From owner-freebsd-current Fri Feb 8 16: 1:36 2002
Delivered-To: freebsd-current@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id B745137B420 for ; Fri, 8 Feb 2002 16:01:23 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id EB5875341; Sat, 9 Feb 2002 01:01:21 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: current@freebsd.org
Subject: double-free in mtree(1)
From: Dag-Erling Smorgrav
Date: 09 Feb 2002 01:01:21 +0100
Message-ID:
Lines: 73
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I get the following error when running mtree(1) in a jail:

root@p4 /usr/src# gdb =mtree
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb.291/gdb/dbxread.c line 2629 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb.291/gdb/dbxread.c line 935 in fill_symbuf
(gdb) set args -deU -f /etc/mtree/BSD.root.dist -p /
(gdb) run
Starting program: /usr/sbin/mtree -deU -f /etc/mtree/BSD.root.dist -p /
mtree in free(): error: chunk is already free

Program received signal SIGABRT, Aborted.
0x280b4f07 in kill () from /usr/lib/libc.so.5
(gdb) where
#0  0x280b4f07 in kill () from /usr/lib/libc.so.5
#1  0x28108aa1 in abort () at /usr/src/lib/libc/../libc/stdlib/abort.c:70
#2  0x28107534 in wrterror (p=0x2811193b "chunk is already free\n") at /usr/src/lib/libc/../libc/stdlib/malloc.c:303
#3  0x28107560 in wrtwarning (p=0x2811193b "chunk is already free\n") at /usr/src/lib/libc/../libc/stdlib/malloc.c:311
#4  0x28108446 in ifree (ptr=0x8055700) at /usr/src/lib/libc/../libc/stdlib/malloc.c:989
#5  0x281086d1 in free (ptr=0x8055700) at /usr/src/lib/libc/../libc/stdlib/malloc.c:1121
#6  0x280aff2a in fts_close (sp=0x8059000) at /usr/src/lib/libc/../libc/gen/fts.c:235
#7  0x804c0d4 in vwalk () at /usr/src/usr.sbin/mtree/verify.c:155
#8  0x804be12 in verify () at /usr/src/usr.sbin/mtree/verify.c:72
#9  0x804b3c1 in main (argc=6, argv=0xbfbff574) at /usr/src/usr.sbin/mtree/mtree.c:167
#10 0x80493c9 in _start (arguments=0xbfbff688 "/usr/sbin/mtree") at /usr/src/lib/csu/i386-elf/crt1.c:96
(gdb) up 6
#6  0x280aff2a in fts_close (sp=0x8059000) at /usr/src/lib/libc/../libc/gen/fts.c:235
235             free(p);
(gdb) p *p
$1 = {fts_cycle = 0xd0d0d0d0, fts_parent = 0xd0d0d0d0, fts_link = 0xd0d0d0d0, fts_number = -791621424, fts_pointer = 0xd0d0d0d0, fts_accpath = 0xd0d0d0d0, fts_path = 0xd0d0d0d0, fts_errno = -791621424, fts_symfd = -791621424, fts_pathlen = 53456, fts_namelen = 53456, fts_ino = 3503345872, fts_dev = 3503345872, fts_nlink = 53456, fts_level = -12080, fts_info = 53456, fts_flags = 53456, fts_instr = 53456, fts_statp = 0xd0d0d0d0, fts_name = ""}
(gdb) p *sp
$2 = {fts_cur = 0x8055700, fts_child = 0x0, fts_array = 0x0, fts_dev = 29708, fts_path = 0x805a000 "./proc", fts_rfd = 3, fts_pathlen = 1280, fts_nitems = 0, fts_compar = 0, fts_options = 528}
(gdb) p *(sp->fts_cur)
$3 = {fts_cycle = 0xd0d0d0d0, fts_parent = 0xd0d0d0d0, fts_link = 0xd0d0d0d0, fts_number = -791621424, fts_pointer = 0xd0d0d0d0, fts_accpath = 0xd0d0d0d0, fts_path = 0xd0d0d0d0, fts_errno = -791621424, fts_symfd = -791621424, fts_pathlen = 53456, fts_namelen = 53456, fts_ino = 3503345872, fts_dev = 3503345872, fts_nlink = 53456, fts_level = -12080, fts_info = 53456, fts_flags = 53456, fts_instr = 53456, fts_statp = 0xd0d0d0d0, fts_name = ""}
(gdb)

Same thing happens when I run it outside the jail, but pointing to the jail's root directory. Seems like an fts bug, but I was unable to discover the exact cause.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
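Added example, not part of the message above and not code from FreeBSD's mtree(1) or fts(3). The backtrace shows fts_close() calling free() on the entry sp->fts_cur still points to, after that entry had already been released: every field of it reads as 0xd0, the junk byte FreeBSD's malloc of that era writes into freed chunks when junk-filling is enabled, so the "chunk is already free" abort is the allocator catching the second free. The walker below, written here in C against the portable fts(3) interface (it builds on FreeBSD and glibc), shows the part of that contract the caller controls: per-entry failures such as FTS_DNR, FTS_ERR and FTS_NS are data, not a reason to abandon the handle; errno is checked after the final fts_read(); and the FTS handle is passed to fts_close() exactly once, with no FTSENT freed by anyone else. walk_tree(), struct walk_stats, touch() and self_check() are names chosen for this example, FTS_XDEV is used the way mtree's -x flag uses it, and the temporary tree self_check() builds under /tmp is constructed for the example.

```c
/*
 * Added example, not code from the original message or from FreeBSD's
 * mtree(1)/fts(3): a walk in the style of mtree's vwalk() that records
 * per-entry failures, checks errno after the last fts_read(), and hands
 * the handle to fts_close() exactly once.  All names are chosen here.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct walk_stats {
    unsigned long dirs;    /* directories visited in pre-order (FTS_D) */
    unsigned long files;   /* regular files (FTS_F) */
    unsigned long errors;  /* entries reported as FTS_DNR, FTS_ERR or FTS_NS */
};

/* Walk 'root' with FTS_PHYSICAL (no symlink following, mtree's default) plus
 * extra_opts, e.g. FTS_XDEV to stay on one filesystem like mtree -x.  Returns
 * 0 when the walk ran to completion (see st->errors for entries that failed)
 * and -1 on a hard error. */
int walk_tree(const char *root, int extra_opts, struct walk_stats *st)
{
    char *const argv[] = { (char *)root, NULL };
    FTS *fts;
    FTSENT *p;
    int rc = 0;
    memset(st, 0, sizeof *st);
    if ((fts = fts_open(argv, FTS_PHYSICAL | extra_opts, NULL)) == NULL)
        return -1;
    for (;;) {
        errno = 0;     /* fts_read() returns NULL with errno 0 at end of walk */
        if ((p = fts_read(fts)) == NULL)
            break;
        switch (p->fts_info) {
        case FTS_D:    st->dirs++;  break;
        case FTS_F:    st->files++; break;
        case FTS_DNR:  /* directory that could not be read */
        case FTS_ERR:  /* other error, see fts_errno */
        case FTS_NS:   /* stat(2) failed, see fts_errno */
            st->errors++;
            fprintf(stderr, "%s: %s\n", p->fts_path, strerror(p->fts_errno));
            break;
        default: break;   /* FTS_DP, FTS_SL, FTS_DEFAULT, ... */
        }
    }
    if (errno != 0)    /* NULL with errno set: the traversal itself failed */
        rc = -1;
    /* fts_close() frees every FTSENT still reachable from fts_cur, so nothing
     * else may free one, and it is called exactly once per handle. */
    if (fts_close(fts) != 0)
        rc = -1;
    return rc;
}

static void touch(const char *path)
{
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0)
        close(fd);
}

/* Constructed tree <tmp>/a and <tmp>/sub/b: returns 0 if the walk reports
 * 2 directories, 2 files and no errors, and a walk of the same path after
 * removal reports exactly one FTS_NS entry without failing the walk. */
int self_check(void)
{
    char tmpl[] = "/tmp/ftswalk.XXXXXX";
    char a[128], sub[128], b[128];
    struct walk_stats st;
    int ok;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(sub, sizeof sub, "%s/sub", tmpl);
    snprintf(a, sizeof a, "%s/a", tmpl);
    snprintf(b, sizeof b, "%s/sub/b", tmpl);
    mkdir(sub, 0700);
    touch(a);
    touch(b);
    ok = walk_tree(tmpl, 0, &st) == 0 &&
         st.dirs == 2 && st.files == 2 && st.errors == 0;
    unlink(b); unlink(a); rmdir(sub); rmdir(tmpl);
    /* root no longer exists: fts reports it as FTS_NS, the walk still ends cleanly */
    ok = ok && walk_tree(tmpl, 0, &st) == 0 &&
         st.errors == 1 && st.dirs == 0 && st.files == 0;
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct walk_stats st;
    int rc = walk_tree(argc > 1 ? argv[1] : ".", FTS_XDEV, &st);
    printf("dirs=%lu files=%lu errors=%lu rc=%d\n", st.dirs, st.files, st.errors, rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as `./walk /path/to/jailroot` to get the same kind of traversal mtree performs over a jail root; a procfs mounted under ./proc is then reported as an entry but, because of FTS_XDEV, not descended into. The errno reset before each fts_read() matters because fts_read() signals both end-of-walk and failure by returning NULL and distinguishes them only through errno.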