From e72f3054e337c0335b9c8b9821d175727227609d Mon Sep 17 00:00:00 2001
From: Alexander Moch
Date: Mon, 29 Dec 2025 19:16:34 +0000
Subject: [PATCH] cmd/ztest: avoid `PATH_MAX` stack allocation in `ztest_get_zdb_bin()` (#18085)

Calling realpath(path, buf) can trigger fortified header wrappers that allocate a PATH_MAX-sized temporary buffer on the stack, exceeding the 4 KiB frame limit on some systems. Use the heap-allocating realpath(path, NULL) form instead.

Sponsored-by: ERNW Research GmbH - https://ernw-research.de/
Signed-off-by: Alexander Moch
Reviewed-by: Brian Behlendorf
Reviewed-by: Tony Hutter
---
 cmd/ztest.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmd/ztest.c b/cmd/ztest.c
index 35929cbcf..bab7e32db 100644
--- a/cmd/ztest.c
+++ b/cmd/ztest.c
@@ -7144,6 +7144,7 @@ static void
 ztest_get_zdb_bin(char *bin, int len)
 {
 char *zdb_path;
+ char *resolved;
 /*
 * Try to use $ZDB and in-tree zdb path. If not successful, just
 * let popen to search through PATH.
@@ -7157,7 +7158,11 @@ ztest_get_zdb_bin(char *bin, int len)
 return;
 }
 
- VERIFY3P(realpath(getexecname(), bin), !=, NULL);
+ resolved = realpath(getexecname(), NULL);
+ VERIFY3P(resolved, !=, NULL);
+ strlcpy(bin, resolved, len);
+ free(resolved);
+
 if (strstr(bin, ".libs/ztest")) {
 strstr(bin, ".libs/ztest")[0] = '\0'; /* In-tree */
 strcat(bin, "zdb");
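Review bot: The return value of `strlcpy(bin, resolved, len)` in the second hunk is discarded, so a resolved path that does not fit in `len` bytes is silently truncated before the `strstr`/`strcat` logic runs on it. The old `realpath(getexecname(), bin)` call implicitly relied on the caller's buffer being large enough; the new form can state that assumption, e.g. `VERIFY3U(strlcpy(bin, resolved, len), <, len);`. Since the result appears to be used as the path of a binary to run, failing loudly is preferable to continuing with a shortened path. The unchanged `strcat(bin, "zdb")` context line is likewise not bounded by `len` and could become `strlcat(bin, "zdb", len)`. The body of ztest_get_zdb_bin starts before and continues past this hunk.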