From root@smtp.aranyoroszlan.hu  Wed Mar 31 01:20:40 2004
Return-Path: <root@smtp.aranyoroszlan.hu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C850416A52E
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 31 Mar 2004 01:20:39 -0800 (PST)
Received: from smtp.aranyoroszlan.hu (smtp.aranyoroszlan.hu [195.56.77.57])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8FE5B43D75
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 31 Mar 2004 01:20:36 -0800 (PST)
	(envelope-from root@smtp.aranyoroszlan.hu)
Received: (qmail 1668 invoked by uid 0); 31 Mar 2004 09:23:37 -0000
Message-Id: <20040331092337.1655.qmail@smtp.aranyoroszlan.hu>
Date: 31 Mar 2004 09:23:37 -0000
From: Balazs Nagy <js@iksz.hu>
Reply-To: Balazs Nagy <js@iksz.hu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: regfree() crasher
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         64983
>Category:       kern
>Synopsis:       regfree() crasher
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 31 01:30:21 PST 2004
>Closed-Date:    Thu Apr 15 05:15:36 PDT 2004
>Last-Modified:  Thu Apr 15 05:15:36 PDT 2004
>Originator:     Balazs Nagy
>Release:        FreeBSD 5.2.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD tcb.aranyoroszlan.hu 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #1: Tue Mar 16 08:23:41 CET 2004 root@tcb.aranyoroszlan.hu:/opt/devel/obj/opt/devel/src/sys/SAMU i386

>Description:
regfree() in src/libc/regex/regfree.c doesn't check its parameter, and with an
invalid pointer the application crashes.

>How-To-Repeat:

My problem originated with apache2, which dumps core multiple times.  I
recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:

(gdb) bt     
#0  0x283b6dcf in kill () from /lib/libc.so.5
#1  0x08076f11 in sig_coredump (sig=11) at mpm_common.c:955
#2  0x28353f34 in _thread_sig_handler () from /usr/lib/libc_r.so.5
#3  0x28353d9d in _thread_sig_handler () from /usr/lib/libc_r.so.5
#4  <signal handler called>
#5  0x285fdd70 in ?? ()
#6  0x0807161f in regex_cleanup (preg=0x0) at util.c:258
#7  0x283123bd in run_cleanups (cref=0x80d1028) at apr_pools.c:1951
#8  0x28311b1c in apr_pool_destroy (pool=0x80d1018) at apr_pools.c:730
#9  0x28311b0b in apr_pool_destroy (pool=0x80cf018) at apr_pools.c:727
#10 0x0806eb31 in destroy_and_exit_process (process=0x0,
process_exit_value=0) at main.c:213
#11 0x0806fb1e in main (argc=4, argv=0xbfbfecb8) at main.c:644
#12 0x0805f8a2 in _start ()

ports/www/apache2/work/httpd-2.0.49/server/util.c:258: regfree((regex_t *) preg);

Bug caught.

>Fix:


(text:
--- lib/libc/regex/regfree.c.orig	Fri Mar 22 22:52:47 2002
+++ lib/libc/regex/regfree.c	Wed Mar 31 11:01:00 2004
@@ -62,6 +62,8 @@
 {
 	struct re_guts *g;
 
+	if (!preg)
+		return;
 	if (preg->re_magic != MAGIC1)	/* oops */
 		return;			/* nice to complain, but hard */
 
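Review bot: the added `if (!preg) return;` in this hunk masks a caller bug rather than fixing one: passing NULL to regfree() is undefined per POSIX, and a silent return means the NULL cleanup seen in the backtrace (`regex_cleanup (preg=0x0)`) keeps happening unnoticed. The check is also inconsistent with the line right below it, which already tolerates a bad `re_magic` with a comment admitting it would be "nice to complain"; if the library is to accept NULL at all, give it the same kind of comment so the intent (tolerating, not endorsing, a caller bug) is recorded, and fix the caller to clear its pointer after the first regfree() so the second cleanup never reaches libc.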
)
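As an added example (not the PR's patch and not Apache's code), this is the application-side guard the backtrace above calls for: a small owner struct around regex_t so that a cleanup handler never hands regfree() a NULL or an already-freed object, which is the undefined-behaviour case the reply points out. The names (rx_handle, rx_compile, rx_free, rx_match, demo_double_cleanup), the sample pattern and the return codes are all constructed for this illustration and are not part of libc or Apache.

```c
/* Added example: guarding regfree(3) on the caller side.
 * Assumes only the POSIX regex API; everything else is constructed here. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of a guarded free, so callers can see what happened instead of crashing. */
enum rx_free_result { RX_FREED = 0, RX_NULL = 1, RX_ALREADY_FREED = 2 };

/* Owner of a compiled regex; 'compiled' records whether regfree() is still owed. */
struct rx_handle {
    regex_t re;
    int compiled;   /* 1 after a successful regcomp(), 0 otherwise */
};

/* Compile 'pattern' into h. Returns 0 on success, else the regcomp() error code. */
int rx_compile(struct rx_handle *h, const char *pattern) {
    memset(h, 0, sizeof *h);
    int rc = regcomp(&h->re, pattern, REG_EXTENDED);
    if (rc == 0)
        h->compiled = 1;
    return rc;
}

/* Guarded regfree(): refuses NULL and double frees, both undefined for regfree(),
 * and reports them as caller bugs rather than hiding them. */
enum rx_free_result rx_free(struct rx_handle *h) {
    if (h == NULL) {
        fprintf(stderr, "rx_free: NULL handle (caller bug)\n");
        return RX_NULL;
    }
    if (!h->compiled) {
        fprintf(stderr, "rx_free: handle already freed or never compiled (caller bug)\n");
        return RX_ALREADY_FREED;
    }
    regfree(&h->re);
    h->compiled = 0;   /* a second cleanup is now a reported no-op, not a double free */
    return RX_FREED;
}

/* 1 on match, 0 on no match, -1 if the handle is not live. */
int rx_match(struct rx_handle *h, const char *s) {
    if (h == NULL || !h->compiled)
        return -1;
    return regexec(&h->re, s, 0, NULL, 0) == 0 ? 1 : 0;
}

/* Simulates a pool cleanup that runs twice and once with NULL, the shape of
 * regex_cleanup(preg=0x0) in the backtrace. Returns how many times regfree()
 * was actually reached: with the guard this is exactly 1. */
int demo_double_cleanup(void) {
    struct rx_handle h;
    int freed = 0;
    if (rx_compile(&h, "^GET /[a-z]+") != 0)
        return -1;
    if (rx_free(&h) == RX_FREED) freed++;
    if (rx_free(&h) == RX_FREED) freed++;     /* second cleanup: refused */
    if (rx_free(NULL) == RX_FREED) freed++;   /* NULL cleanup: refused */
    return freed;
}

int main(void) {
    struct rx_handle h;
    if (rx_compile(&h, "^GET /[a-z]+") != 0)
        return 1;
    printf("match: %d\n", rx_match(&h, "GET /index HTTP/1.0"));
    printf("regfree() calls in double-cleanup demo: %d\n", demo_double_cleanup());
    rx_free(&h);
    return 0;
}
```

The design choice is that the owner, not libc, tracks liveness: libc cannot tell a freed regex_t from a live one without a magic-number check, but the caller always can, and clearing the flag at free time is what makes a twice-registered cleanup harmless.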
>Release-Note:
>Audit-Trail:

From: David Schultz <das@FreeBSD.ORG>
To: Balazs Nagy <js@iksz.hu>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/64983: regfree() crasher
Date: Sat, 3 Apr 2004 01:45:12 -0800

 On Wed, Mar 31, 2004, Balazs Nagy wrote:
 > regfree() in src/libc/regex/regfree.c doesn't check parameter, and with an
 > invalid pointer, the application crashes.
 [...]
 > My problem originated with apache2, which dumps core multiple times.  I
 > recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:
 [...]
 > --- lib/libc/regex/regfree.c.orig	Fri Mar 22 22:52:47 2002
 > +++ lib/libc/regex/regfree.c	Wed Mar 31 11:01:00 2004
 > @@ -62,6 +62,8 @@
 >  {
 >  	struct re_guts *g;
 >  
 > +	if (!preg)
 > +		return;
 >  	if (preg->re_magic != MAGIC1)	/* oops */
 >  		return;			/* nice to complain, but hard */
 
 The result of regfree() on an invalid pointer is undefined, so
 your problem looks like a bug in Apache.
 
 It isn't clear what regfree() should do, in general, when it
 detects a bug.  Right now, it silently returns when it notices
 some types of corruption.  Arguably it should abort so such bugs
 can be caught, but changing it now could break applications that
 (wrongly) depend on the behaviour.  You are suggesting the
 opposite, namely, that regfree() should try harder to hide
 application bugs from the programmer...

From: Nagy Balázs <js@js.hu>
To: Nagy Balázs <js@iksz.hu>,
	freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/64983: regfree() crasher
Date: Sun, 4 Apr 2004 10:52:38 +0200

 You're right. Besides, it could write a syslog entry about the problem
 while returning 0.
 Anyways, the bug entry can be closed.
 
State-Changed-From-To: open->closed 
State-Changed-By: cperciva 
State-Changed-When: Thu Apr 15 05:15:08 PDT 2004 
State-Changed-Why:  
Closed at request of submitter. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64983 
>Unformatted:
