From ast@marabu.ch  Sun May 27 12:36:13 2001
Return-Path: <ast@marabu.ch>
Received: from oneplusone.ch (oneplusone.ch [194.191.122.98])
	by hub.freebsd.org (Postfix) with ESMTP id 3DDBD37B423
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 May 2001 12:36:12 -0700 (PDT)
	(envelope-from ast@marabu.ch)
Received: (from uucp@localhost)
	by oneplusone.ch (8.11.3/8.11.3) with UUCP id f4RJa3s11324;
	Sun, 27 May 2001 21:36:03 +0200 (MEST)
	(envelope-from ast@marabu.ch)
Received: from srv.marabu.ch (srv.marabu.ch [192.168.21.2])
	by marabu.ch (8.9.3/2000102801) with ESMTP id VAA29208;
	Sun, 27 May 2001 21:30:43 +0200 (CEST)
	(envelope-from ast@marabu.ch)
Received: (from ast@localhost)
	by srv.marabu.ch (8.11.3/8.11.3) id f4RJUCK01642;
	Sun, 27 May 2001 21:30:12 +0200 (MEST)
	(envelope-from ast)
Message-Id: <200105271930.f4RJUCK01642@srv.marabu.ch>
Date: Sun, 27 May 2001 21:30:12 +0200 (MEST)
From: ast@marabu.ch
Reply-To: ast@marabu.ch
To: FreeBSD-gnats-submit@freebsd.org
Subject: A typo in /boot/loader interface "ok load -t foo" may hang system
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27693
>Category:       i386
>Synopsis:       /boot/loader may hang on "load -t type file" when type is missing
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 27 12:40:02 PDT 2001
>Closed-Date:    Sun May 27 16:24:44 PDT 2001
>Last-Modified:  Sun May 27 16:26:34 PDT 2001
>Originator:     Adrian Steinmann
>Release:        FreeBSD 4.3-STYX i386
>Organization:
Steinmann Consulting
>Environment:
System: FreeBSD srv.marabu.ch 4.3-STYX FreeBSD 4.3-STYX #0: Fri May 18 20:20:58 GMT 2001 root@srv.marabu.ch:/usr/src/sys/compile/STYX i386
>Description:
In sys/boot/common/module.c, near line 105 a request for a raw
file is processed by passing its name in argv[1]:
        return(mod_loadobj(typestr, argv[1]));
however, it is not tested to see if argv[1] actually is defined.

At best, mod_loadobj() near line 244 returns an error like
"can't find 'garbage'" but if the "filename" entered is sufficiently
long, some buffer gets overrun. Of course, "load -t filename" is
actually a typo because we meant to type "load -t mfs_root filename";
nevertheless, a hung machine seems like too harsh a punishment for
such a small typo...

>How-To-Repeat:
Here is a session which shows the problem:

FreeBSD/i386 bootstrap loader, Revision 0.8
(root@srv.marabu.ch, Wed May 23 12:39:29 GMT 2001)
Loading /boot/defaults/loader.conf 
/kernel text=0x18f9bb data=0x20c4c+0x2aecc syms=[0x4+0x26990+0x4+0x2bf24]

Hit [Enter] to boot immediately, or any other key for command prompt.


Type '?' for a list of commands, 'help' for more detailed help.
ok  unload
ok ls
/
 d  root
 d  home
 d  bin
 d  boot
 d  dev
 d  etc
 d  mnt
 d  sbin
 l  tmp
 d  usr
 d  var
    .cshrc
    .profile
    kernel.GENERIC
    kernel.config
    boot.config
    k.GENERIC.gz
    fs.GENERIC.gz
 d  pi
    kernel
    k.PIC.gz
    fs.PIC.gz
ok load k.PIC
/k.PIC text=0xdd797 data=0x17294+0x16420 /
ok load -t fs.PIC
can't find 't 

 '
ok 
ok load -t fs.PIC...........
can't find '
... HUNG!

>Fix:
With the patch to module.c attached below, we diagnose the bogus argv[1]
as being a bad type:

FreeBSD/i386 bootstrap loader, Revision 0.8
(root@srv.marabu.ch, Sun May 27 20:57:11 MEST 2001)
Loading /boot/defaults/loader.conf 
/kernel text=0x18f9bb data=0x20c4c+0x2aecc syms=[0x4+0x26990+0x4+0x2bf24]

Hit [Enter] to boot immediately, or any other key for command prompt.


Type '?' for a list of commands, 'help' for more detailed help.
ok unload
ok ls
/
 d  root
 d  home
 d  bin
 d  boot
 d  dev
 d  etc
 d  mnt
 d  sbin
 l  tmp
 d  usr
 d  var
    .cshrc
    .profile
    kernel.GENERIC
    kernel.config
    boot.config
    k.GENERIC.gz
    fs.GENERIC.gz
 d  pi
    kernel
    k.PIC.gz
    fs.PIC.gz
ok load k.PIC
/k.PIC text=0xdd797 data=0x17294+0x16420 /
ok load -t fs.PIC
invalid load type
ok load -t mfs_root foo bar
invalid load type
ok load -t mfs_root fs.PIC
ok 


Index: module.c
===================================================================
RCS file: /usr/cvs/src/sys/boot/common/module.c,v
retrieving revision 1.13.2.1
diff -u -r1.13.2.1 module.c
--- module.c    2000/12/28 13:12:35     1.13.2.1
+++ module.c    2001/05/27 18:56:21
@@ -98,7 +98,7 @@
      * Request to load a raw file?
      */
     if (dofile) {
-       if ((typestr == NULL) || (*typestr == 0)) {
+       if (argc != 2 || (typestr == NULL) || (*typestr == 0)) {
            command_errmsg = "invalid load type";
            return(CMD_ERROR);
        }
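Review bot: the new `argc != 2` test folds two different failures into the existing message "invalid load type", which is misleading for exactly the cases it was added to catch: in "load -t fs.PIC" the type string itself is acceptable and it is the file name that is missing, and in "load -t mfs_root foo bar" (from the Fix session above) there is one argument too many. Suggest keeping `if ((typestr == NULL) || (*typestr == 0))` as it was and adding a separate check ahead of it, e.g. `if (argc != 2) { command_errmsg = "usage: load [-t type] file"; return(CMD_ERROR); }`, so the user learns which argument is wrong. Two further points: the check is scoped to the `if (dofile)` branch, so it is worth confirming that the non-raw path below this hunk (not visible here) guards its own use of argv[1] the same way; and the argument count does nothing for the buffer overrun the Description attributes to mod_loadobj() on a sufficiently long file name, which remains reachable with a well-formed command, so that should be tracked as a separate fix.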


Adrian Steinmann
_________________________________________________________________________
Dr. Adrian Steinmann  Steinmann Consulting  Apollostrasse 21  8032 Zurich
   Tel +41 1 380 30 83     Fax +41 1 380 30 85    Mailto:ast@marabu.ch
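
As an added example, not code from this report or from FreeBSD's module.c: a stand-alone C sketch of the argument check the patch introduces, using a hypothetical parse_load() that scans "load [-t type] file" by hand instead of getopt, plus a replay_session() that runs the three commands from the Fix session through it.

```c
#include <string.h>
enum { CMD_OK, CMD_ERROR };   /* mirrors the loader's command return codes */

/* Outcome of parsing "load [-t type] file" (constructed for this example). */
struct load_req {
    const char *typestr;    /* NULL when no -t was given */
    const char *filename;
    const char *errmsg;     /* set on CMD_ERROR, like the loader's command_errmsg */
};
/* Parse a "load" argument vector: options, then exactly one file name. */
int parse_load(int argc, char *argv[], struct load_req *req)
{
    int i = 1;
    req->typestr = req->filename = req->errmsg = NULL;
    for (; i < argc && argv[i][0] == '-'; i++) {        /* option scan */
        if (strcmp(argv[i], "-t") != 0 || ++i >= argc) {
            req->errmsg = "bad option or missing type";
            return CMD_ERROR;
        }
        req->typestr = argv[i];
    }
    /* The report's bug: "load -t fs.PIC" makes fs.PIC the type and leaves no
     * file name, yet argv[1] was used anyway.  Count what is left first. */
    if (argc - i != 1) {
        req->errmsg = (argc - i == 0) ? "missing file name" : "too many arguments";
        return CMD_ERROR;
    }
    if (req->typestr != NULL && *req->typestr == '\0') {
        req->errmsg = "invalid load type";
        return CMD_ERROR;
    }
    req->filename = argv[i];
    return CMD_OK;
}
/* Replay the three commands from the Fix session; returns how many behaved
 * as the patch intends (expected: 3). */
int replay_session(void)
{
    struct load_req r;
    int ok = 0;
    char *typo[]  = {"load", "-t", "fs.PIC"};                  /* type eats the file name */
    char *extra[] = {"load", "-t", "mfs_root", "foo", "bar"};  /* one file too many */
    char *good[]  = {"load", "-t", "mfs_root", "fs.PIC"};
    if (parse_load(3, typo, &r) == CMD_ERROR && r.filename == NULL) ok++;
    if (parse_load(5, extra, &r) == CMD_ERROR) ok++;
    if (parse_load(4, good, &r) == CMD_OK && strcmp(r.typestr, "mfs_root") == 0
        && strcmp(r.filename, "fs.PIC") == 0) ok++;
    return ok;
}
```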

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: jesper 
State-Changed-When: Sun May 27 16:24:44 PDT 2001 
State-Changed-Why:  
committed 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27693 
>Unformatted:
