From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 31 01:30:22 2004
Message-Id: <20040331092337.1655.qmail@smtp.aranyoroszlan.hu>
Date: 31 Mar 2004 09:23:37 -0000
From: Balazs Nagy
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: Balazs Nagy
X-Send-Pr-Version: 3.113
Subject: kern/64983: regfree() crasher

>Number: 64983
>Category: kern
>Synopsis: regfree() crasher
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 31 01:30:21 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Balazs Nagy
>Release: FreeBSD 5.2.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD tcb.aranyoroszlan.hu 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #1: Tue Mar 16 08:23:41 CET 2004 root@tcb.aranyoroszlan.hu:/opt/devel/obj/opt/devel/src/sys/SAMU i386

>Description:
regfree() in src/libc/regex/regfree.c doesn't check parameter, and with an invalid pointer, the application crashes.

>How-To-Repeat:
My problem originated with apache2, which dumps core multiple times. I recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:

(gdb) bt
#0 0x283b6dcf in kill () from /lib/libc.so.5
#1 0x08076f11 in sig_coredump (sig=11) at mpm_common.c:955
#2 0x28353f34 in _thread_sig_handler () from /usr/lib/libc_r.so.5
#3 0x28353d9d in _thread_sig_handler () from /usr/lib/libc_r.so.5
#4
#5 0x285fdd70 in ?? ()
#6 0x0807161f in regex_cleanup (preg=0x0) at util.c:258
#7 0x283123bd in run_cleanups (cref=0x80d1028) at apr_pools.c:1951
#8 0x28311b1c in apr_pool_destroy (pool=0x80d1018) at apr_pools.c:730
#9 0x28311b0b in apr_pool_destroy (pool=0x80cf018) at apr_pools.c:727
#10 0x0806eb31 in destroy_and_exit_process (process=0x0, process_exit_value=0) at main.c:213
#11 0x0806fb1e in main (argc=4, argv=0xbfbfecb8) at main.c:644
#12 0x0805f8a2 in _start ()

ports/www/apache2/work/httpd-2.0.49/server/util.c:258:
regfree((regex_t *) preg);

Bug caught.

>Fix:
begin 0 libc-regfree.patch
M+2TM(&QI8B]L:6)C+W)E9V5X+W)E9V9R964N8RYOPH@
M"7-Tre_magic != MAGIC1) /* oops */ return; /* nice to complain, but hard */ )

>Release-Note:
>Audit-Trail:
>Unformatted:
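
Added example, not part of the original report and not FreeBSD or Apache code: a caller-side guard for the situation in frame #6 of the backtrace, where a cleanup callback reaches regfree() with preg=0x0. The names tracked_regex, tracked_regcomp, tracked_regex_cleanup and tracked_regex_match are hypothetical; only the POSIX <regex.h> calls are real.

```c
#include <regex.h>
#include <stddef.h>

/* Hypothetical wrapper: pairs a regex_t with a flag recording whether
 * regcomp() succeeded, so cleanup code can tell if regfree() is legal. */
struct tracked_regex {
    regex_t re;
    int compiled;   /* 1 only between a successful regcomp() and regfree() */
};

/* Compile pattern; returns 0 on success, otherwise the regcomp() error
 * code, or REG_BADPAT if either argument is NULL. */
int tracked_regcomp(struct tracked_regex *tr, const char *pattern, int cflags)
{
    int rc;

    if (tr == NULL || pattern == NULL)
        return REG_BADPAT;
    tr->compiled = 0;
    rc = regcomp(&tr->re, pattern, cflags);
    if (rc == 0)
        tr->compiled = 1;   /* after a failed regcomp() the regex_t must not be freed */
    return rc;
}

/* Cleanup callback in the style of the regex_cleanup() frame in the
 * backtrace. Returns 1 if regfree() was called, 0 if it was skipped. */
int tracked_regex_cleanup(void *data)
{
    struct tracked_regex *tr = data;

    if (tr == NULL || !tr->compiled)
        return 0;           /* NULL, never compiled, or already freed */
    regfree(&tr->re);
    tr->compiled = 0;       /* a second cleanup run becomes a no-op */
    return 1;
}

/* Returns 1 on match, 0 on no match, -1 if tr is not usable. */
int tracked_regex_match(const struct tracked_regex *tr, const char *s)
{
    if (tr == NULL || s == NULL || !tr->compiled)
        return -1;
    return regexec(&tr->re, s, 0, NULL, 0) == 0 ? 1 : 0;
}
```
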