From dufault@hda.hda.com  Mon Jun  1 13:42:54 1998
Received: from hda.hda.com (hda-bicnet.bicnet.net [208.220.66.37])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA28929
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 1 Jun 1998 13:42:44 -0700 (PDT)
          (envelope-from dufault@hda.hda.com)
Received: (from dufault@localhost)
	by hda.hda.com (8.8.5/8.8.5) id QAA05579;
	Mon, 1 Jun 1998 16:18:32 -0400 (EDT)
Message-Id: <199806012018.QAA05579@hda.hda.com>
Date: Mon, 1 Jun 1998 16:18:32 -0400 (EDT)
From: Peter Dufault <dufault@hda.com>
Reply-To: dufault@hda.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: cd9660_mount NULL pointer deref for no CDROM drive
X-Send-Pr-Version: 3.2

>Number:         6820
>Category:       kern
>Synopsis:       cd9660_mount NULL pointer deref for no CDROM drive
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jesper
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun  1 13:50:00 PDT 1998
>Closed-Date:    Sun Jan 11 08:35:40 PST 2004
>Last-Modified:  Sun Jan 11 08:35:40 PST 2004
>Originator:     Peter Dufault
>Release:        FreeBSD 3.0-Current Sun May 31
>Organization:
Peter Dufault (dufault@hda.com)   Realtime development, Machine control,
HD Associates, Inc.               Safety critical systems, Agency approval
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: dufault@hda.com, FreeBSD-gnats-submit@FreeBSD.ORG
Cc:
Subject: Re: kern/6820: cd9660_mount NULL pointer deref for no CDROM drive
Date: Tue, 2 Jun 1998 17:22:57 +1000

 >I tried to mount a CD on my crash box.  Unfortunately I don't have a
 >CDROM drive there.  cd9660_mount crashes with a NULL pointer dereference
 >of bdevsw[major(devvp->v_rdev)]:
 >
 >>    if ((mp->mnt_flag & MNT_UPDATE) == 0) {
 >>        if (bdevsw[major(devvp->v_rdev)]->d_flags & D_NOCLUSTERR)
 >>            mp->mnt_flag |= MNT_NOCLUSTERR;
 >>        error = iso_mountfs(devvp, mp, p, &args);
 >>    } else {
 >
 >This may have been added in 1.29 in the CLUSTERRING commit.
 
 ffs has the same bug.  The device node exists but not the device.
 It doesn't help that mount() would later return ENXIO, since the
 devsw is accessed before the device is opened.  This bug is often
 masked by sloppy initialization using SYSINIT().  The devsw entries
 get initialized although no device is present.
 
 Bruce
State-Changed-From-To: open->suspended 
State-Changed-By: jesper 
State-Changed-When: Sun May 27 17:10:34 PDT 2001 
State-Changed-Why:  
No description of the problem, how to reproduce. 

Please submit more information. 


Responsible-Changed-From-To: freebsd-bugs->jesper 
Responsible-Changed-By: jesper 
Responsible-Changed-When: Sun May 27 17:10:34 PDT 2001 
Responsible-Changed-Why:  
keep it on the radar screen

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6820 
State-Changed-From-To: suspended->closed 
State-Changed-By: iedowse 
State-Changed-When: Sun Jan 11 08:32:12 PST 2004 
State-Changed-Why:  

The code in question was removed a long time ago (1999) so I assume 
this is fixed (Jesper, hope it's ok with you to close this - I had 
already looked up the code before I noticed you owned the PR). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=6820 
>Unformatted:

I tried to mount a CD on my crash box.  Unfortunately I don't have a
CDROM drive there.  cd9660_mount crashes with a NULL pointer dereference
of bdevsw[major(devvp->v_rdev)]:

>    if ((mp->mnt_flag & MNT_UPDATE) == 0) {
>        if (bdevsw[major(devvp->v_rdev)]->d_flags & D_NOCLUSTERR)
>            mp->mnt_flag |= MNT_NOCLUSTERR;
>        error = iso_mountfs(devvp, mp, p, &args);
>    } else {

This may have been added in 1.29 in the CLUSTERRING commit.
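
The following is an added example, not code from the PR or from the FreeBSD tree, and not the change that eventually resolved it. It is a user-space model of the lookup quoted above with the check that Bruce Evans's reply implies is missing: the switch-table slot is tested before d_flags is read, so a device node with no device behind it fails with ENXIO. The struct layouts, flag values, table size and the helper bdevsw_lookup() are assumptions made for illustration.

```c
/* User-space model of the lookup in the report; not FreeBSD kernel source.
 * Struct layouts, flag values and NMAJ are constructed for illustration. */
#include <errno.h>
#include <stddef.h>

#define NMAJ           8     /* constructed table size */
#define D_NOCLUSTERR   0x10  /* constructed value */
#define MNT_UPDATE     0x01  /* constructed value */
#define MNT_NOCLUSTERR 0x02  /* constructed value */

struct bdevsw_model { int d_flags; };
struct mount_model  { int mnt_flag; };

/* Slot 6 models an attached driver; every other slot is NULL, which is
 * what a device node without a configured device indexes into. */
static struct bdevsw_model cd_driver = { D_NOCLUSTERR };
static struct bdevsw_model *bdevsw[NMAJ] = { [6] = &cd_driver };

/* Hypothetical helper: return the switch entry or NULL, and never
 * dereference an empty or out-of-range slot. */
static struct bdevsw_model *
bdevsw_lookup(int maj)
{
	if (maj < 0 || maj >= NMAJ)
		return NULL;
	return bdevsw[maj];
}

/* Guarded form of the quoted branch: fail before d_flags is read. */
int
model_mount(struct mount_model *mp, int maj)
{
	struct bdevsw_model *sw;

	if ((mp->mnt_flag & MNT_UPDATE) == 0) {
		sw = bdevsw_lookup(maj);
		if (sw == NULL)
			return ENXIO;	/* node exists, device does not */
		if (sw->d_flags & D_NOCLUSTERR)
			mp->mnt_flag |= MNT_NOCLUSTERR;
		/* the real routine would call iso_mountfs() here */
	}
	return 0;
}
```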
