From owner-freebsd-bugs@FreeBSD.ORG  Tue Aug 24 13:40:03 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2C84410656A8
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 24 Aug 2010 13:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id E6EC48FC1C
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 24 Aug 2010 13:40:02 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o7ODe2Qn092234
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 24 Aug 2010 13:40:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o7ODe2eT092224;
	Tue, 24 Aug 2010 13:40:02 GMT (envelope-from gnats)
Resent-Date: Tue, 24 Aug 2010 13:40:02 GMT
Resent-Message-Id: <201008241340.o7ODe2eT092224@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Martin Beran <mb@tns.cz>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0414D1065670
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 24 Aug 2010 13:31:35 +0000 (UTC) (envelope-from mb@tns.cz)
Received: from pha.tns.cz (pha.tns.cz [62.245.67.254])
	by mx1.freebsd.org (Postfix) with ESMTP id BA3038FC14
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 24 Aug 2010 13:31:34 +0000 (UTC)
Received: from pha.tns.cz (localhost [127.0.0.1])
	by pha.tns.cz (Postfix) with ESMTP id C488437DA4A
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 24 Aug 2010 15:16:14 +0200 (CEST)
Received: by pha.tns.cz with ESMTP id 4OTV63O001WIBYQ27P5;
	Tue, 24 Aug 2010 15:16:14 +0200 (CEST)
Message-Id: <20100824131613.DC8502A6826@mb.tns.cz>
Date: Tue, 24 Aug 2010 15:16:13 +0200 (CEST)
From: Martin Beran <mb@tns.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: bin/149936: [patch] wrong handling of decompression utilities in
	libmagic 
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Martin Beran <mb@tns.cz>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2010 13:40:03 -0000


>Number:         149936
>Category:       bin
>Synopsis:       [patch] wrong handling of decompression utilities in libmagic
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 24 13:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        FreeBSD 8.0-RELEASE-p2 i386
>Organization:
Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #11: Thu Jul 29 16:49:38 CEST 2010 root@mb.tns.cz:/usr/obj/usr/src/sys/GENERIC i386

Observed also on FreeBSD 7.1.
>Description:
	Function magic_buffer() from libmagic(3) uses external utilities for
	decompression of compressed files. Data from an input in-memory buffer
	should be passed to the external program via a pipe. Due to an
	incorrect condition, the pipe is not initialized, hence no data are
	passed to the program. Moreover, calling close(2) with an argument
	taken from an unitialized memory location causes closing of two
	indeterministically selected file descriptors. If the descriptor
	intended for reading from the decompression process is closed, the
	libmagic code will be stuck in an endless loop, using 100 % CPU,
	calling select(2) that always fails with EBADF.
>How-To-Repeat:
	Call magic_buffer(m, buf, sz) for m obtained by a prior call of
	magic_open(MAGIC_COMPRESS), with buf containing data compressed by
	bzip2.
>Fix:

	Apply the attached patch in /usr/src, recompile and reinstall
	/usr/src/lib/libmagic:

diff -ru contrib.orig/file/compress.c contrib/file/compress.c
--- contrib.orig/file/compress.c	2009-05-19 00:34:33.000000000 +0200
+++ contrib/file/compress.c	2010-08-24 15:09:11.000000000 +0200
@@ -197,6 +197,7 @@
 			if (selrv == -1) {
 				if (errno == EINTR || errno == EAGAIN)
 					continue;
+				return -1;
 			} else if (selrv == 0 && cnt >= 5) {
 				return 0;
 			} else
@@ -381,7 +382,7 @@
 	(void)fflush(stdout);
 	(void)fflush(stderr);
 
-	if ((fd != -1 && pipe(fdin) == -1) || pipe(fdout) == -1) {
+	if ((fd == -1 && pipe(fdin) == -1) || pipe(fdout) == -1) {
 		file_error(ms, errno, "cannot create pipe");	
 		return NODATA;
 	}
>Release-Note:
>Audit-Trail:
>Unformatted: