @@
+// PR11234: __get_argv can overflow its return buffer
+
+// __get_argv has a signature like this:
+//    struct function___get_argv_locals {
+//      int64_t a;
+//      int64_t first;
+//      string_t __retvalue;
+//    } function___get_argv;
+//
+// These functions are meant to have an overlap such that we can tell if
+// __get_argv overran its __retvalue.
+//
+//      int64_t x;
+//      int64_t y;
+//      string_t z;
+//      string_t __retvalue;
+//
+// NB: __retvalue[0] always gets cleared on call, but the rest should be
+// untouched, so we can use it as a sentinal.
+
+function clear:string(x:long, y:long, z:string) %{
+  memset(THIS->__retvalue, 0, MAXSTRINGLEN);
+%}
+
+function check:string(x:long, y:long, z:string) %{
+  int i, bad = 0;
+  for (i=1; i<MAXSTRINGLEN; ++i)
+    if (THIS->__retvalue[i])
+      ++bad;
+
+  if (bad)
+    snprintf(THIS->__retvalue, MAXSTRINGLEN, "%d non-zero bytes", bad);
+  else
+    strlcpy(THIS->__retvalue, "ok", MAXSTRINGLEN);
+%}
+
+global result = "untested"
+
+probe syscall.execve {
+  if (pid() != target())
+    next
+
+  clear(0, 0, "")
+  foo = __get_argv($argv, 0)
+  result = check(0, 0, "")
+
+  // ensure that foo isn't optimized away
+  if (foo == "foo")
+    next
+}
+
+probe begin {
+  println("systemtap starting probe")
+}
+
+probe end {
+  println("systemtap ending probe")
+  if (result == "ok")
+    println("systemtap test success")
+  else
+    println("systemtap test failure: ", result)
+}