bin/61690: fsdb seqfaults in cmd. parsing routine

Jan-Espen Pettersen sigsegv at leakingmemory.org
Wed Jan 28 14:30:30 PST 2004 

The following reply was made to PR bin/61690; it has been noted by GNATS.

From: Jan-Espen Pettersen <sigsegv at leakingmemory.org>
To: freebsd-gnats-submit at FreeBSD.org, hsn at netmag.cz
Cc: sigsegv at leakingmemory.org
Subject: Re: bin/61690: fsdb seqfaults in cmd. parsing routine
Date: Wed, 28 Jan 2004 23:26:36 +0100

 Debug info from gdb:
 
 (gdb) run /dev/ad0s1a
 Starting program: /usr/obj/usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb 
 /dev/ad0s1a
 ** /dev/ad0s1a (NO WRITE)
 Editing file system `/dev/ad0s1a'
 Last Mounted on /
 current inode: directory
 I=2 MODE=40755 SIZE=512
         MTIME=Jan 25 14:26:13 2004 [0 nsec]
         CTIME=Jan 25 14:26:13 2004 [0 nsec]
         ATIME=Jan 28 03:01:06 2004 [0 nsec]
 OWNER=root GRP=wheel LINKCNT=24 FLAGS=0 BLKCNT=4 GEN=7aca51f8
 fsdb (inum: 2)> help test
 
 Breakpoint 1, recrack (line=0x80c6060 "help test\n", argc=0xbfbfeb0c, 
 argc_max=1)
     at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdbutil.c:82
 82          for (p = line, i = 0; p != NULL && i < 8 && i < argc_max - 
 1; i++) {
 (gdb) bt
 #0  recrack (line=0x80c6060 "help test\n", argc=0xbfbfeb0c, argc_max=1) 
 at /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdbutil.c:82
 #1  0x08049a33 in cmdloop () at 
 /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:260
 #2  0x08049664 in main (argc=1, argv=0xbfbfeb74) at 
 /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:107
 #3  0x08049452 in _start ()
 (gdb) next
 90          argv[i] = argv[i - 1] + strlen(argv[i - 1]) + 1;
 (gdb)
 
 Program received signal SIGSEGV, Segmentation fault.
 0x281032f9 in strlen () from /lib/libc.so.5
 (gdb) bt full
 #0  0x281032f9 in strlen () from /lib/libc.so.5
 No symbol table info available.
 #1  0xbfbfeb70 in ?? ()
 No symbol table info available.
 #2  0x08049a33 in cmdloop () at 
 /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:260
         line = 0x80c6060 "help test\n"
         elline = 0x80cb800 "help test\n"
         cmd_argc = 2
         rval = 0
         known = 0
         cmd_argv = (char **) 0x80618a0
         cmdp = (struct cmdtable *) 0x80602a0
         hist = (History *) 0x80b0140
         elptr = (EditLine *) 0x80c5000
         he = {num = 1, str = 0x80c6050 "help test\n"}
 #3  0x08049664 in main (argc=1, argv=0xbfbfeb74) at 
 /usr/src/FreeBSD-CURRENT/sbin/fsdb/fsdb.c:107
         ch = -1
         rval = 2
         fsys = 0xbfbfec98 "/dev/ad0s1a"
 #4  0x08049452 in _start ()
 No symbol table info available.
 
 Patch:
 
 http://www.leakingmemory.org/patches/fsdb/fsdb_segf.diff
 
 
 The crash is caused by an underflow where i = 0, and an attempt to read 
 at argv[i - 1].
 
 Regards,
 Jan-Espen Pettersen

More information about the freebsd-bugs mailing list