[Bug 211195] pw userdel Segmentation fault (core dumped)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jul 20 21:58:52 UTC 2016


rday <ryan at ryanday.net> changed:

           What    |Removed                     |Added
                 CC|                            |ryan at ryanday.net

--- Comment #3 from rday <ryan at ryanday.net> ---
Created attachment 172760
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=172760&action=edit
Patch for 211195

The crash occurs in the rm_r() function, however the core dump issue looks a
little more subtle than not having a home directory. For example, the commands

# pw user add someuser -g somegroup -d "/home/someuser" -s "/usr/sbin/nologin"
# pw user del someuser -r

Won't core dump. /home/someuser doesn't exist, and the problematic code never

In your example the home directory was "/dev/null", which *does* exist even
though -m wasn't specified. The program uses openat(2) with the O_DIRECTORY
flag to open "/dev/null" which is not a directory. openat() returns an
unchecked error, and the program crashes when it tries to open the invalid

I was able to reproduce this in the master branch on the Github repo. I
attached a patch for the rm_r() function to check the return value of openat().
It looks like openat()'s return value isn't checked in a couple other locations
in the code as well. Those code paths may not be accessible though.

You are receiving this mail because:
You are on the CC list for the bug.

More information about the freebsd-amd64 mailing list