From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 192839] Duplicate entries in an mtree file cause nmtree to coredump
Date: Sun, 23 Jul 2023 15:30:05 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: felix.dietrich+freebsd-bugtracker@sperrhaken.name
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192839

--- Comment #7 from Felix Dietrich ---

The problem that brought me here is a segmentation fault resulting from feeding the following example to nmtree:

/set type=dir
.
dup
..
dup
child_entry type=file

Line numbers in the following paragraph are according to FreeBSD 12.4-RELEASE-p2 (git hash 149768b65d619833331bcf0c2fb121b20643f2f1).

The segmentation fault is caused by using the memory pointed to by centry (“last = centry” in the “spec” function [spec.c:252]) after it has been freed in replacenode (“free(new)” [spec.c:536]). (A comment in the addchild function [spec.c:775] indicates that at least addchild is aware that replacenode will free the centry.) The memory gets reused for the next centry (“centry = calloc(…” [spec.c:207]) and assigned the global defaults (“*centry = ginfo” [spec.c:209]). The parent member of the ginfo record is NULL [spec.c:122], and, as a consequence of the faulty memory reuse, addchild gets passed NULL (“addchild(last->parent, centry)” [spec.c:260]) for its pathparent parameter. This results in a segmentation fault early in addchild because of a NULL dereference (“cur = pathparent->child” [spec.c:734]). Also note that last->type gets overridden and set to F_FILE [spec.c:215], and, therefore, not the branch “last->type == F_DIR && !(last->flags & F_DONE)” [spec.c:245] is taken, as one would expect by correct operation, but the final else branch “new relative child in parent dir” [spec.c:253].

I have not reasoned much about solutions. It might be possible for a quick and dirty fix to dispense with the “free(new)” call in replacenode [spec.c:536] at the cost of leaking memory and making the code even harder to reason about. Another solution could make replacenode actually replace the node (removing “cur” from the data structure and emplacing “new” in its stead) instead of overwriting the members of the existing “cur” node – but I have not tried to understand and follow the assumptions addchild makes of replacenodeʼs operations.

-- 
You are receiving this mail because:
You are the assignee for the bug.
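Added illustration, not part of the bug report and not FreeBSD's spec.c: a constructed, minimal tree builder with the same ownership shape the comment describes (a replacenode helper that frees the node it is handed, and a caller that keeps a "last" pointer), showing the fix shape of returning the surviving node so "last" never points at freed memory. The node layout, the function names mknode/free_tree and the demo driver are assumptions made for this example; the replayed input is the comment's sample spec.

```c
/* Constructed model (not FreeBSD's spec.c) of the bug in comment #7: replacenode
 * frees the node it is handed, so the caller must keep the survivor as "last". */
#include <stdlib.h>
#include <string.h>

typedef struct node { char name[32]; int is_dir;
                      struct node *parent, *child, *next; } node_t;

static node_t *mknode(const char *name, int is_dir) {
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    strncpy(n->name, name, sizeof n->name - 1);
    n->is_dir = is_dir;
    return n;
}

/* Bug shape: a void replacenode that frees "new" leaves the caller dangling.
 * Fix shape: return the survivor so the caller can re-point "last" at it. */
static node_t *replacenode(node_t *cur, node_t *new) {
    cur->is_dir = new->is_dir;
    free(new);
    return cur;
}

/* Insert under parent, or merge on a duplicate name; returns the node still allocated. */
static node_t *addchild(node_t *parent, node_t *new) {
    if (parent == NULL) { free(new); return NULL; }   /* the "pathparent->child" crash path */
    for (node_t *cur = parent->child; cur != NULL; cur = cur->next)
        if (strcmp(cur->name, new->name) == 0)
            return replacenode(cur, new);
    new->parent = parent;
    new->next = parent->child;
    parent->child = new;
    return new;
}

static void free_tree(node_t *n) {
    while (n != NULL) { node_t *nx = n->next; free_tree(n->child); free(n); n = nx; }
}

/* Replays the sample spec (dup, .., dup, child_entry); returns the child count of "." or -1. */
int demo_duplicate_entries(void) {
    node_t *root = mknode(".", 1), *last;
    last = addchild(root, mknode("dup", 1));          /* first "dup" */
    last = addchild(last->parent, mknode("dup", 1));  /* "..", then duplicate "dup": merged */
    if (last == NULL || addchild(last->parent, mknode("child_entry", 0)) == NULL)
        return -1;
    int n = 0; for (node_t *c = root->child; c != NULL; c = c->next) n++;
    free_tree(root);
    return n;                                         /* 2: "dup" and "child_entry" */
}
```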