From hsn@netmag.cz  Wed Jan 21 14:18:48 2004
Return-Path: <hsn@netmag.cz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B5CB016A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 14:18:48 -0800 (PST)
Received: from mail.tiscali.cz (stateless2.tiscali.cz [213.235.135.71])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C48B843D31
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 14:18:46 -0800 (PST)
	(envelope-from hsn@netmag.cz)
Received: from asura.bsd (212.90.236.232) by mail.tiscali.cz (6.7.018)
        id 3FB968090129BDCA for FreeBSD-gnats-submit@freebsd.org; Wed, 21 Jan 2004 23:18:45 +0100
Received: from hsn by asura.bsd with local (Exim 4.24 #4 (Debian))
	id 1AjNpB-0000D7-IZ
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Jan 2004 20:15:37 +0100
Message-Id: <E1AjNpB-0000D7-IZ@asura.bsd>
Date: Wed, 21 Jan 2004 20:15:37 +0100
From: Radim Kolar <hsn@netmag.cz>
Reply-To: Radim Kolar <hsn@netmag.cz>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: fsdb segfaults in cmd. parsing routine
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         61690
>Category:       bin
>Synopsis:       fsdb segfaults in cmd. parsing routine
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 21 14:20:09 PST 2004
>Closed-Date:    Fri Apr 21 20:43:22 GMT 2006
>Last-Modified:  Fri Apr 21 20:43:22 GMT 2006
>Originator:     Radim Kolar
>Release:        FreeBSD 5.2-RELEASE i386
>Organization:
Sanatana Dharma
>Environment:
System: FreeBSD asura.bsd 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Thu Jan 15 18:35:03 CET 2004 root@asura.bsd:/usr/obj/usr/src/sys/GENERIC i386

>Description:
    fsdb segfaults if the user supplies more arguments to a command than
    the executed command expects.
>How-To-Repeat:
asura# fsdb /dev/ad2s4e
** /dev/ad2s4e (NO WRITE)
Editing file system `/dev/ad2s4e'
Last Mounted on /home
current inode: directory
I=2 MODE=40755 SIZE=512
        MTIME=Jan 13 15:19:31 2004 [0 nsec]
        CTIME=Jan 13 15:20:05 2004 [0 nsec]
        ATIME=Jan 21 18:53:46 2004 [0 nsec]
OWNER=root GRP=wheel LINKCNT=4 FLAGS=0 BLKCNT=4 GEN=48307996
fsdb (inum: 2)> help crashme
Segmentation fault (core dumped)
asura#
>Fix:
Workaround: don't type more arguments than requested.
>Release-Note:
>Audit-Trail:

From: Jan-Espen Pettersen <sigsegv@leakingmemory.org>
To: freebsd-gnats-submit@FreeBSD.org, hsn@netmag.cz
Cc: sigsegv@leakingmemory.org
Subject: Re: bin/61690: fsdb segfaults in cmd. parsing routine
Date: Wed, 28 Jan 2004 23:26:36 +0100

 Debug info from gdb:
 
 (gdb) run /dev/ad0s1a
 Starting program: /usr/obj/usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb /dev/ad0s1a
 ** /dev/ad0s1a (NO WRITE)
 Editing file system `/dev/ad0s1a'
 Last Mounted on /
 current inode: directory
 I=2 MODE=40755 SIZE=512
         MTIME=Jan 25 14:26:13 2004 [0 nsec]
         CTIME=Jan 25 14:26:13 2004 [0 nsec]
         ATIME=Jan 28 03:01:06 2004 [0 nsec]
 OWNER=root GRP=wheel LINKCNT=24 FLAGS=0 BLKCNT=4 GEN=7aca51f8
 fsdb (inum: 2)> help test
 
 Breakpoint 1, recrack (line=0x80c6060 "help test\n", argc=0xbfbfeb0c, argc_max=1)
     at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdbutil.c:82
 82          for (p = line, i = 0; p != NULL && i < 8 && i < argc_max - 1; i++) {
 (gdb) bt
 #0  recrack (line=0x80c6060 "help test\n", argc=0xbfbfeb0c, argc_max=1) at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdbutil.c:82
 #1  0x08049a33 in cmdloop () at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:260
 #2  0x08049664 in main (argc=1, argv=0xbfbfeb74) at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:107
 #3  0x08049452 in _start ()
 (gdb) next
 90          argv[i] = argv[i - 1] + strlen(argv[i - 1]) + 1;
 (gdb)
 
 Program received signal SIGSEGV, Segmentation fault.
 0x281032f9 in strlen () from /lib/libc.so.5
 (gdb) bt full
 #0  0x281032f9 in strlen () from /lib/libc.so.5
 No symbol table info available.
 #1  0xbfbfeb70 in ?? ()
 No symbol table info available.
 #2  0x08049a33 in cmdloop () at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:260
         line = 0x80c6060 "help test\n"
         elline = 0x80cb800 "help test\n"
         cmd_argc = 2
         rval = 0
         known = 0
         cmd_argv = (char **) 0x80618a0
         cmdp = (struct cmdtable *) 0x80602a0
         hist = (History *) 0x80b0140
         elptr = (EditLine *) 0x80c5000
         he = {num = 1, str = 0x80c6050 "help test\n"}
 #3  0x08049664 in main (argc=1, argv=0xbfbfeb74) at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:107
         ch = -1
         rval = 2
         fsys = 0xbfbfec98 "/dev/ad0s1a"
 #4  0x08049452 in _start ()
 No symbol table info available.
 
 Patch:
 
 http://www.leakingmemory.org/patches/fsdb/fsdb_segf.diff
 
 
 The crash is caused by an underflow where i = 0, and an attempt to read 
 at argv[i - 1].
 
 Regards,
 Jan-Espen Pettersen
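
What the backtrace shows, as an added example that is not FreeBSD's fsdbutil.c and not Jan-Espen Pettersen's patch: a model of the recrack() loop with the i == 0 read of argv[i - 1], beside a bounded tokenizer and a cmdloop()-style driver that turns "help test" into an argument-count error instead of a SIGSEGV in strlen(). The function names (next_word, recrack_unsafe, recrack_bounded, parse_command), the command table and its argument bounds are assumptions made for this example; fsdb's real table and the fix later committed from bin/37096 are not reproduced here.

```c
/* Added example modelling fsdb's recrack(); not FreeBSD code.  Function
 * names, the command table and its argument bounds are assumptions. */
#include <string.h>

#define MAXARGS 8

/* Next blank-separated word of *pp, NUL-terminated in place (a stand-in for
 * the strsep() loop in fsdbutil.c); NULL at end of line.  *pp advances. */
static char *
next_word(char **pp)
{
    char *w = *pp;

    if (w == NULL)
        return NULL;
    w += strspn(w, " \t\n");
    if (*w == '\0') {
        *pp = NULL;
        return NULL;
    }
    *pp = w + strcspn(w, " \t\n");
    if (**pp == '\0')
        *pp = NULL;
    else
        *(*pp)++ = '\0';
    return w;
}

/* The shape that faults: split the first argc_max-1 words, then point the
 * next slot just past the previous word.  With argc_max == 1 ("help") the
 * loop never runs, i stays 0, and the line after it reads argv[-1], the read
 * strlen() faulted on above.  Comparison only; never pass argc_max <= 1. */
static int
recrack_unsafe(char *line, char *argv[MAXARGS], int argc_max)
{
    char *p, *val;
    int i;

    for (p = line, i = 0; p != NULL && i < MAXARGS - 1 && i < argc_max - 1; i++) {
        if ((val = next_word(&p)) == NULL)
            break;
        argv[i] = val;
    }
    argv[i] = argv[i - 1] + strlen(argv[i - 1]) + 1; /* BUG: argv[-1] if i == 0 */
    argv[i][strcspn(argv[i], "\n")] = '\0';          /* drop the newline */
    return i + 1;
}

/* Bounded version: the command word always fills argv[0], later words fill
 * slots up to argc_max-2, and any remaining text goes whole into the last
 * free slot.  Text with no slot left returns -1 instead of being reached
 * through a slot that never existed.  Returns argc, 0 for a blank line. */
static int
recrack_bounded(char *line, char *argv[MAXARGS], int argc_max)
{
    char *p = line, *val;
    int i = 1;

    if (argc_max < 1 || argc_max > MAXARGS)
        return -1;
    line[strcspn(line, "\n")] = '\0';
    if ((argv[0] = next_word(&p)) == NULL)
        return 0;
    while (i < argc_max - 1 && (val = next_word(&p)) != NULL)
        argv[i++] = val;
    if (p != NULL) {
        p += strspn(p, " \t");
        if (*p != '\0') {
            if (i >= argc_max)
                return -1;                       /* excess text, no slot left */
            argv[i++] = p;
        }
    }
    return i;
}

struct cmdtable {
    const char *name;
    int minargc, maxargc;                        /* counts include the command word */
};

static const struct cmdtable cmds[] = {          /* constructed, not fsdb's table */
    { "help", 1, 1 }, { "cd", 2, 2 }, { "ls", 1, 2 }, { "findblk", 2, MAXARGS },
    { NULL, 0, 0 }
};

/* cmdloop()-style driver: find the command by its first word, then tokenize
 * with that command's argc_max.  Returns argc; 0 for a blank line; -1 for an
 * unknown command; -2 when argc is outside [minargc, maxargc], which is where
 * "help test" now lands instead of in strlen(). */
static int
parse_command(char *line, char *argv[MAXARGS])
{
    const struct cmdtable *cp;
    const char *w = line + strspn(line, " \t");
    size_t n = strcspn(w, " \t\n");
    int argc;

    if (n == 0)
        return 0;
    for (cp = cmds; cp->name != NULL; cp++)
        if (strlen(cp->name) == n && strncmp(cp->name, w, n) == 0)
            break;
    if (cp->name == NULL)
        return -1;
    argc = recrack_bounded(line, argv, cp->maxargc);
    return (argc < cp->minargc || argc > cp->maxargc) ? -2 : argc;
}
```

Call parse_command() on a mutable copy of the input line (it NUL-terminates words in place, as the original does). The point of the bounded version is that the "rest of the line" slot is derived from the current parse position p, which is always inside the line buffer, rather than from argv[i - 1], which does not exist when no word has been stored yet; the arity check then belongs in the driver, where the command's bounds are known, not in the tokenizer.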
 
 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Apr 21 20:41:04 UTC 2006 
State-Changed-Why:  
Duplicate of bin/37096.  I've just committed the patch from that PR 
to HEAD.  Can't check Jan-Espen Pettersen's patch; the URL he provided 
returns a 404 for me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61690 
>Unformatted:
