From fenner@parc.xerox.com  Sat Jan 23 00:31:57 1999
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA01446
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 23 Jan 1999 00:31:57 -0800 (PST)
          (envelope-from fenner@parc.xerox.com)
Received: from louise.parc.xerox.com ([13.2.118.28]) by alpha.xerox.com with SMTP id <62795(4)>; Sat, 23 Jan 1999 00:31:41 PST
Received: from fenestro.parc.xerox.com ([13.0.208.199]) by louise.parc.xerox.com with SMTP id <362854>; Sat, 23 Jan 1999 00:31:33 PST
Received: (from fenner@localhost)
	by fenestro.parc.xerox.com (8.9.2/8.9.1) id AAA00395;
	Sat, 23 Jan 1999 00:31:27 -0800 (PST)
	(envelope-from fenner)
Message-Id: <199901230831.AAA00395@fenestro.parc.xerox.com>
Date: Sat, 23 Jan 1999 00:31:27 PST
From: Bill Fenner <fenner@parc.xerox.com>
Reply-To: fenner@parc.xerox.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: new boot loader uses freed memory if you specify full path to module to load
X-Send-Pr-Version: 3.2

>Number:         9631
>Category:       kern
>Synopsis:       new boot loader uses freed memory if you specify full path to module to load
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dcs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 23 00:40:01 PST 1999
>Closed-Date:    Mon Feb 22 05:20:50 PST 1999
>Last-Modified:  Mon Feb 22 05:21:29 PST 1999
>Originator:     Bill Fenner
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Xerox
>Environment:

3.0-RELEASE upgraded to 3.0-CURRENT on 1999/1/20 (including new boot blocks)

>Description:

Typing "load /modules/splash_bmp" causes approximately the error
"can't load module '***': No such file or directory"
where *** is garbage characters

The problem is that mod_searchmodule("/modules/splash_bmp") creates
tn, which is the passed in name with .ko appended to it.  It then
calls mod_searchfile(tn = "/modules/splash_bmp.ko"), which just
returns its argument if its argument exists.  In this case, it does,
so result = tn.  mod_searchmodule() then frees tn, and returns
result.  mod_loadmodule() then tries to load the freed memory, and
prints the error.

>How-To-Repeat:

Type "load /modules/splash_bmp" to new boot loader

>Fix:

mod_searchfile() should not return its argument directly.

cvs diff: Diffing .
Index: module.c
===================================================================
RCS file: /home/ncvs/src/sys/boot/common/module.c,v
retrieving revision 1.7
diff -u -r1.7 module.c
--- module.c	1999/01/11 06:41:31	1.7
+++ module.c	1999/01/23 08:23:28
@@ -452,7 +452,7 @@
     if ((cp != name) || (strchr(name, '/') != NULL)) {
 	/* Qualified, so just see if it exists */
 	if (stat(name, &sb) == 0)
-	    return(name);
+	    return(strdup(name));
 	return(NULL);
     }
     
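Review bot: with the strdup() on the qualified-path branch, every non-NULL result of mod_searchfile() is now heap memory that the caller owns and must free; please confirm the unqualified-name branch of this function (below the hunk, not shown) also returns an allocated string, so callers such as mod_searchmodule() have one consistent contract rather than having to guess which branch produced the pointer. A second, smaller point: `return(strdup(name));` yields NULL on allocation failure, the same value this function uses for "not found", so a caller cannot tell the two apart; if that distinction matters in the loader, a comment on the NULL return documenting that it covers both cases would help.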

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dcs 
Responsible-Changed-By: dcs 
Responsible-Changed-When: Mon Feb 8 13:30:02 PST 1999 
Responsible-Changed-Why:  
My backyard, Mike's busy. 
State-Changed-From-To: open->closed 
State-Changed-By: dcs 
State-Changed-When: Mon Feb 22 05:20:50 PST 1999 
State-Changed-Why:  
Slightly more comprehensive fix committed. Thanks. 
>Unformatted:
