From: "Yuriy Tsibizov" <Yuriy.Tsibizov@gfk.com>
To: "David Schultz"
Cc: freebsd-current@FreeBSD.ORG
Date: Tue, 18 Dec 2007 12:00:38 +0300
Subject: RE: story about lost %ebx (stack corruption in inet_aton ?)
Message-ID: <78664C02FF341B4FAC63E561846E3BCC0EEA58@ex.hhp.local>
In-Reply-To: <20071218085316.GB24316@VARK.MIT.EDU>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

> -----Original Message-----
> From: David Schultz [mailto:das@FreeBSD.ORG]
> Sent: Tuesday, December 18, 2007 11:53 AM
> To: Yuriy Tsibizov
> Cc: freebsd-current@FreeBSD.ORG
> Subject: Re: story about lost %ebx (stack corruption in inet_aton ?)
>
> On Tue, Dec 18, 2007, Yuriy Tsibizov wrote:
> > > My first impression was that there is a bug in the gcc compiler on
> > > 7-BETA and 8-CURRENT (i386 only, and only if optimization is enabled),
> > > but it seems to be incorrect. Most probably the source is stack
> > > corruption in inet_aton()
> >
> > mistyped, it is inet_network() that fails...
> >
> > testcase:
> >
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <stdio.h>
> > #include <string.h>
> >
> > int main(void)
> > {
> > 	in_addr_t val;
> > 	char s[] = "10.10.0.10.0/12"; // four dots here!
> > 	char *q;
> >
> > 	q = strchr(s, '/');
> > 	if (q) {
> > 		*q = '\0';
> > 		/* five dotted parts: inet_network() is expected to return INADDR_NONE */
> > 		if ((val = inet_network(s)) != INADDR_NONE) {
> > 			printf("OK\n");
> > 			return (0);
> > 		}
> > 		/* built with -O1/-O2, the saved %ebx is clobbered and q is lost here */
> > 		printf("q= %p\n", (void *)q);
> > 		*q = '/';
> > 	}
> > 	return (1);
> > }
> >
> >
> > (should be built with -O1 or -O2 to expose that bug)
>
> This isn't the compiler's fault. It looks like an off-by-one error
> in BIND 9.4.1 that's clobbering the saved %ebx on the stack.
> Try this:
>
> Index: lib/libc/inet/inet_network.c
> ===================================================================
> RCS file: /usr/cvs/src/lib/libc/inet/inet_network.c,v
> retrieving revision 1.4
> diff -u -r1.4 inet_network.c
> --- lib/libc/inet/inet_network.c	3 Jun 2007 17:20:26 -0000	1.4
> +++ lib/libc/inet/inet_network.c	18 Dec 2007 08:50:08 -0000
> @@ -83,7 +83,7 @@
>  	if (!digit)
>  		return (INADDR_NONE);
>  	if (*cp == '.') {
> -		if (pp >= parts + 4 || val > 0xffU)
> +		if (pp >= parts + 3 || val > 0xffU)
>  			return (INADDR_NONE);
>  		*pp++ = val, cp++;
>  		goto again;
>

Should it be

---------
--- inet_network.c.orig	2007-06-03 21:20:26.000000000 +0400
+++ inet_network.c	2007-12-18 11:11:33.000000000 +0300
@@ -53,7 +53,7 @@
 {
 	in_addr_t val, base, n;
 	char c;
-	in_addr_t parts[4], *pp = parts;
+	in_addr_t parts[5], *pp = parts;
 	int i, digit;
 
 again:
-----------

because later

	n = pp - parts;
	if (n > 4U)
		return (INADDR_NONE);

Yuriy.
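Review bot: On the `+ if (pp >= parts + 3 || val > 0xffU)` line, the tightened bound is correct (after three stored parts the final unconditional `*pp++ = val` lands in `parts[3]`, the last slot), but it makes the later `if (n > 4U) return (INADDR_NONE);` unreachable, since `n` can no longer exceed 4; either drop that check or add a comment at the '.' branch stating that this comparison is now the only place the part count is enforced, and consider expressing the bound as the array size minus one rather than the bare literal `3` so it cannot be "corrected" back to `4`.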
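Review bot: On the `+ in_addr_t parts[5], *pp = parts;` line, enlarging the array stops the out-of-bounds store but leaves the bound that caused it in place: `pp >= parts + 4` in the '.' branch still accepts a fourth dot, the fifth part is stored into the new slot, and rejection only happens afterwards at `if (n > 4U)`. That works, but it turns the array into a slot whose only purpose is to absorb the store before the trailing check; if this variant is kept, a comment on the declaration saying why the array is one larger than the four parts an address can have would stop a future reader from shrinking it back, and rejecting at the fourth dot (the `parts + 3` bound) avoids the extra slot altogether.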
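As an added example (not code from this thread or from BIND/libc), here is a decimal-only model of inet_network()'s dotted-part parsing, parameterised by the bound used in the '.' branch: 4 reproduces the BIND 9.4.1 behaviour, 3 is David's fix. Instead of performing the final store when it would land past the array, the model records it in a flag, so the off-by-one is visible without corrupting the stack; `model_inet_network`, `would_overflow`, `parse_net`, `PARTS` and `NONE_VAL` are names chosen here.

```c
#include <ctype.h>
#include <stdint.h>

#define PARTS 4                 /* in_addr_t parts[4] in libc's inet_network() */
#define NONE_VAL 0xffffffffU    /* INADDR_NONE */

/* Decimal-only model of inet_network(). dot_bound is the limit used in the
 * '.' branch: 4 reproduces the BIND 9.4.1 bug, 3 is the fix from the thread.
 * The unconditional final store is recorded in *overflowed, not performed,
 * when it would land past parts[PARTS - 1]. */
static uint32_t
model_inet_network(const char *cp, int dot_bound, int *overflowed)
{
    uint32_t parts[PARTS], val;
    int n = 0, i, digit;

    *overflowed = 0;
again:
    val = 0, digit = 0;
    while (isdigit((unsigned char)*cp)) {
        val = val * 10 + (uint32_t)(*cp - '0');
        cp++, digit = 1;
    }
    if (!digit)
        return NONE_VAL;
    if (*cp == '.') {
        if (n >= dot_bound || val > 0xffU)   /* off by one when dot_bound == PARTS */
            return NONE_VAL;
        parts[n++] = val, cp++;
        goto again;
    }
    if (*cp != '\0' && !isspace((unsigned char)*cp))
        return NONE_VAL;
    if (n >= PARTS)
        *overflowed = 1;        /* libc does *pp++ = val here: writes parts[4] */
    else
        parts[n] = val;
    n++;
    if (n > PARTS)              /* the check that fires only after the store */
        return NONE_VAL;
    for (val = 0, i = 0; i < n; i++)
        val = (val << 8) | (parts[i] & 0xffU);
    return val;
}

/* Convenience wrappers: the overflow flag, and the value, for one input. */
static int would_overflow(const char *s, int b) { int o; (void)model_inet_network(s, b, &o); return o; }
static uint32_t parse_net(const char *s, int b) { int o; return model_inet_network(s, b, &o); }
```

With the input from the testcase, bound 4 returns INADDR_NONE only after the out-of-range store has been attempted, while bound 3 rejects at the fourth dot and never reaches it.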