From davidn@sdev.usn.blaze.net.au Mon Oct 28 08:07:43 1996
Received: from sdev.usn.blaze.net.au (sdev.usn.blaze.net.au [203.17.53.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA03994 for ; Mon, 28 Oct 1996 08:07:31 -0800 (PST)
Received: (from root@localhost) by sdev.usn.blaze.net.au (8.7.6/8.6.9) id DAA10189; Tue, 29 Oct 1996 03:07:23 +1100 (EST)
Message-Id: <199610281607.DAA10189@sdev.usn.blaze.net.au>
Date: Tue, 29 Oct 1996 03:07:23 +1100 (EST)
From: David Nugent
Reply-To: davidn@sdev.usn.blaze.net.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: List management bug in last, shows up with /etc/malloc.conf -> AJ
X-Send-Pr-Version: 3.2

>Number:         1916
>Category:       bin
>Synopsis:       A linked list bug in last.c causes last to dump core
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 28 08:10:01 PST 1996
>Closed-Date:    Mon Oct 28 22:52:57 MET 1996
>Last-Modified:  Mon Oct 28 14:00:03 PST 1996
>Originator:     David Nugent - davidn@blaze.net.au
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Unique Computing, Melbourne, Australia
>Environment:
Under some circumstances, last from -current dumps core. A sample wtmp file (uuencoded attached below) demonstrates the problem.
>Description:
A pointer is free(3)'ed, and subsequently used in the wtmp() function in last.c. With MALLOC_OPTIONS set to AJ, the contents of the memory pointed to by the freed pointer are no longer valid, causing a core dump.
>How-To-Repeat:
Run 'last' on the attached wtmp.
>Fix:
Diff attached:
*** /usr/src/usr.bin/last/last.c.orig Tue Oct 29 02:57:23 1996 --- /usr/src/usr.bin/last/last.c Tue Oct 29 02:59:10 1996 *************** *** 191,199 **** */ if (bp->ut_line[0] == '~' && !bp->ut_line[1]) { /* everybody just logged out */ !
for (tt = ttylist.lh_first; tt; tt = tt->list.le_next) { LIST_REMOVE(tt, list); free(tt); } currentout = -bp->ut_time; crmsg = strncmp(bp->ut_name, "shutdown", --- 191,202 ---- */ if (bp->ut_line[0] == '~' && !bp->ut_line[1]) { /* everybody just logged out */ ! tt = ttylist.lh_first; ! while (tt) { ! struct ttytab * tn = tt->list.le_next; LIST_REMOVE(tt, list); free(tt); + tt = tn; } currentout = -bp->ut_time; crmsg = strncmp(bp->ut_name, "shutdown",
Encoded wtmp which demonstrates the problem.
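Review bot: The replacement loop correctly takes `tn = tt->list.le_next` before `free(tt)`; the old `for` loop's increment expression `tt = tt->list.le_next` dereferenced `tt` after it had already been freed, which is the read of freed memory that MALLOC_OPTIONS=AJ turns into a crash (J fills freed memory with junk, so `le_next` becomes garbage). Two smaller points on the new hunk: since the loop always drains the entire list, the per-node `LIST_REMOVE(tt, list)` does pointer writes into nodes that are about to be freed anyway, and re-initializing the list head once after the loop would do the same job with less work; and `struct ttytab * tn` should be written `struct ttytab *tn` to match the file's pointer style.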
>Release-Note:
>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: joerg
State-Changed-When: Mon Oct 28 22:52:57 MET 1996
State-Changed-Why:
Dup for PR 1909, already fixed in rev 1.5 of last.c.

From: J Wunsch
To: davidn@sdev.usn.blaze.net.au
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1916: List management bug in last, shows up with /etc/malloc.conf -> AJ
Date: Mon, 28 Oct 1996 21:42:51 +0100 (MET)

As David Nugent wrote:

> Under some circumstances, last from -current dumps core. A sample

The `some circumstances' are simply a "shutdown" entry.

> wtmp file (uuencoded attached below) demonstrates the problem.
>
> >Description:
>
> A pointer is free(3)'ed, and subsequently used in the wtmp() function
> in last.c. With MALLOC_OPTIONS set to AJ, the contents of the memory
> pointed to by the free pointer are no longer valid, causing a core
> dump.

Sorry to say, but you're already too late. :) The problem has been reported in PR 1909, and fixed a couple of hours later... Needless to say, the fix looks damn similar to yours.

--
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
>Unformatted:
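As an added illustration (not code from the PR or from FreeBSD's last.c), the following self-contained C stand-in for the `<sys/queue.h>` LIST macros that last.c relies on shows the "shutdown" purge written the way the fix does it, reading each node's successor before freeing it; the struct, head and helper names (`ttytab`, `ttyhead`, `tty_insert_head`, `tty_remove`, `purge_all`, `demo_purge`) are assumptions for this example.

```c
/* Added example (not code from the PR or from last.c): a minimal stand-in
 * for the <sys/queue.h> LIST macros last.c uses, and the fixed purge loop. */
#include <stdlib.h>
struct ttytab {                        /* layout LIST_ENTRY(ttytab) generates */
    struct { struct ttytab *le_next; struct ttytab **le_prev; } list;
};
struct ttyhead { struct ttytab *lh_first; };   /* LIST_HEAD(, ttytab) */

static void tty_insert_head(struct ttyhead *h, struct ttytab *e)
{                                      /* LIST_INSERT_HEAD(h, e, list) */
    e->list.le_next = h->lh_first;
    if (h->lh_first != NULL)
        h->lh_first->list.le_prev = &e->list.le_next;
    h->lh_first = e;
    e->list.le_prev = &h->lh_first;
}
static void tty_remove(struct ttytab *e)
{                                      /* LIST_REMOVE(e, list) */
    if (e->list.le_next != NULL)
        e->list.le_next->list.le_prev = e->list.le_prev;
    *e->list.le_prev = e->list.le_next;
}
/* The PR's original for-loop evaluated tt->list.le_next in its increment
 * expression after free(tt), i.e. read freed memory (junk-filled under
 * MALLOC_OPTIONS J).  Fetch the successor before freeing, as the fix does. */
static int purge_all(struct ttyhead *h)
{
    int freed = 0;
    struct ttytab *tt = h->lh_first;
    while (tt != NULL) {
        struct ttytab *tn = tt->list.le_next;   /* read while tt is live */
        tty_remove(tt);
        free(tt);
        tt = tn;                                 /* never touch tt again */
        freed++;
    }
    return freed;
}
/* Build n entries and purge them: returns n, or -1 if the head is not empty. */
int demo_purge(int n)
{
    struct ttyhead head = { NULL };
    for (int i = 0; i < n; i++) {
        struct ttytab *e = calloc(1, sizeof *e);
        if (e == NULL) abort();
        tty_insert_head(&head, e);
    }
    int freed = purge_all(&head);
    return head.lh_first == NULL ? freed : -1;
}
```

Running the same loop under a junk-filling allocator (MALLOC_OPTIONS=J on FreeBSD, or a sanitizer elsewhere) is the cheapest way to confirm no freed node is read.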