Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 23 Jan 1999 00:31:27 PST
From:      Bill Fenner <fenner@parc.xerox.com>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   kern/9631: new boot loader uses freed memory if you specify full path to module to load
Message-ID:  <199901230831.AAA00395@fenestro.parc.xerox.com>
index | next in thread | raw e-mail 


>Number:         9631
>Category:       kern
>Synopsis:       new boot loader uses freed memory if you specify full path to module to load
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 23 00:40:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Bill Fenner
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Xerox
>Environment:

3.0-RELEASE upgraded to 3.0-CURRENT on 1999/1/20 (including new boot blocks)

>Description:

Typing "load /modules/splash_bmp" causes approximately the error
"can't load module '***': No such file or directory"
where *** is garbage characters

The problem is that mod_searchmodule("/modules/splash_bmp") creates
tn, which is the passed in name with .ko appended to it.  It then
calls mod_searchfile(tn = "/modules/splash_bmp.ko"), which just
returns its argument if its argument exists.  In this case, it does,
so result = tn.  mod_searchmodule() then frees tn, and returns
result.  mod_loadmodule() then tries to load the freed memory, and
prints the error.

>How-To-Repeat:

Type "load /modules/splash_bmp" to new boot loader

>Fix:

mod_searchfile() should not return its argument directly.

cvs diff: Diffing .
Index: module.c
===================================================================
RCS file: /home/ncvs/src/sys/boot/common/module.c,v
retrieving revision 1.7
diff -u -r1.7 module.c
--- module.c	1999/01/11 06:41:31	1.7
+++ module.c	1999/01/23 08:23:28
@@ -452,7 +452,7 @@
     if ((cp != name) || (strchr(name, '/') != NULL)) {
 	/* Qualified, so just see if it exists */
 	if (stat(name, &sb) == 0)
-	    return(name);
+	    return(strdup(name));
 	return(NULL);
     }
     

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901230831.AAA00395>