From phk@critter.freebsd.dk  Thu Dec 13 10:42:46 2012
Return-Path: <phk@critter.freebsd.dk>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 962EF2B5
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:46 +0000 (UTC)
	(envelope-from phk@critter.freebsd.dk)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222])
	by mx1.freebsd.org (Postfix) with ESMTP id 4B6D58FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:46 +0000 (UTC)
Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3])
	by phk.freebsd.dk (Postfix) with ESMTP id 4FA5F8A3FC
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:39 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.14.5/8.14.5) with ESMTP id qBDAgdaV008195
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:39 GMT
	(envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost)
	by critter.freebsd.dk (8.14.5/8.14.5/Submit) id qBDAgdjG008194;
	Thu, 13 Dec 2012 10:42:39 GMT
	(envelope-from phk)
Message-Id: <201212131042.qBDAgdjG008194@critter.freebsd.dk>
Date: Thu, 13 Dec 2012 10:42:39 GMT
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Reply-To: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pw(8) core dump
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         174411
>Category:       bin
>Synopsis:       pw(8) core dump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bapt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 13 10:50:00 UTC 2012
>Closed-Date:    Thu Dec 27 16:43:05 UTC 2012
>Last-Modified:  Thu Dec 27 16:43:05 UTC 2012
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:

FreeBSD c9.freebsd.dk 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r244088: Mon Dec 10 16:36:05 UTC 2012     root@c9.freebsd.dk:/usr/obj/freebsd/svn_src/head/sys/GENERIC  amd64


>Description:

	The pw(8) program coredumps on bad memory management

>How-To-Repeat:

	On a freshly installed -current, executing:

	/usr/sbin/pw useradd phk -u 488 -d /home/phk \
		-c "Poul-Henning Kamp" -G "wheel,operator,dialer" \
		-s /bin/csh -w none

	This coredumps in jemalloc, from the call in line 761 in
	src/usr.sbin/pw/pw_user.c:

		if (j == 0)
			grp->gr_mem = NULL;
	>>>>>	grp->gr_mem = reallocf(grp->gr_mem, sizeof(*grp->gr_mem) *
						    (j + 2));
		grp->gr_mem[j] = pwd->pw_name;

	Reading the getgrent(3) manual page, it is far from clear to me
	that there is any reason to assume that grp->gr_mem is a malloced
	pointer.

	On the other hand, it is not clear to me that getgrent() is what
	is being called in the first place.

	Notice also the missing error handling on reallocf() failure;
	something more helpful than a somewhat-NULL pointer deref
	coredump could be called for.

>Fix:

	Rather than reallocf(), a dedicated malloc() + memcpy() seems
	called for.
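	One way to do what the Fix section suggests, as an added example and
	not the change that was committed to FreeBSD: copy the existing member
	list into a freshly malloc'ed array instead of handing storage that may
	belong to libc to reallocf(), and fail cleanly when the allocation
	fails. The group, its members and the helper names gr_mem_count,
	gr_mem_append and demo_append are constructed for this illustration.

```c
#include <grp.h>
#include <stdlib.h>
#include <string.h>

/* Count the entries of a NULL-terminated member list; a NULL list is empty. */
static size_t
gr_mem_count(char **mem)
{
	size_t n = 0;
	if (mem != NULL)
		while (mem[n] != NULL)
			n++;
	return (n);
}

/*
 * Append name to grp->gr_mem without passing the existing array to
 * realloc()/reallocf(): it may be static storage owned by the getgrent(3)
 * family rather than a heap pointer.  A fresh array of (n + 2) pointers is
 * malloc'ed, the old entries are copied over and the list re-terminated.
 * The caller owns the new array.  On allocation failure -1 is returned
 * (errno is ENOMEM) and grp is left unchanged instead of dereferencing NULL.
 */
static int
gr_mem_append(struct group *grp, char *name)
{
	size_t n = gr_mem_count(grp->gr_mem);
	char **newmem = malloc(sizeof(*newmem) * (n + 2));
	if (newmem == NULL)
		return (-1);
	if (n > 0)
		memcpy(newmem, grp->gr_mem, sizeof(*newmem) * n);
	newmem[n] = name;
	newmem[n + 1] = NULL;
	grp->gr_mem = newmem;
	return (0);
}

/* Constructed sample: a wheel group whose member list lives in static
 * storage, as a struct group handed out by libc would. */
static char *wheel_members[] = { "root", NULL };
static struct group wheel = { .gr_name = "wheel", .gr_passwd = "*",
	.gr_gid = 0, .gr_mem = wheel_members };

/* Append "phk" to the sample group; returns the new member count, 0 on failure. */
static size_t
demo_append(void)
{
	return (gr_mem_append(&wheel, "phk") == 0 ? gr_mem_count(wheel.gr_mem) : 0);
}
```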
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Thu Dec 13 15:47:45 UTC 2012 
Responsible-Changed-Why:  
db and I are working on pw 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174411 
Responsible-Changed-From-To: eadler->bapt 
Responsible-Changed-By: bapt 
Responsible-Changed-When: Thu Dec 27 16:42:06 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174411 
State-Changed-From-To: open->closed 
State-Changed-By: bapt 
State-Changed-When: Thu Dec 27 16:43:04 UTC 2012 
State-Changed-Why:  
Fixed in head, no MFC planned as this was a head only bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174411 
>Unformatted:
