Message-Id: <200901162206.n0GM6EDJ088882@www.freebsd.org>
Date: Fri, 16 Jan 2009 22:06:14 GMT
From: Dimitry Andric <dimitry@andric.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: gpart assert failure if used from FreeBSD Live CD
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         130632
>Category:       bin
>Synopsis:       [patch] gpart(8) assert failure if used from FreeBSD Live CD
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lulf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 16 22:10:01 UTC 2009
>Closed-Date:    Thu Feb 05 11:21:26 UTC 2009
>Last-Modified:  Thu Feb 05 11:21:26 UTC 2009
>Originator:     Dimitry Andric
>Release:        FreeBSD 8.0-CURRENT i386
>Organization:
n/a
>Environment:
System: FreeBSD vfbsd8.home.andric.com 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Thu Jan 15 23:55:45 CET 2009 dim@vfbsd8.home.andric.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
If you run gpart(8) from a recent FreeBSD -CURRENT Live CD, it will
crash with the following assertion failure:

Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536.
Abort trap: 6 (core dumped)

This is due to incorrect usage of strsep(3) in the function
load_library() in /usr/src/sbin/geom/core/geom.c, and caused by the
Live CD having set GEOM_LIBRARY_PATH to "/mnt2/lib/geom:/lib/geom".

In load_library(), you see the following:

	totalpath = strdup(libpath);
	...
	if (strchr(totalpath, ':') != NULL)
		curpath = strsep(&totalpath, ":");
	...
	free(totalpath);

The problem here is that strsep(3) modifies totalpath, to point at the
next token.  If you then attempt to free it later, the behaviour is
undefined.  The newer malloc in -CURRENT apparently catches this.

Note this ONLY occurs if GEOM_LIBRARY_PATH exists, contains more than
one directory, and the geom .so files are found in the first
directory.

>How-To-Repeat:
This is easily reproduced on -CURRENT, by running:

$ GEOM_LIBRARY_PATH=/lib/geom:/foo /sbin/gpart
Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536.
Abort trap: 6 (core dumped)

>Fix:
Here is a patch, following the strsep(3) manpage example.

Index: sbin/geom/core/geom.c
===================================================================
RCS file: /home/ncvs/src/sbin/geom/core/geom.c,v
retrieving revision 1.36
diff -u -p -r1.36 geom.c
--- sbin/geom/core/geom.c	4 Jun 2008 20:07:59 -0000	1.36
+++ sbin/geom/core/geom.c	16 Jan 2009 21:40:54 -0000
@@ -487,13 +487,13 @@ library_path(void)
 static void
 load_library(void)
 {
-	char *curpath, path[MAXPATHLEN], *totalpath;
+	char *curpath, path[MAXPATHLEN], *totalpath, *tofree;
 	uint32_t *lib_version;
 	void *dlh;
 	int ret;
 
 	ret = 0;
-	totalpath = strdup(library_path());
+	tofree = totalpath = strdup(library_path());
 	if (totalpath == NULL)
 		err(EXIT_FAILURE, "Not enough memory for library path");
 
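Review bot: style nit on the declaration line: `*totalpath, *tofree` is out of alphabetical order, which style(9) asks for among declarators of the same type, so `*tofree, *totalpath` reads better. A one-line comment at `tofree = totalpath = strdup(library_path());` saying that strsep(3) advances totalpath and tofree keeps the address to hand back to free(3) would stop a later cleanup from folding the two pointers back together.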
@@ -519,7 +519,7 @@ load_library(void)
 		}
 		break;
 	}
-	free(totalpath);
+	free(tofree);
 	/* No library was found, but standard commands can still be used */
 	if (ret == -1)
 		return;
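Review bot: once `free(tofree)` has run, curpath is dangling, because the token strsep(3) returned points into the same strdup() buffer. The lines visible after the free only test ret, so this is fine as shown; please confirm that nothing further down load_library() reads curpath, or copy what is needed out of it before the free.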


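The pointer behaviour described in this PR, as an added example that is not part of the original report or the FreeBSD source: it walks the whole list with the strsep(3) manpage loop and records where the cursor ends up relative to the allocation. The names search_path and struct result, and the string comparison standing in for the dlopen() probe, are assumptions; the inputs are constructed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* glibc: expose strsep(3) and strdup(3) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct result {
	int found;		/* 1 if a directory matched */
	long cursor_off;	/* strsep cursor minus allocation start; -1 if NULL */
	char dir[64];		/* copy of the match, valid after the free */
};

/*
 * Walk a colon-separated list (constructed inputs, e.g. the PR's
 * "/lib/geom:/foo") and stop at the first field equal to want, which
 * stands in for the dlopen() probe in load_library().
 */
static struct result search_path(const char *list, const char *want)
{
	struct result r = { 0, -1, "" };
	char *base, *cursor, *cur;

	base = cursor = strdup(list);	/* base owns the allocation */
	if (base == NULL)
		return r;
	while ((cur = strsep(&cursor, ":")) != NULL) {
		if (*cur == '\0' || strcmp(cur, want) != 0)
			continue;	/* skip empty fields and misses */
		r.found = 1;
		/* cur points into base, so copy it out before the free */
		snprintf(r.dir, sizeof(r.dir), "%s", cur);
		break;
	}
	/* cursor is now NULL or an interior pointer; neither is base */
	if (cursor != NULL)
		r.cursor_off = (long)(cursor - base);
	free(base);	/* freeing cursor instead is the PR's bug */
	return r;
}

int main(void)
{
	struct result r = search_path("/lib/geom:/foo", "/lib/geom");

	printf("found=%d dir=%s cursor_off=%ld\n", r.found, r.dir, r.cursor_off);
	return 0;
}
```

A hit in the first directory leaves the cursor 10 bytes into the buffer, which is the address the unpatched code handed to free(3).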
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Jan 16 22:43:28 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130632 
Responsible-Changed-From-To: freebsd-geom->lulf 
Responsible-Changed-By: lulf 
Responsible-Changed-When: Mon Feb 2 19:08:39 UTC 2009 
Responsible-Changed-Why:  
I'll take this. 

State-Changed-From-To: open->patched 
State-Changed-By: lulf 
State-Changed-When: Mon Feb 2 19:23:03 UTC 2009 
State-Changed-Why:  
- Patch committed to HEAD, thanks. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/130632: commit references a PR
Date: Mon,  2 Feb 2009 19:23:10 +0000 (UTC)

 Author: lulf
 Date: Mon Feb  2 19:22:53 2009
 New Revision: 188017
 URL: http://svn.freebsd.org/changeset/base/188017
 
 Log:
   - Use a separate pointer to the allocated memory for freeing, as strsep may
     modify the pointer argument passed to it. This triggered an assert in malloc
     when a geom command was being run under the livefs environment.
   
   PR:		bin/130632
   Submitted by:	Dimitry Andric <dimitry -at- andric.com>
   Pointy hat to:	me
   MFC after:	2 days
 
 Modified:
   head/sbin/geom/core/geom.c
 
 Modified: head/sbin/geom/core/geom.c
 ==============================================================================
 --- head/sbin/geom/core/geom.c	Mon Feb  2 18:32:41 2009	(r188016)
 +++ head/sbin/geom/core/geom.c	Mon Feb  2 19:22:53 2009	(r188017)
 @@ -487,13 +487,13 @@ library_path(void)
  static void
  load_library(void)
  {
 -	char *curpath, path[MAXPATHLEN], *totalpath;
 +	char *curpath, path[MAXPATHLEN], *tofree, *totalpath;
  	uint32_t *lib_version;
  	void *dlh;
  	int ret;
  
  	ret = 0;
 -	totalpath = strdup(library_path());
 +	tofree = totalpath = strdup(library_path());
  	if (totalpath == NULL)
  		err(EXIT_FAILURE, "Not enough memory for library path");
  
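Review bot: the NULL check after the strdup() still tests totalpath, although tofree is now the pointer that owns the allocation. Both are equal at that point, so the behaviour is correct, but `if (tofree == NULL)` would tie the check to the owning pointer and leave totalpath purely as the strsep(3) cursor.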
 @@ -519,7 +519,7 @@ load_library(void)
  		}
  		break;
  	}
 -	free(totalpath);
 +	free(tofree);
  	/* No library was found, but standard commands can still be used */
  	if (ret == -1)
  		return;
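Review bot: the log gives no indication of how the `free(tofree)` line was tested, and with `MFC after: 2 days` it is worth exercising before the merge. Suggested runs: the PR's reproducer `GEOM_LIBRARY_PATH=/lib/geom:/foo /sbin/gpart`, a single-directory value, and a list where the library sits in a later directory, which are the cases the PR description distinguishes.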
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/130632: commit references a PR
Date: Wed,  4 Feb 2009 17:35:36 +0000 (UTC)

 Author: lulf
 Date: Wed Feb  4 17:35:21 2009
 New Revision: 188116
 URL: http://svn.freebsd.org/changeset/base/188116
 
 Log:
   MFC r188017:
   - Use a separate pointer to the allocated memory for freeing, as strsep may
     modify the pointer argument passed to it. This triggered an assert in malloc
     when a geom command was being run under the livefs environment.
   
   PR:		bin/130632
   Submitted by:	Dimitry Andric <dimitry -at- andric.com>
 
 Modified:
   stable/7/sbin/geom/   (props changed)
   stable/7/sbin/geom/class/part/   (props changed)
   stable/7/sbin/geom/core/geom.c
   stable/7/sbin/geom/misc/   (props changed)
 
 Modified: stable/7/sbin/geom/core/geom.c
 ==============================================================================
 --- stable/7/sbin/geom/core/geom.c	Wed Feb  4 17:10:01 2009	(r188115)
 +++ stable/7/sbin/geom/core/geom.c	Wed Feb  4 17:35:21 2009	(r188116)
 @@ -480,13 +480,13 @@ library_path(void)
  static void
  load_library(void)
  {
 -	char *curpath, path[MAXPATHLEN], *totalpath;
 +	char *curpath, path[MAXPATHLEN], *tofree, *totalpath;
  	uint32_t *lib_version;
  	void *dlh;
  	int ret;
  
  	ret = 0;
 -	totalpath = strdup(library_path());
 +	tofree = totalpath = strdup(library_path());
  	if (totalpath == NULL)
  		err(EXIT_FAILURE, "Not enough memory for library path");
  
 @@ -512,7 +512,7 @@ load_library(void)
  		}
  		break;
  	}
 -	free(totalpath);
 +	free(tofree);
  	/* No library was found, but standard commands can still be used */
  	if (ret == -1)
  		return;
 
State-Changed-From-To: patched->closed 
State-Changed-By: lulf 
State-Changed-When: Thu Feb 5 11:21:01 UTC 2009 
State-Changed-Why:  
The change has been MFCed to RELENG_7 

>Unformatted:
