kern/64983: regfree() crasher

Balazs Nagy js at iksz.hu
Wed Mar 31 01:30:22 PST 2004


>Number:         64983
>Category:       kern
>Synopsis:       regfree() crasher
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 31 01:30:21 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Balazs Nagy
>Release:        FreeBSD 5.2.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD tcb.aranyoroszlan.hu 5.2.1-RELEASE-p1 FreeBSD 5.2.1-RELEASE-p1 #1: Tue Mar 16 08:23:41 CET 2004 root at tcb.aranyoroszlan.hu:/opt/devel/obj/opt/devel/src/sys/SAMU i386

>Description:
regfree() in src/libc/regex/regfree.c doesn't check its parameter, and with an
invalid pointer the application crashes.

>How-To-Repeat:

My problem originated with apache2, which dumps core multiple times.  I
recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:

(gdb) bt     
#0  0x283b6dcf in kill () from /lib/libc.so.5
#1  0x08076f11 in sig_coredump (sig=11) at mpm_common.c:955
#2  0x28353f34 in _thread_sig_handler () from /usr/lib/libc_r.so.5
#3  0x28353d9d in _thread_sig_handler () from /usr/lib/libc_r.so.5
#4  <signal handler called>
#5  0x285fdd70 in ?? ()
#6  0x0807161f in regex_cleanup (preg=0x0) at util.c:258
#7  0x283123bd in run_cleanups (cref=0x80d1028) at apr_pools.c:1951
#8  0x28311b1c in apr_pool_destroy (pool=0x80d1018) at apr_pools.c:730
#9  0x28311b0b in apr_pool_destroy (pool=0x80cf018) at apr_pools.c:727
#10 0x0806eb31 in destroy_and_exit_process (process=0x0,
process_exit_value=0) at main.c:213
#11 0x0806fb1e in main (argc=4, argv=0xbfbfecb8) at main.c:644
#12 0x0805f8a2 in _start ()

ports/www/apache2/work/httpd-2.0.49/server/util.c:258: regfree((regex_t *) preg);

Bug caught.

>Fix:

(text:
--- lib/libc/regex/regfree.c.orig	Fri Mar 22 22:52:47 2002
+++ lib/libc/regex/regfree.c	Wed Mar 31 11:01:00 2004
@@ -62,6 +62,8 @@
 {
 	struct re_guts *g;
 
+	if (!preg)
+		return;
 	if (preg->re_magic != MAGIC1)	/* oops */
 		return;			/* nice to complain, but hard */
 
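Review bot: the added "if (!preg) return;" ahead of the re_magic test guards only a NULL argument, which is exactly the case in the backtrace (regex_cleanup (preg=0x0)), but it does not cover the broader "invalid pointer" wording in the Description: a non-NULL dangling or garbage pointer still faults on the "preg->re_magic" read on the next line, so the Synopsis and Description should say NULL rather than "invalid pointer". Silently returning is consistent with the existing MAGIC1 check ("nice to complain, but hard"), but it also hides the caller's bug, so the regex(3) manual page should state that regfree() now accepts NULL as a no-op, and the Apache cleanup in util.c:258 (regfree((regex_t *) preg)) should still be fixed so a NULL regex is never registered for cleanup in the first place.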
)
>Release-Note:
>Audit-Trail:
>Unformatted:
