Date:      Sun, 27 May 2001 21:30:12 +0200 (MEST)
From:      ast@marabu.ch
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   i386/27693: A typo in /boot/loader interface "ok load -t foo" may hang system
Message-ID:  <200105271930.f4RJUCK01642@srv.marabu.ch>


>Number:         27693
>Category:       i386
>Synopsis:       /boot/loader may hang on "load -t type file" when type is missing
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 27 12:40:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Steinmann
>Release:        FreeBSD 4.3-STYX i386
>Organization:
Steinmann Consulting
>Environment:
System: FreeBSD srv.marabu.ch 4.3-STYX FreeBSD 4.3-STYX #0: Fri May 18 20:20:58 GMT 2001 root@srv.marabu.ch:/usr/src/sys/compile/STYX i386
>Description:
In sys/boot/common/module.c, near line 105 a request for a raw
file is processed by passing its name in argv[1]:
        return(mod_loadobj(typestr, argv[1]));
however, it is not tested to see if argv[1] actually is defined.

At best, mod_loadobj() near line 244 returns an error like
"can't find 'garbage'" but if the "filename" entered is sufficiently
long, some buffer gets overrun. Of course, "load -t filename" is
actually a typo because we meant to type "load -t mfs_root filename";
nevertheless, a hung machine seems like too harsh a punishment for
such a small typo...

>How-To-Repeat:
Here is a session which shows the problem:

FreeBSD/i386 bootstrap loader, Revision 0.8
(root@srv.marabu.ch, Wed May 23 12:39:29 GMT 2001)
Loading /boot/defaults/loader.conf 
/kernel text=0x18f9bb data=0x20c4c+0x2aecc syms=[0x4+0x26990+0x4+0x2bf24]

Hit [Enter] to boot immediately, or any other key for command prompt.


Type '?' for a list of commands, 'help' for more detailed help.
ok  unload
ok ls
/
 d  root
 d  home
 d  bin
 d  boot
 d  dev
 d  etc
 d  mnt
 d  sbin
 l  tmp
 d  usr
 d  var
    .cshrc
    .profile
    kernel.GENERIC
    kernel.config
    boot.config
    k.GENERIC.gz
    fs.GENERIC.gz
 d  pi
    kernel
    k.PIC.gz
    fs.PIC.gz
ok load k.PIC                                           
/k.PIC text=0xdd797 data=0x17294+0x16420 /
ok load -t fs.PIC
can't find 'øt 
À
 '
ok 
ok load -t fs.PIC...........
can't find 'ÄëÄëÄëÄë
... HUNG!

>Fix:
With the patch to module.c attached below, we diagnose the bogus argv[1]
as being a bad type:

FreeBSD/i386 bootstrap loader, Revision 0.8
(root@srv.marabu.ch, Sun May 27 20:57:11 MEST 2001)
Loading /boot/defaults/loader.conf 
/kernel text=0x18f9bb data=0x20c4c+0x2aecc syms=[0x4+0x26990+0x4+0x2bf24]

Hit [Enter] to boot immediately, or any other key for command prompt.


Type '?' for a list of commands, 'help' for more detailed help.
ok unload
ok ls
/
 d  root
 d  home
 d  bin
 d  boot
 d  dev
 d  etc
 d  mnt
 d  sbin
 l  tmp
 d  usr
 d  var
    .cshrc
    .profile
    kernel.GENERIC
    kernel.config
    boot.config
    k.GENERIC.gz
    fs.GENERIC.gz
 d  pi
    kernel
    k.PIC.gz
    fs.PIC.gz
ok load k.PIC                                           
/k.PIC text=0xdd797 data=0x17294+0x16420 /
ok load -t fs.PIC
invalid load type
ok load -t mfs_root foo bar
invalid load type
ok load -t mfs_root fs.PIC
ok 


Index: module.c
===================================================================
RCS file: /usr/cvs/src/sys/boot/common/module.c,v
retrieving revision 1.13.2.1
diff -u -r1.13.2.1 module.c
--- module.c    2000/12/28 13:12:35     1.13.2.1
+++ module.c    2001/05/27 18:56:21
@@ -98,7 +98,7 @@
      * Request to load a raw file?
      */
     if (dofile) {
-       if ((typestr == NULL) || (*typestr == 0)) {
+       if (argc != 2 || (typestr == NULL) || (*typestr == 0)) {
            command_errmsg = "invalid load type";
            return(CMD_ERROR);
        }
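
Review bot: the new "argc != 2" test in the "if (dofile)" condition reuses the "invalid load type" message, so "load -t mfs_root foo bar", where the type is valid and only the operand count is wrong, gets a misleading diagnostic. Consider checking the operand count on its own with a usage-style message, and add a one-line comment that argv[1] must be the single file name, because what "argc != 2" means depends on how argc and argv were adjusted after option parsing, which this hunk does not show.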


Adrian Steinmann
_________________________________________________________________________
Dr. Adrian Steinmann  Steinmann Consulting  Apollostrasse 21  8032 Zurich
   Tel +41 1 380 30 83     Fax +41 1 380 30 85    Mailto:ast@marabu.ch

>Release-Note:
>Audit-Trail:
>Unformatted:
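
The operand-count check this report asks for, as an added example that is not part of the original message or of the FreeBSD loader source: a simplified model of "load [-t type] file" that refuses to read argv[] slots the user never supplied. The names load_cmd and fake_loadobj, the numeric CMD_* values, and every message string except "invalid load type" are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define CMD_OK    0   /* values chosen for this example */
#define CMD_ERROR 1

static const char *command_errmsg;  /* error-string convention as in the report */

/* Hypothetical stand-in for mod_loadobj(): only reports what it was given. */
static int fake_loadobj(const char *type, const char *name)
{
    printf("loading '%s' as type '%s'\n", name, type);
    return CMD_OK;
}

/* Simplified model of "load [-t type] file": every argv[] index is
 * checked against argc before it is dereferenced. */
int load_cmd(int argc, char *argv[])
{
    const char *typestr = NULL;
    int i = 1;                          /* argv[0] is the command name */

    command_errmsg = NULL;
    if (i < argc && strcmp(argv[i], "-t") == 0) {
        if (i + 1 >= argc) {            /* "-t" with nothing after it */
            command_errmsg = "option -t requires a type";
            return CMD_ERROR;
        }
        typestr = argv[i + 1];
        i += 2;
    }
    if (argc - i != 1) {                /* exactly one file name must remain */
        command_errmsg = "usage: load [-t type] file";
        return CMD_ERROR;
    }
    if (typestr != NULL && *typestr == '\0') {
        command_errmsg = "invalid load type";
        return CMD_ERROR;
    }
    return fake_loadobj(typestr ? typestr : "(module)", argv[i]);
}

int main(void)
{
    char *typo[] = { "load", "-t", "fs.PIC", NULL };   /* constructed input */
    if (load_cmd(3, typo) == CMD_ERROR)
        printf("rejected: %s\n", command_errmsg);
    return 0;
}
```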
