From nobody@FreeBSD.org  Mon Dec 10 20:19:01 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id CE10637B41B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Dec 2001 20:19:00 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id fBB4J0M07643;
	Mon, 10 Dec 2001 20:19:00 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200112110419.fBB4J0M07643@freefall.freebsd.org>
Date: Mon, 10 Dec 2001 20:19:00 -0800 (PST)
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: locate command dumps a core file with broken database
X-Send-Pr-Version: www-1.0

>Number:         32686
>Category:       bin
>Synopsis:       [patch] locate(1) dumps a core file with broken database
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 10 20:20:01 PST 2001
>Closed-Date:    Sat Apr 11 14:14:23 UTC 2009
>Last-Modified:  Sat Apr 11 14:20:03 UTC 2009
>Originator:     Koga Youichirou
>Release:        FreeBSD 4.4-STABLE
>Organization:
The FreeBSD Project (Japan)
>Environment:
FreeBSD xxx 4.4-STABLE FreeBSD 4.4-STABLE #2: Tue Dec  4 13:42:07 JST 2001     root@xxx:/path/to/src/sys/ XXX  i386
>Description:
The locate command assumes that a database file is perfect,
but it dumps a core file with a broken database.

I don't think it should dump a core file
even if it uses a broken database.

>How-To-Repeat:
% cat /var/db/locate.db ~/somefile >locate.db
% locate -d ./locate.db word
(some search results)
Segmentation fault (core dumped)

>Fix:
I think a check routine is needed in locate/fastfind.c near...:
290                             if (*s == cc
291     #ifdef FF_ICASE
292                                 || TOLOWER(*s) == cc
293     #endif /* FF_ICASE */
294                                 ) { /* fast first char check */
295                                     for (p = patend - 1, q = s - 1; *p != '\0';
296                                          p--, q--)
297                                             if (*q != *p
298     #ifdef FF_ICASE
299                                                 && TOLOWER(*q) != *p

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Sun Dec 30 04:28:06 PST 2001 
State-Changed-Why:  
Looks like nobody's stepped forward to claim this one.  Since this 
doesn't seem to be something a lot of people complain about, you 
may want to try to come up with a patch yourself. 

Please post followup to freebsd-gnats-submit@FreeBSD.org if you come 
up with something. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32686 
Responsible-Changed-From-To: freebsd-bugs->wosch 
Responsible-Changed-By: wosch 
Responsible-Changed-When: Tue Jan 1 09:57:01 PST 2002 
Responsible-Changed-Why:  
I'm the maintainer of locate 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32686 
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Sun Dec 5 06:26:51 GMT 2004 
State-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Sun Dec 5 06:27:37 GMT 2004 
State-Changed-Why:  
To submitter: is this still a problem with modern versions of FreeBSD? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 

Adding to audit trail from personal email:

Yes, it is still a problem with 4.10-STABLE.

Try the following, please.

% cat /var/db/locate.db ~/somefile >locate.db
% locate -d ./locate.db word
(some search results)
Segmentation fault (core dumped)

-- Koga, Youichirou
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Mon Mar 21 06:45:50 GMT 2005 
State-Changed-Why:  
Feedback received some time ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, y-koga@jp.FreeBSD.org, wosch@FreeBSD.org
Cc:  
Subject: Re: bin/32686: locate(1) dumps a core file with broken database
Date: Sat, 9 Feb 2008 14:03:36 +0200

 
 The following patch adds a basic check which fixes the test case for me.
 There are probably still ways to make locate crash with corrupted
 databases.
 
 -- 
 Jaakko
 
 Content-Disposition: attachment; filename="locate-coredump.diff"
 
 Index: locate/fastfind.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/locate/locate/fastfind.c,v
 retrieving revision 1.14
 diff -u -r1.14 fastfind.c
 --- locate/fastfind.c	7 Dec 2005 12:22:46 -0000	1.14
 +++ locate/fastfind.c	9 Feb 2008 11:57:02 -0000
 @@ -216,6 +216,8 @@
  			count += c - OFFSET;
  		}
  
 +		if (count < 0 || count >= MAXPATHLEN)
 +			errx(1, "corrupted database: %s", database);
  		/* overlay old path */
  		p = path + count;
  		foundchar = p - 1;
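Review bot: the bound `count >= MAXPATHLEN` is the right one if `path` is a MAXPATHLEN-byte array (its declaration is not in this hunk): with `count == MAXPATHLEN`, `p = path + count` points one past the array, so the first store through `p` in the copy that follows is out of bounds; keep `>=` rather than relaxing it. The check only validates where the overlay starts, not how many bytes the entry then appends from `p` onward, so the loop after `foundchar = p - 1;` still needs its own bound against `path + MAXPATHLEN`, which matches the cover note that other corrupted inputs can still crash locate.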
 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/32686: locate(1) dumps a core file with broken database
Date: Tue, 7 Oct 2008 18:37:17 +0300

 
 On 2008-03-18, Jaakko Heinonen wrote:
 > > >  +              if (count < 0 || count >= MAXPATHLEN)
 > > >  +                      errx(1, "corrupted database: %s", database);
 > 
 > I think that the latter test should be count > MAXPATHLEN. Updated patch
 > is attached.
 
 Submitting the updated patch to the PR as well so it doesn't get lost.
 
 -- 
 Jaakko
 
 Content-Disposition: attachment; filename="locate-coredump.diff"
 
 Category: locate(1)
 PR: bin/32686
 
 Index: fastfind.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/locate/locate/fastfind.c,v
 retrieving revision 1.14
 diff -p -u -r1.14 fastfind.c
 --- fastfind.c	7 Dec 2005 12:22:46 -0000	1.14
 +++ fastfind.c	18 Mar 2008 12:40:04 -0000
 @@ -216,6 +216,8 @@ fastfind
  			count += c - OFFSET;
  		}
  
 +		if (count < 0 || count > MAXPATHLEN)
 +			errx(1, "corrupted database: %s", database);
  		/* overlay old path */
  		p = path + count;
  		foundchar = p - 1;
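Review bot: the only change from the previous patch is `>=` to `>`, and that admits `count == MAXPATHLEN`, for which `p = path + count` is a one-past-the-end pointer; unless `path` carries an extra byte of slack (its declaration is not visible here), writing the terminating NUL through `p` then lands outside the buffer, so either keep the stricter `>=` or state in the patch why `MAXPATHLEN` itself is a legal offset. The `@@ -216,6 +216,8 @@ fastfind` header confirms the check sits right after `count += c - OFFSET;`, i.e. after the running sum is updated, which is the correct place: a check before the addition would miss deltas that push an in-range count out of range.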
 
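The reproduction in the PR (append arbitrary bytes to locate.db, search, segfault) and the check the two patches converge on can be walked through on a small scale with the decoder below. This is an added example, not code from the PR, from fastfind.c or from FreeBSD: it re-implements the front-compressed entry walk that fastfind() performs (count byte or SWITCH delta, then suffix bytes and bigram codes) with MAXPATHLEN shrunk to 32, a constructed three-path stream, a constructed three-pair bigram table, a big-endian two-byte SWITCH delta in place of getwm(), and no UMLAUT (8-bit) escape; decode_db, demo_valid, demo_appended_junk and demo_overlong_suffix are its own names. Because its path[] carries one extra byte for the NUL, the committed `count > MAXPATHLEN` bound is exact here; the decoder additionally bounds the suffix copy, which is the remaining crash path the cover note acknowledges.

```c
#include <stdint.h>
#include <string.h>

/* Codes as in locate.h; MAXPATHLEN is shrunk so a short stream can overflow it. */
#define MAXPATHLEN 32
#define OFFSET     14    /* a count byte encodes delta + OFFSET */
#define SWITCH     30    /* delta too large for a byte: 2-byte value follows */
#define UMLAUT     31    /* 8-bit escape in the real format; unsupported here */
#define PARITY     0200  /* bytes with the high bit set are bigram codes */

enum { DB_CORRUPT = -1, DB_TOO_LONG = -2 };
/* Constructed bigram table (three pairs); an undefined pair is corruption. */
static const char bigram1[128] = { '/', 's', '/' };
static const char bigram2[128] = { 'u', 'r', 'b' };

/* Walk a front-compressed stream into out[] (MAXPATHLEN+1 bytes per slot): each
 * entry is a control byte with the change in the number of bytes shared with the
 * previous path, then the new suffix.  Returns the path count, DB_CORRUPT (running
 * count outside [0, MAXPATHLEN], the r190656 check, value in *bad_count; or a
 * malformed stream) or DB_TOO_LONG (suffix would overrun path[]). */
int decode_db(const unsigned char *db, size_t len,
              char out[][MAXPATHLEN + 1], int maxout, int *bad_count)
{
    char path[MAXPATHLEN + 1];   /* +1: the NUL may sit at offset MAXPATHLEN */
    size_t i = 0;
    int count = 0, n = 0, c;
    while (i < len) {
        c = db[i++];
        /* go forward or backward: count is a running sum of deltas */
        if (c == SWITCH) {
            if (i + 2 > len) return DB_CORRUPT;             /* truncated delta */
            count += (int16_t)((db[i] << 8) | db[i + 1]) - OFFSET;
            i += 2;
        } else if (c < SWITCH) {
            count += c - OFFSET;
        } else {
            return DB_CORRUPT;     /* UMLAUT, or data where a control byte belongs */
        }
        /* the check r190656 adds: the overlay offset must stay inside path[] */
        if (count < 0 || count > MAXPATHLEN) {
            if (bad_count != NULL) *bad_count = count;
            return DB_CORRUPT;
        }
        char *p = path + count;                             /* overlay old path */
        /* append the suffix up to the next control byte or end of data */
        while (i < len && db[i] > UMLAUT) {
            unsigned ch = db[i++];
            /* bounded copy (not in the original): room for 1 byte or a bigram pair */
            if (p + (ch >= PARITY ? 2 : 1) > path + MAXPATHLEN) return DB_TOO_LONG;
            if (ch < PARITY) {
                *p++ = (char)ch;
            } else {
                if (bigram1[ch & 0177] == '\0') return DB_CORRUPT;
                *p++ = bigram1[ch & 0177]; *p++ = bigram2[ch & 0177];
            }
        }
        *p = '\0';
        if (n < maxout) memcpy(out[n], path, (size_t)(p - path) + 1);
        n++;
    }
    return n;
}

/* Constructed stream: "/usr/bin/locate", "/usr/bin/ls", "/usr/lib/libc.so". */
static const unsigned char good_db[] = {
    OFFSET + 0,  0200, 0201, 0202, 'i', 'n', '/', 'l', 'o', 'c', 'a', 't', 'e',
    OFFSET + 10, 's',                                                /* keeps "/usr/bin/l" */
    OFFSET - 5,  'l', 'i', 'b', '/', 'l', 'i', 'b', 'c', '.', 's', 'o'   /* keeps "/usr/" */
};

/* Intact database: returns 3 when every path comes back as expected. */
int demo_valid(void)
{
    char out[4][MAXPATHLEN + 1];
    int n = decode_db(good_db, sizeof good_db, out, 4, NULL);
    return (n == 3 && strcmp(out[0], "/usr/bin/locate") == 0 && strcmp(out[1], "/usr/bin/ls") == 0
            && strcmp(out[2], "/usr/lib/libc.so") == 0) ? n : -100;
}

/* The PR's reproduction: stray bytes after the last entry.  Returns the rejected count. */
int demo_appended_junk(void)
{
    static const unsigned char tail[] = { SWITCH, 0x01, 0x00, 'x' };  /* delta 256-14 */
    unsigned char db[sizeof good_db + sizeof tail];
    char out[4][MAXPATHLEN + 1];
    int bad = 0;
    memcpy(db, good_db, sizeof good_db); memcpy(db + sizeof good_db, tail, sizeof tail);
    return decode_db(db, sizeof db, out, 4, &bad) == DB_CORRUPT ? bad : 0;   /* 5 + 242 */
}

/* Count passes the range check but the suffix outgrows path[]: only the bounded copy sees it. */
int demo_overlong_suffix(void)
{
    unsigned char db[sizeof good_db + 1 + MAXPATHLEN];
    char out[4][MAXPATHLEN + 1];
    memcpy(db, good_db, sizeof good_db);
    db[sizeof good_db] = OFFSET;                        /* delta 0: keep 5 bytes */
    memset(db + sizeof good_db + 1, 'a', MAXPATHLEN);   /* 5 + 32 > MAXPATHLEN */
    return decode_db(db, sizeof db, out, 4, NULL);
}
```

demo_valid() returns 3 with all three paths reconstructed; demo_appended_junk() returns 247, the running count the range check rejected once the appended SWITCH record was read; demo_overlong_suffix() returns DB_TOO_LONG. The decoder fails closed instead of skipping the bad entry because every count is a delta from the previous one: after a corrupt record no later offset can be trusted, which is the same reasoning behind the errx() in the patch.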
Responsible-Changed-From-To: wosch->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Nov 12 15:09:31 UTC 2008 
Responsible-Changed-Why:  
wosch has had his src bit taken in for safekeeping. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 
State-Changed-From-To: open->analyzed 
State-Changed-By: murray 
State-Changed-When: Tue Dec 16 05:57:09 UTC 2008 
State-Changed-Why:  
Patch looks reasonable to me.  I will take this. 



Responsible-Changed-From-To: freebsd-bugs->murray 
Responsible-Changed-By: murray 
Responsible-Changed-When: Tue Dec 16 05:57:09 UTC 2008 
Responsible-Changed-Why:  
Patch looks reasonable to me.  I will take this. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 
Responsible-Changed-From-To: murray->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Thu Apr 2 21:17:15 UTC 2009 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 
State-Changed-From-To: analyzed->patched 
State-Changed-By: delphij 
State-Changed-When: Thu Apr 2 21:23:12 UTC 2009 
State-Changed-Why:  
Patch applied against -HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/32686: commit references a PR
Date: Thu,  2 Apr 2009 21:23:29 +0000 (UTC)

 Author: delphij
 Date: Thu Apr  2 21:23:04 2009
 New Revision: 190656
 URL: http://svn.freebsd.org/changeset/base/190656
 
 Log:
   Don't crash when we have an invalid count number.
   
   PR:		bin/32686
   Submitted by:	Jaakko Heinonen <jh saunalahti.fi>
   MFC after:	1 week
 
 Modified:
   head/usr.bin/locate/locate/fastfind.c
 
 Modified: head/usr.bin/locate/locate/fastfind.c
 ==============================================================================
 --- head/usr.bin/locate/locate/fastfind.c	Thu Apr  2 21:16:20 2009	(r190655)
 +++ head/usr.bin/locate/locate/fastfind.c	Thu Apr  2 21:23:04 2009	(r190656)
 @@ -216,6 +216,8 @@ fastfind
  			count += c - OFFSET;
  		}
  
 +		if (count < 0 || count > MAXPATHLEN)
 +			errx(1, "corrupted database: %s", database);
  		/* overlay old path */
  		p = path + count;
  		foundchar = p - 1;
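Review bot: the committed check is a range test on a running sum, not on a single record: `count += c - OFFSET` carries the previous entry's value forward, so a corrupt delta is only caught once the accumulated value leaves [0, MAXPATHLEN], and one that keeps it in range silently yields a wrong prefix instead of an error. That is fine for the crash the PR reports, but the log line "invalid count number" overstates what is detected; a one-line comment above the `if` saying that only the overlay offset is validated would make the limit clear to the next reader.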
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Sat Apr 11 14:13:50 UTC 2009 
State-Changed-Why:  
Fix has been committed on all supported -STABLE branches 
(stable/7 and stable/6). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/32686: commit references a PR
Date: Sat, 11 Apr 2009 14:10:58 +0000 (UTC)

 Author: delphij
 Date: Sat Apr 11 14:10:42 2009
 New Revision: 190920
 URL: http://svn.freebsd.org/changeset/base/190920
 
 Log:
   MFC r190656:
   
   Fix a crash when a corrupted data file is found.
   
   PR:		bin/32686
   Approved by:	re (kib)
 
 Modified:
   stable/7/usr.bin/locate/   (props changed)
   stable/7/usr.bin/locate/locate/fastfind.c
 
 Modified: stable/7/usr.bin/locate/locate/fastfind.c
 ==============================================================================
 --- stable/7/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:01:01 2009	(r190919)
 +++ stable/7/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:10:42 2009	(r190920)
 @@ -216,6 +216,8 @@ fastfind
  			count += c - OFFSET;
  		}
  
 +		if (count < 0 || count > MAXPATHLEN)
 +			errx(1, "corrupted database: %s", database);
  		/* overlay old path */
  		p = path + count;
  		foundchar = p - 1;
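Review bot: identical to the r190656 hunk, same `@@ -216,6 +216,8 @@ fastfind` location and same `count > MAXPATHLEN` bound, so the `count == MAXPATHLEN` boundary question raised on HEAD applies unchanged to stable/7; nothing branch-specific to flag.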
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/32686: commit references a PR
Date: Sat, 11 Apr 2009 14:13:49 +0000 (UTC)

 Author: delphij
 Date: Sat Apr 11 14:13:39 2009
 New Revision: 190922
 URL: http://svn.freebsd.org/changeset/base/190922
 
 Log:
   MFC r190656:
   
   Fix a crash when a corrupted data file is found.
   
   PR:             bin/32686
 
 Modified:
   stable/6/usr.bin/locate/   (props changed)
   stable/6/usr.bin/locate/locate/fastfind.c
 
 Modified: stable/6/usr.bin/locate/locate/fastfind.c
 ==============================================================================
 --- stable/6/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:12:44 2009	(r190921)
 +++ stable/6/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:13:39 2009	(r190922)
 @@ -216,6 +216,8 @@ fastfind
  			count += c - OFFSET;
  		}
  
 +		if (count < 0 || count > MAXPATHLEN)
 +			errx(1, "corrupted database: %s", database);
  		/* overlay old path */
  		p = path + count;
  		foundchar = p - 1;
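Review bot: the same two lines again at the same offset for stable/6; the hunk merges verbatim, so the review comments on r190656 carry over and there is no divergence from HEAD or stable/7 to note.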
 
>Unformatted:
