From apb@cequrux.com  Fri Oct 11 07:37:37 2002
Return-Path: <apb@cequrux.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 58E1037B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 11 Oct 2002 07:37:37 -0700 (PDT)
Received: from citadel.cequrux.com (citadel.cequrux.com [192.96.22.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 864A543E6E
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 11 Oct 2002 07:37:30 -0700 (PDT)
	(envelope-from apb@cequrux.com)
Received: (from nobody@localhost) by citadel.cequrux.com (8.8.8/8.6.9) id QAA08813 for <FreeBSD-gnats-submit@freebsd.org>; Fri, 11 Oct 2002 16:37:23 +0200 (SAST)
Received: by citadel.cequrux.com via recvmail id 8747; Fri, 11 Oct 2002 16:36:34 +0200 (SAST)
Message-Id: <200210111443.QAA20762@build.cequrux.com>
Date: Fri, 11 Oct 2002 16:43:35 +0200 (SAST)
From: apb@cequrux.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ldconfig calls bcopy with wrong size
X-Send-Pr-Version: 3.2

>Number:         43930
>Category:       bin
>Synopsis:       ldconfig calls bcopy with wrong size
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    cperciva
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 11 07:40:01 PDT 2002
>Closed-Date:    Mon Mar 15 23:14:53 PST 2004
>Last-Modified:  Mon Mar 15 23:14:53 PST 2004
>Originator:     Alan Barrett
>Release:        FreeBSD 4.6
>Organization:
Not much
>Environment:
>Description:
	In the enter() function in ldconfig, bcopy is sometimes called
	with the wrong size: MAXDEWEY instead of MAXDEWEY*sizeof(int),
	or sizeof(sbp->dewey).

	The effect of this error is that only the major and minor
	version numbers are copied into the data structure.  The third,
	fourth and later teeny version numbers, if any, are accidentally
	set to zero.

	As a consequence of this error, ldconfig will sometimes end up
	choosing the second-highest numbered shared library instead
	of the highest numbered shared library.  The incorrect choice
	happens when the highest numbered library happens to be the
	first one encountered in the readdir() loop, and when the
	difference between the highest and second-highest numbered
	library is not apparent in the first two (major and minor)
	version number fields, but only in the third or later fields.

>How-To-Repeat:

	The following commands demonstrate the problem under FreeBSD-2.2.
	Demonstrating it under more recent ELF systems is difficult,
	because it's masked by all the ELF library symlinks.

	# cd /usr/lib
	# touch libfoo.so.1.2.3.4
	# touch libfoo.so.1.2.3.1
	# ls -1f | grep libfoo
	libfoo.so.1.2.3.4
	libfoo.so.1.2.3.1
	# ldconfig -R -v | grep libfoo
	Adding /usr/lib/libfoo.so.1.2.3.4
	Updating libfoo.1.2 to /usr/lib/libfoo.1.2.3.1

	Although the first line of ldconfig output shows it adding
	version 1.2.3.4, the bcopy size error makes it act as though
	it added version 1.2.0.0.  Later, version 1.2.3.1 is seen as
	higher than 1.2.0.0, and this causes the "Updating" output.

	The error does not occur if the output from "ls -f" is in the
	opposite order.
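	As an added illustration (not part of this PR and not ldconfig's own
	source), the following C program models enter() closely enough to show
	the mechanism described above: the new-entry path copies the version
	vector with a caller-supplied byte count, so handing it MAXDEWEY (the
	bug) keeps only the first MAXDEWEY/sizeof(int) fields, while handing it
	the size of the destination array (the fix) keeps them all.  It assumes
	MAXDEWEY is 8 and int is 4 bytes, the two file names are the constructed
	"ls -f" order from the repeat steps, and cmpndewey()/parse_lib() are
	simplified stand-ins for ldconfig's helpers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXDEWEY   8    /* assumed value for this example */
#define MAXENTRIES 16

struct shlib_entry {
    char name[64];
    int  dewey[MAXDEWEY];   /* MAXDEWEY ints == MAXDEWEY*sizeof(int) bytes */
    int  ndewey;
};

/* Field-by-field version comparison in the spirit of ldconfig's cmpndewey():
 * >0 if d1 is higher, <0 if lower, 0 if equal; a matching prefix with
 * fewer fields counts as lower. */
static int cmpndewey(const int *d1, int n1, const int *d2, int n2)
{
    int i;
    for (i = 0; i < n1 && i < n2; i++) {
        if (d1[i] < d2[i]) return -1;
        if (d1[i] > d2[i]) return  1;
    }
    if (n1 == n2) return 0;
    return (n1 < n2) ? -1 : 1;
}

/* Split "libfoo.so.1.2.3.4" into "libfoo" and {1,2,3,4}; returns the number
 * of version fields, or -1 if the name is not a versioned shared library. */
static int parse_lib(const char *file, char *name, size_t namelen, int *dewey)
{
    const char *p = strstr(file, ".so.");
    if (p == NULL || (size_t)(p - file) >= namelen) return -1;
    memcpy(name, file, (size_t)(p - file));
    name[p - file] = '\0';
    int nd = 0;
    for (p += 4; *p != '\0' && nd < MAXDEWEY; ) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0) return -1;
        dewey[nd++] = (int)v;
        if (*end == '\0') break;
        if (*end != '.') return -1;
        p = end + 1;
    }
    return nd;
}

/* Model of ldconfig's enter().  copylen is the byte count used when a new
 * entry is created: MAXDEWEY reproduces the PR's bug, sizeof(e->dewey) is
 * the fix.  The "update existing entry" path uses the correct size, as the
 * real code did. */
static void enter(struct shlib_entry *tab, int *ntab, const char *file, size_t copylen)
{
    char name[64];
    int dewey[MAXDEWEY] = {0};
    int ndewey = parse_lib(file, name, sizeof name, dewey);
    if (ndewey < 1) return;

    for (int i = 0; i < *ntab; i++) {
        struct shlib_entry *e = &tab[i];
        if (strcmp(e->name, name) != 0 || e->dewey[0] != dewey[0])
            continue;
        if (cmpndewey(dewey, ndewey, e->dewey, e->ndewey) > 0) {
            memcpy(e->dewey, dewey, sizeof(e->dewey));   /* correct size */
            e->ndewey = ndewey;
        }
        return;
    }
    if (*ntab >= MAXENTRIES) return;
    struct shlib_entry *e = &tab[(*ntab)++];
    memset(e, 0, sizeof *e);           /* fields left uncopied read as zero, as the PR observed */
    strcpy(e->name, name);
    memcpy(e->dewey, dewey, copylen);  /* bcopy(dewey, shp->dewey, copylen) in ldconfig */
    e->ndewey = ndewey;
}

/* Feed files to enter() in directory order and format the version that wins
 * for the given library, e.g. "1.2.3.4".  Returns NULL if lib is not found. */
const char *winner_version(const char *const *files, int nfiles, const char *lib,
                           size_t copylen, char *buf, size_t buflen)
{
    struct shlib_entry tab[MAXENTRIES];
    int ntab = 0;
    for (int i = 0; i < nfiles; i++)
        enter(tab, &ntab, files[i], copylen);
    for (int i = 0; i < ntab; i++) {
        if (strcmp(tab[i].name, lib) != 0) continue;
        size_t used = 0;
        for (int f = 0; f < tab[i].ndewey && used < buflen; f++)
            used += (size_t)snprintf(buf + used, buflen - used, "%s%d",
                                     f ? "." : "", tab[i].dewey[f]);
        return buf;
    }
    return NULL;
}

int main(void)
{
    /* Constructed input: the "ls -f" order from the PR, highest version first. */
    const char *const files[] = { "libfoo.so.1.2.3.4", "libfoo.so.1.2.3.1" };
    char buf[64];
    printf("bug   (copylen = MAXDEWEY):      %s\n",
           winner_version(files, 2, "libfoo", MAXDEWEY, buf, sizeof buf));
    printf("fixed (copylen = sizeof dewey):  %s\n",
           winner_version(files, 2, "libfoo", sizeof(int[MAXDEWEY]), buf, sizeof buf));
    return 0;
}
```

	With the buggy length the first entry is stored as 1.2.0.0, so the
	later 1.2.3.1 compares higher and replaces it; with the correct
	length 1.2.3.4 is kept.  Reversing the two files makes the buggy
	run pick 1.2.3.4 by accident, which is the order dependence the
	report describes.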

>Fix:
Apply the following patch to src/sbin/ldconfig/ldconfig.c in
-current and the RELENG_4_* and RELENG_3_* branches.  Apply it to
src/gnu/usr.bin/ld/ldconfig/ldconfig.c in the RELENG_2_* branches if
anybody cares.

--- ldconfig.c  2002/09/17 01:48:53     1.38
+++ ldconfig.c  2002/10/11 13:56:40
@@ -357,7 +357,7 @@
 	shp = (struct shlib_list *)xmalloc(sizeof *shp);
 	shp->name = strdup(name);
 	shp->path = concat(dir, "/", file);
-	bcopy(dewey, shp->dewey, MAXDEWEY);
+	bcopy(dewey, shp->dewey, sizeof(sbp->dewey));
 	shp->ndewey = ndewey;
 	shp->next = NULL;
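Review bot: the replacement line takes the length from `sbp->dewey`, but `sbp` does not appear anywhere in the visible context, which only uses `shp`, the entry just allocated two lines above; unless a `sbp` happens to be in scope in enter(), this will not compile, and even if one is, the length should come from the buffer actually being written, i.e. `bcopy(dewey, shp->dewey, sizeof(shp->dewey));`. That form also agrees with the other correct size the description names, MAXDEWEY*sizeof(int), since the array holds MAXDEWEY ints, and it stays right if the array's element type ever changes.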

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: cperciva 
State-Changed-When: Fri Mar 12 16:57:31 PST 2004 
State-Changed-Why:  
Fixed in -current, will MFC in 3 days. 


Responsible-Changed-From-To: freebsd-bugs->cperciva 
Responsible-Changed-By: cperciva 
Responsible-Changed-When: Fri Mar 12 16:57:31 PST 2004 
Responsible-Changed-Why:  
Fixed in -current, will MFC in 3 days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43930 
State-Changed-From-To: patched->closed 
State-Changed-By: cperciva 
State-Changed-When: Mon Mar 15 23:14:25 PST 2004 
State-Changed-Why:  
MFC done. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43930 
>Unformatted:
