From owner-freebsd-bugs@FreeBSD.ORG  Thu Dec 13 10:50:00 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id E3C98777
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Thu, 13 Dec 2012 10:50:00 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id B3B0B8FC0C
 for <freebsd-bugs@smarthost.ysv.freebsd.org>;
 Thu, 13 Dec 2012 10:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id qBDAo0ZC066835
 for <freebsd-bugs@freefall.freebsd.org>; Thu, 13 Dec 2012 10:50:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.5/8.14.5/Submit) id qBDAo07t066834;
 Thu, 13 Dec 2012 10:50:00 GMT (envelope-from gnats)
Resent-Date: Thu, 13 Dec 2012 10:50:00 GMT
Resent-Message-Id: <201212131050.qBDAo07t066834@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Poul-Henning Kamp <phk@critter.freebsd.dk>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 962EF2B5
 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:46 +0000 (UTC)
 (envelope-from phk@critter.freebsd.dk)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222])
 by mx1.freebsd.org (Postfix) with ESMTP id 4B6D58FC08
 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:46 +0000 (UTC)
Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3])
 by phk.freebsd.dk (Postfix) with ESMTP id 4FA5F8A3FC
 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:39 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
 by critter.freebsd.dk (8.14.5/8.14.5) with ESMTP id qBDAgdaV008195
 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2012 10:42:39 GMT
 (envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost)
 by critter.freebsd.dk (8.14.5/8.14.5/Submit) id qBDAgdjG008194;
 Thu, 13 Dec 2012 10:42:39 GMT (envelope-from phk)
Message-Id: <201212131042.qBDAgdjG008194@critter.freebsd.dk>
Date: Thu, 13 Dec 2012 10:42:39 GMT
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/174411: pw(8) core dump
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Poul-Henning Kamp <phk@critter.freebsd.dk>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2012 10:50:01 -0000


>Number:         174411
>Category:       bin
>Synopsis:       pw(8) core dump
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 13 10:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:

FreeBSD c9.freebsd.dk 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r244088: Mon Dec 10 16:36:05 UTC 2012     root@c9.freebsd.dk:/usr/obj/freebsd/svn_src/head/sys/GENERIC  amd64


>Description:

	The pw(8) program coredumps on bad memory management

>How-To-Repeat:

	On a freshly installed -current, executing:

	/usr/sbin/pw useradd phk -u 488 -d /home/phk \
		-c "Poul-Henning Kamp" -G "wheel,operator,dialer" \
		-s /bin/csh -w none

	This coredumps in jemalloc, from the call in line 761 in
	src/usr.sbin/pw/pw_user.c:

		if (j == 0)
			grp->gr_mem = NULL;
	>>>>>	grp->gr_mem = reallocf(grp->gr_mem, sizeof(*grp->gr_mem) *
						    (j + 2));
		grp->gr_mem[j] = pwd->pw_name;

	Reading the getgrent(3) manual page, it is far from clear to me
	that there is any reason to assume that grp->gr_mem is a malloced
	pointer.

	On the other hand, it is not clear to me that getgrent() is what
	is being called in the first place.

	Notice also the missing error handling on reallocf() failure,
	something more helpful than a somewhat-NULL pointer deref
	coredump could be called for.

>Fix:

	Rather than reallocf() a dedicated malloc() + memcopy() seems
	called for.
>Release-Note:
>Audit-Trail:
>Unformatted: