Date: 31 Mar 2004 09:23:37 -0000
From: Balazs Nagy <js@iksz.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/64983: regfree() crasher
Message-ID: <20040331092337.1655.qmail@smtp.aranyoroszlan.hu>
Resent-Message-ID: <200403310930.i2V9UMee053902@freefall.freebsd.org>
>Number: 64983
>Category: kern
>Synopsis: regfree() crasher
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 31 01:30:21 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Balazs Nagy
>Release: FreeBSD 5.2.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD tcb.aranyoroszlan.hu 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #1: Tue Mar 16 08:23:41 CET 2004 root@tcb.aranyoroszlan.hu:/opt/devel/obj/opt/devel/src/sys/SAMU i386

>Description:
regfree() in src/libc/regex/regfree.c doesn't check its parameter, and with an invalid pointer the application crashes.

>How-To-Repeat:
My problem originated with apache2, which dumps core multiple times. I recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:

(gdb) bt
#0  0x283b6dcf in kill () from /lib/libc.so.5
#1  0x08076f11 in sig_coredump (sig=11) at mpm_common.c:955
#2  0x28353f34 in _thread_sig_handler () from /usr/lib/libc_r.so.5
#3  0x28353d9d in _thread_sig_handler () from /usr/lib/libc_r.so.5
#4  <signal handler called>
#5  0x285fdd70 in ?? ()
#6  0x0807161f in regex_cleanup (preg=0x0) at util.c:258
#7  0x283123bd in run_cleanups (cref=0x80d1028) at apr_pools.c:1951
#8  0x28311b1c in apr_pool_destroy (pool=0x80d1018) at apr_pools.c:730
#9  0x28311b0b in apr_pool_destroy (pool=0x80cf018) at apr_pools.c:727
#10 0x0806eb31 in destroy_and_exit_process (process=0x0, process_exit_value=0) at main.c:213
#11 0x0806fb1e in main (argc=4, argv=0xbfbfecb8) at main.c:644
#12 0x0805f8a2 in _start ()

ports/www/apache2/work/httpd-2.0.49/server/util.c:258:
    regfree((regex_t *) preg);

Bug caught.
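The crash in the backtrace is a pool cleanup callback (regex_cleanup, preg=0x0) handing a NULL pointer straight to regfree(). A NULL check inside libc stops that one dereference, but the caller is the side that knows whether a regex_t was ever compiled, so the more robust fix is to track that state at the call site. The following is an added example, not code from this PR, from Apache or from FreeBSD libc: a hypothetical tracked_regex wrapper (the type and function names are assumptions) that records whether regcomp() succeeded, so its cleanup callback, written in the same void * shape as Apache's regex_cleanup, never passes regfree() a NULL or an already-freed object. It uses only POSIX <regex.h> and runs on any platform with a POSIX regex implementation.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the PR, Apache or FreeBSD libc.
 * Hypothetical wrapper: a regex_t plus an ownership flag that is 1 only
 * between a successful regcomp() and the matching regfree(). */
typedef struct {
    int compiled;
    regex_t re;
} tracked_regex;

/* Compile pattern into t. Returns 0 on success, else the regcomp() error code.
 * On failure t->compiled stays 0, so a later cleanup is a harmless no-op. */
int tracked_compile(tracked_regex *t, const char *pattern)
{
    int rc;

    memset(t, 0, sizeof *t);
    rc = regcomp(&t->re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        t->compiled = 1;
    return rc;
}

/* Returns 1 if subject matches, 0 if not, -1 if the regex is not compiled. */
int tracked_match(const tracked_regex *t, const char *subject)
{
    if (t == NULL || !t->compiled)
        return -1;
    return regexec(&t->re, subject, 0, NULL, 0) == 0 ? 1 : 0;
}

/* Cleanup callback in the same shape as Apache's regex_cleanup(void *).
 * Returns 1 if regfree() was actually called, 0 if there was nothing to free.
 * Unlike a bare regfree((regex_t *) data), it refuses NULL and double cleanup,
 * which is the preg=0x0 situation in the backtrace. */
int tracked_cleanup(void *data)
{
    tracked_regex *t = data;

    if (t == NULL || !t->compiled)
        return 0;               /* NULL, never compiled, or already freed */
    regfree(&t->re);
    t->compiled = 0;            /* a second call becomes a no-op */
    return 1;
}

/* Full lifecycle: one successful compile, three cleanup attempts.
 * Exactly one regfree() must happen; returns that count (or -1 on compile error). */
int lifecycle_regfree_count(void)
{
    tracked_regex r;
    int count = 0;

    if (tracked_compile(&r, "^foo[0-9]+$") != 0)
        return -1;
    count += tracked_cleanup(&r);     /* 1: the real free */
    count += tracked_cleanup(&r);     /* 0: double cleanup refused */
    count += tracked_cleanup(NULL);   /* 0: the backtrace's preg=0x0 case */
    return count;
}

/* Compile, match once, clean up. Returns the match result (1/0), -2 if the
 * pattern fails to compile and cleanup correctly did nothing, -3 if cleanup
 * wrongly called regfree() on a regex_t that was never compiled. */
int compile_and_match(const char *pattern, const char *subject)
{
    tracked_regex r;
    int result;

    if (tracked_compile(&r, pattern) != 0)
        return tracked_cleanup(&r) == 0 ? -2 : -3;
    result = tracked_match(&r, subject);
    tracked_cleanup(&r);
    return result;
}

int main(void)
{
    /* Constructed sample inputs; the invalid pattern "foo(" exercises the
     * failed-compile path, where cleanup must not touch regfree(). */
    int ok = lifecycle_regfree_count() == 1
          && compile_and_match("^foo[0-9]+$", "foo42") == 1
          && compile_and_match("^foo[0-9]+$", "bar") == 0
          && compile_and_match("foo(", "foo") == -2;
    return ok ? 0 : 1;
}
```

The ownership flag is what makes the cleanup idempotent: on FreeBSD the re_magic check in regfree() already rejects a zeroed regex_t, but no check inside libc can distinguish a NULL or dangling pointer from a valid one, so the caller has to carry that knowledge itself.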
>Fix:

[uuencoded attachment libc-regfree.patch; decoded text follows]

--- lib/libc/regex/regfree.c.orig Fri Mar 22 22:52:47 2002
+++ lib/libc/regex/regfree.c Wed Mar 31 11:01:00 2004
@@ -62,6 +62,8 @@
 {
 struct re_guts *g;

+ if (!preg)
+ return;
 if (preg->re_magic != MAGIC1) /* oops */
 return; /* nice to complain, but hard */

>Release-Note:
>Audit-Trail:
>Unformatted:
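Review bot: the added `if (!preg) return;` removes the NULL dereference at `preg->re_magic`, but it addresses only the symptom in the backtrace (regex_cleanup called with preg=0x0 from apr_pool_destroy), not why Apache registered a pool cleanup for a NULL regex_t; that caller still needs fixing, since the same cleanup path can hand regfree() a dangling pointer that neither this check nor the existing `re_magic != MAGIC1` test can catch. If tolerating NULL is meant to be a supported contract rather than a defensive measure, say so in a comment on the new check and document it in regfree(3), because POSIX leaves regfree() on anything other than an object initialised by regcomp() undefined and callers should not start relying on silent acceptance. Returning silently is consistent with the existing `/* nice to complain, but hard */` style, so the hunk otherwise fits the surrounding code.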
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040331092337.1655.qmail>