From owner-freebsd-bugs Fri Oct 11 7:40:11 2002
Message-Id: <200210111443.QAA20762@build.cequrux.com>
Date: Fri, 11 Oct 2002 16:43:35 +0200 (SAST)
From: apb@cequrux.com
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.2
Subject: bin/43930: ldconfig calls bcopy with wrong size
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number: 43930
>Category: bin
>Synopsis: ldconfig calls bcopy with wrong size
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 11 07:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Alan Barrett
>Release: FreeBSD 4.6
>Organization: Not much
>Environment:
>Description:

In the enter() function in ldconfig, bcopy is sometimes called with the wrong size: MAXDEWEY instead of MAXDEWEY*sizeof(int), or sizeof(sbp->dewey).

The effect of this error is that only the major and minor version numbers are copied into the data structure. The third, fourth and later teeny version numbers, if any, are accidentally set to zero.

As a consequence of this error, ldconfig will sometimes end up choosing the second-highest numbered shared library instead of the highest numbered shared library. The incorrect choice happens when the highest numbered library happens to be the first one encountered in the readdir() loop, and when the difference between the highest and second-highest numbered library is not apparent in the first two (major and minor) version number fields, but only in the third or later fields.

>How-To-Repeat:

The following commands demonstrate the problem under FreeBSD-2.2. Demonstrating it under more recent ELF systems is difficult, because it's masked by all the ELF library symlinks.
    # cd /usr/lib
    # touch libfoo.so.1.2.3.4
    # touch libfoo.so.1.2.3.1
    # ls -1f | grep libfoo
    libfoo.so.1.2.3.4
    libfoo.so.1.2.3.1
    # ldconfig -R -v | grep libfoo
    Adding /usr/lib/libfoo.so.1.2.3.4
    Updating libfoo.1.2 to /usr/lib/libfoo.1.2.3.1

Although the first line of ldconfig output shows it adding version 1.2.3.4, the bcopy size error makes it act as though it added version 1.2.0.0. Later, version 1.2.3.1 is seen as higher than 1.2.0.0, and this causes the "Updating" output. The error does not occur if the output from "ls -f" is in the opposite order.

>Fix:

Apply the following patch to src/sbin/ldconfig/ldconfig.c in -current and the RELENG_4_* and RELENG_3_* branches. Apply it to src/gnu/usr.bin/ld/ldconfig/ldconfig.c in the RELENG_2_* branches if anybody cares.

--- ldconfig.c 2002/09/17 01:48:53 1.38 +++ ldconfig.c 2002/10/11 13:56:40 @@ -357,7 +357,7 @@ shp = (struct shlib_list *)xmalloc(sizeof *shp); shp->name = strdup(name); shp->path = concat(dir, "/", file); - bcopy(dewey, shp->dewey, MAXDEWEY); + bcopy(dewey, shp->dewey, sizeof(sbp->dewey)); shp->ndewey = ndewey; shp->next = NULL;

>Release-Note:
>Audit-Trail:
>Unformatted:
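
Review bot: The added bcopy line takes its size from `sbp->dewey`, but every other line of this hunk, including the destination argument on the same line, uses `shp`, and no `sbp` appears in the visible context. If `sbp` is not declared in enter(), the patched file will not compile. Suggest `bcopy(dewey, shp->dewey, sizeof(shp->dewey));` so the byte count is derived from the same object that is written to. It is also worth checking that the `dewey` source passed into enter() is at least that large, since the copy now reads the full array width rather than 8 bytes.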
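
The copy-size error described in the report, reduced to a small C program (an added example, not code from ldconfig or from the report's author). `struct entry`, `cmp_dewey`, `chosen_index`, the value of `MAXDEWEY`, 4-byte `int` and the zero-filled allocation are assumptions made for illustration, and `memcpy` stands in for `bcopy`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXDEWEY 8 /* assumed value; with 4-byte ints, 8 bytes = two fields */
struct entry { int dewey[MAXDEWEY]; int ndewey; int index; }; /* stand-in */

/* Constructed inputs: 1.2.3.4 and 1.2.3.1 in both directory orders. */
static int high_first[2][MAXDEWEY] = { {1, 2, 3, 4}, {1, 2, 3, 1} };
static int low_first[2][MAXDEWEY] = { {1, 2, 3, 1}, {1, 2, 3, 4} };

/* Simplified field-by-field comparison of two version vectors. */
static int cmp_dewey(const int *a, int na, const int *b, int nb)
{
    for (int i = 0; i < na && i < nb; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return (na > nb) - (na < nb);
}

/* Feed versions in directory order; return the index finally selected. */
static int chosen_index(int vers[][MAXDEWEY], int count, int ndewey, int buggy)
{
    struct entry *e = NULL;
    for (int i = 0; i < count; i++) {
        if (e == NULL) {
            /* calloc models the uncopied fields reading as zero */
            if ((e = calloc(1, sizeof *e)) == NULL)
                return -1;
            /* buggy: byte count is MAXDEWEY, so only two ints are copied */
            memcpy(e->dewey, vers[i], buggy ? MAXDEWEY : sizeof(e->dewey));
            e->ndewey = ndewey;
            e->index = i;
        } else if (cmp_dewey(vers[i], ndewey, e->dewey, e->ndewey) > 0) {
            /* update path: full-size copy (assumed correct here) */
            memcpy(e->dewey, vers[i], sizeof(e->dewey));
            e->ndewey = ndewey;
            e->index = i;
        }
    }
    int result = e ? e->index : -1;
    free(e);
    return result;
}

int main(void)
{
    printf("high first, 8-byte copy: index %d\n", chosen_index(high_first, 2, 4, 1));
    printf("high first, full copy:   index %d\n", chosen_index(high_first, 2, 4, 0));
    return 0;
}
```

With the highest version listed first, the 8-byte copy ends on index 1 (1.2.3.1) while the full copy stays on index 0 (1.2.3.4); with the lower version first, both variants pick 1.2.3.4.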