From nobody@FreeBSD.org  Sun May 23 08:27:26 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 839EC1065759
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 May 2010 08:27:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 597558FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 May 2010 08:27:26 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o4N8RQp8034641
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 23 May 2010 08:27:26 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o4N8RQfV034640;
	Sun, 23 May 2010 08:27:26 GMT
	(envelope-from nobody)
Message-Id: <201005230827.o4N8RQfV034640@www.freebsd.org>
Date: Sun, 23 May 2010 08:27:26 GMT
From: Garrett Cooper <yaneurabeya@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] [sysinstall] address possible QA issues with dispatch.c
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         146855
>Category:       bin
>Synopsis:       [patch] sysinstall(8): address possible QA issues with dispatch.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brucec
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 23 08:30:01 UTC 2010
>Closed-Date:    Wed Nov 24 21:59:42 UTC 2010
>Last-Modified:  Sun Feb 03 22:28:46 UTC 2013
>Originator:     Garrett Cooper
>Release:        9-CURRENT
>Organization:
Cisco Systems, Inc.
>Environment:
FreeBSD bayonetta.local 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r206173M: Mon Apr 26 22:45:06 PDT 2010     root@bayonetta.local:/usr/obj/usr/src/sys/BAYONETTA.ata  amd64
>Description:
1. dispatch_add_command:
   a. Modify the logic so there's only one exit point instead of two.
   b. Only insert valid (non-NULL) values into the queue.

2. dispatch_free_command:
   a. Doesn't ensure that item is non-NULL before it attempts to remove the item from the queue and dereference the pointer to item.
   b. Previously allocated memory isn't NULLed out, so if one of the calls misuses the memory it will result in a memory access violation.
>How-To-Repeat:
All of these conditions will occur under low memory situations, and thus shouldn't happen 99.9% of the time, but will occur given proper circumstances.
>Fix:
See attached patch.

Patch attached with submission follows:

Index: dispatch.c
===================================================================
--- dispatch.c	(revision 206173)
+++ dispatch.c	(working copy)
@@ -136,9 +136,13 @@
 static void
 dispatch_free_command(command_buffer *item)
 {
-    REMQUE(item);
-    free(item->string);
-    free(item);
+	if (item != NULL) {
+		REMQUE(item);
+		free(item->string);
+		item->string = NULL;
+	}
+	free(item);
+	item = NULL;
 }
 
 static void
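Review bot: `item = NULL;` on the last line of dispatch_free_command assigns only the callee's local copy of the parameter, so the caller's pointer is untouched and the use-after-free protection promised in the description is not delivered; the line is a dead store and can be dropped (the version committed as r215637 further down this page omits it). Leaving the caller with a cleared pointer would require a `command_buffer **` parameter and `*itemp = NULL;`, which changes the signature for every caller. The hunk also re-indents the body with tabs while the surrounding context lines use four spaces, so most of the diff is whitespace rather than the new NULL check.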
@@ -155,17 +159,28 @@
 static command_buffer *
 dispatch_add_command(qelement *head, char *string)
 {
-    command_buffer *new;
+	command_buffer *new = NULL;
 
-    new = malloc(sizeof(command_buffer));
+	new = malloc(sizeof(command_buffer));
 
-    if (!new)
-	return NULL;
+	if (new != NULL) {
 
-    new->string = strdup(string);
-    INSQUEUE(new, head->q_back);
+		new->string = strdup(string);
 
-    return new;
+		/*
+		 * We failed to copy `string'; clean up the allocated
+		 * resources.
+		 */
+		if (new->string == NULL) {
+			free(new);
+			new = NULL;
+		} else {
+			INSQUEUE(new, head->q_back);
+		}
+
+	}
+
+	return new;
 }
 
 /*
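Review bot: `command_buffer *new = NULL;` followed two lines later by `new = malloc(sizeof(command_buffer));` is a redundant initializer that is immediately overwritten; the idiomatic single declaration is `command_buffer *new = malloc(sizeof *new);`, which also ties the allocation size to the variable rather than the type. As in the first hunk, the body is re-indented with tabs against four-space context, which hides the actual control-flow change (single exit, only enqueue on successful strdup) in whitespace noise. The same initializer-then-assign pattern survives in the committed hunks at r215637, r215805 and r215807 below.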


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->brucec  
Responsible-Changed-By: brucec 
Responsible-Changed-When: Wed Jun 23 15:25:05 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146855 
State-Changed-From-To: open->patched 
State-Changed-By: brucec 
State-Changed-When: Sun Nov 21 14:34:42 UTC 2010 
State-Changed-Why:  
Fixed in r215637. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146855 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146855: commit references a PR
Date: Sun, 21 Nov 2010 14:34:30 +0000 (UTC)

 Author: brucec
 Date: Sun Nov 21 14:34:25 2010
 New Revision: 215637
 URL: http://svn.freebsd.org/changeset/base/215637
 
 Log:
   dispatch_add_command:
   Modify the logic so there's only one exit point instead of two.
   Only insert valid (non-NULL) values into the queue.
   
   dispatch_free_command:
   Ensure that item is not NULL before removing it from the queue and
   dereferencing the pointer.
   NULL out free'd pointers to catch any use-after-free bugs.
   
   PR:	bin/146855
   Submitted by:	gcooper
   MFC after: 3 days
 
 Modified:
   head/usr.sbin/sysinstall/dispatch.c
 
 Modified: head/usr.sbin/sysinstall/dispatch.c
 ==============================================================================
 --- head/usr.sbin/sysinstall/dispatch.c	Sun Nov 21 13:41:04 2010	(r215636)
 +++ head/usr.sbin/sysinstall/dispatch.c	Sun Nov 21 14:34:25 2010	(r215637)
 @@ -136,8 +136,12 @@ typedef struct command_buffer_ {
  static void
  dispatch_free_command(command_buffer *item)
  {
 -    REMQUE(item);
 -    free(item->string);
 +    if (item != NULL) {
 +	REMQUE(item);
 +	free(item->string);
 +	item->string = NULL;
 +    }
 +
      free(item);
  }
  
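Review bot: `item->string = NULL;` is stored into memory that `free(item)` releases two lines later, so it cannot catch a use-after-free of `item`, and the log line "NULL out free'd pointers to catch any use-after-free bugs" overstates what the hunk does; the caller's pointer to `item` is still dangling after the call. The NULL guard around `REMQUE(item)` and `free(item->string)` is the real fix and stands on its own without the store. The identical store appears in the MFC hunks for r215805 and r215807 further down.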
 @@ -155,19 +159,29 @@ dispatch_free_all(qelement *head)
  static command_buffer *
  dispatch_add_command(qelement *head, char *string)
  {
 -    command_buffer *new;
 +    command_buffer *new = NULL;
  
      new = malloc(sizeof(command_buffer));
  
 -    if (!new)
 -	return NULL;
 +    if (new != NULL) {
  
 -    new->string = strdup(string);
 -    INSQUEUE(new, head->q_back);
 +	new->string = strdup(string);
 +
 +	/*
 +	 * We failed to copy `string'; clean up the allocated
 +	 * resources.
 +	 */
 +	if (new->string == NULL) {
 +	    free(new);
 +	    new = NULL;
 +	} else {
 +	    INSQUEUE(new, head->q_back);
 +	}
 +    }
  
      return new;
  }
 -
 +
  /*
   * Command processing
   */
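Review bot: `new->string = strdup(string);` inside the `new != NULL` branch is undefined behavior if a caller passes a NULL `string`, and the hunk validates only the allocation side; whether any caller can pass NULL is not visible from the page. If the contract is that callers always supply a valid string, a one-line comment above the function, `/* string must be non-NULL; it is copied with strdup(). */`, would document the precondition the new code relies on. The blank line directly after `if (new != NULL) {` is stray. The same applies to the MFC hunks for r215805 and r215807 below.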
 @@ -280,7 +294,7 @@ dispatchCommand(char *str)
      return i;
  }
  
 -
 +
  /*
   * File processing
   */
 
State-Changed-From-To: patched->closed 
State-Changed-By: brucec 
State-Changed-When: Wed Nov 24 21:59:09 UTC 2010 
State-Changed-Why:  
Merged to stable/7 and stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146855 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146855: commit references a PR
Date: Wed, 24 Nov 2010 21:55:01 +0000 (UTC)

 Author: brucec
 Date: Wed Nov 24 21:54:45 2010
 New Revision: 215805
 URL: http://svn.freebsd.org/changeset/base/215805
 
 Log:
   MFC r215637:
   
   dispatch_add_command:
   Modify the logic so there's only one exit point instead of two.
   Only insert valid (non-NULL) values into the queue.
   
   dispatch_free_command:
   Ensure that item is not NULL before removing it from the queue and
   dereferencing the pointer.
   NULL out free'd pointers to catch any use-after-free bugs.
   
   PR:	bin/146855
   Submitted by:	gcooper
 
 Modified:
   stable/8/usr.sbin/sysinstall/dispatch.c
 Directory Properties:
   stable/8/usr.sbin/sysinstall/   (props changed)
 
 Modified: stable/8/usr.sbin/sysinstall/dispatch.c
 ==============================================================================
 --- stable/8/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:43:36 2010	(r215804)
 +++ stable/8/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:54:45 2010	(r215805)
 @@ -136,8 +136,12 @@ typedef struct command_buffer_ {
  static void
  dispatch_free_command(command_buffer *item)
  {
 -    REMQUE(item);
 -    free(item->string);
 +    if (item != NULL) {
 +	REMQUE(item);
 +	free(item->string);
 +	item->string = NULL;
 +    }
 +
      free(item);
  }
  
 @@ -155,19 +159,29 @@ dispatch_free_all(qelement *head)
  static command_buffer *
  dispatch_add_command(qelement *head, char *string)
  {
 -    command_buffer *new;
 +    command_buffer *new = NULL;
  
      new = malloc(sizeof(command_buffer));
  
 -    if (!new)
 -	return NULL;
 +    if (new != NULL) {
  
 -    new->string = strdup(string);
 -    INSQUEUE(new, head->q_back);
 +	new->string = strdup(string);
 +
 +	/*
 +	 * We failed to copy `string'; clean up the allocated
 +	 * resources.
 +	 */
 +	if (new->string == NULL) {
 +	    free(new);
 +	    new = NULL;
 +	} else {
 +	    INSQUEUE(new, head->q_back);
 +	}
 +    }
  
      return new;
  }
 -
 +
  /*
   * Command processing
   */
 @@ -280,7 +294,7 @@ dispatchCommand(char *str)
      return i;
  }
  
 -
 +
  /*
   * File processing
   */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146855: commit references a PR
Date: Wed, 24 Nov 2010 21:58:19 +0000 (UTC)

 Author: brucec
 Date: Wed Nov 24 21:58:15 2010
 New Revision: 215807
 URL: http://svn.freebsd.org/changeset/base/215807
 
 Log:
   MFC r215637:
   
   dispatch_add_command:
   Modify the logic so there's only one exit point instead of two.
   Only insert valid (non-NULL) values into the queue.
   
   dispatch_free_command:
   Ensure that item is not NULL before removing it from the queue and
   dereferencing the pointer.
   NULL out free'd pointers to catch any use-after-free bugs.
   
   PR:	bin/146855
   Submitted by:	gcooper
 
 Modified:
   stable/7/usr.sbin/sysinstall/dispatch.c
 Directory Properties:
   stable/7/usr.sbin/sysinstall/   (props changed)
 
 Modified: stable/7/usr.sbin/sysinstall/dispatch.c
 ==============================================================================
 --- stable/7/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:57:45 2010	(r215806)
 +++ stable/7/usr.sbin/sysinstall/dispatch.c	Wed Nov 24 21:58:15 2010	(r215807)
 @@ -135,8 +135,12 @@ typedef struct command_buffer_ {
  static void
  dispatch_free_command(command_buffer *item)
  {
 -    REMQUE(item);
 -    free(item->string);
 +    if (item != NULL) {
 +	REMQUE(item);
 +	free(item->string);
 +	item->string = NULL;
 +    }
 +
      free(item);
  }
  
 @@ -154,19 +158,29 @@ dispatch_free_all(qelement *head)
  static command_buffer *
  dispatch_add_command(qelement *head, char *string)
  {
 -    command_buffer *new;
 +    command_buffer *new = NULL;
  
      new = malloc(sizeof(command_buffer));
  
 -    if (!new)
 -	return NULL;
 +    if (new != NULL) {
  
 -    new->string = strdup(string);
 -    INSQUEUE(new, head->q_back);
 +	new->string = strdup(string);
 +
 +	/*
 +	 * We failed to copy `string'; clean up the allocated
 +	 * resources.
 +	 */
 +	if (new->string == NULL) {
 +	    free(new);
 +	    new = NULL;
 +	} else {
 +	    INSQUEUE(new, head->q_back);
 +	}
 +    }
  
      return new;
  }
 -
 +
  /*
   * Command processing
   */
 @@ -278,7 +292,7 @@ dispatchCommand(char *str)
      return i;
  }
  
 -
 +
  /*
   * File processing
   */
 
>Unformatted:
