From: Colin Percival
Date: Thu, 23 Oct 2014 13:01:18 -0700
To: Jean-Sébastien Pédron, svn-src-all@freebsd.org
Subject: Re: svn commit: r273487 - head/sys/kern

On 10/23/14 05:49, Jean-Sébastien Pédron wrote:
> The following change triggers a kernel trap 12 when env is NULL:
>
>> @@ -260,8 +262,10 @@ void
>> freeenv(char *env)
>> {
>>
>> - if (dynamic_kenv)
>> + if (dynamic_kenv) {
>> + memset(env, 0, strlen(env));
>> free(env, M_KENV);
>> + }
>> }
>
> This happens very early in boot for me, just after the lines:
> WARNING: WITNESS option enabled, expect reduced performance.
> VT: running with driver "vga".

This sounds like a bug in the code which is using kern_getenv / freeenv.
The comment at kern_getenv says
 * Look up an environment variable by name.
 * Return a pointer to the string if found.
 * The pointer has to be freed with freeenv()
 * after use.
which I interpret to mean that if the environment variable is not found
and you don't get a pointer to a string, you shouldn't be freeing it.

I'm willing to work around this in freeenv, but since we're in HEAD and
this isn't going to be MFCed, it seems like an opportunity to fix the
code which is calling freeenv(NULL).

> The attached simple patch fixes the problem.
>
> What I don't know is if the same problem can occur in kern_unsetenv():
>
>> @@ -437,6 +441,7 @@ kern_unsetenv(const char *name)
>> kenvp[i++] = kenvp[j];
>> kenvp[i] = NULL;
>> mtx_unlock(&kenv_lock);
>> + memset(oldenv, 0, strlen(oldenv));
>> free(oldenv, M_KENV);
>> return (0);
>> }

We can only get into that code if cp != NULL, and cp is part of the
string pointed to by kenvp[i] (aka. oldenv) so unless I'm missing
something we're guaranteed that oldenv is a pointer to a string here.

Colin Percival
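
Review bot: In the freeenv() hunk, the added memset(env, 0, strlen(env)) evaluates strlen(env) with no NULL check, so a caller that passes NULL now faults at that line, whereas the old body only handed env to free(). Either guard the block, for example `if (dynamic_kenv && env != NULL) {`, or keep the hunk as it is and state in the function's comment that env must be a pointer returned by a successful kern_getenv(), then fix the callers that pass NULL.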
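
Review bot: In the kern_unsetenv() hunk, the added memset(oldenv, 0, strlen(oldenv)) assumes oldenv is a valid string, and nothing in the visible lines establishes that; the guarantee comes from a check earlier in the function that is outside this hunk. A short comment or an assertion above the memset stating that this path is reached only after the variable was found would make the assumption checkable. The same zero-then-free pair also appears in freeenv(), so a small shared helper would keep the two sites consistent.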