From dufault@hda.hda.com Mon Jun 1 13:42:54 1998
Received: from hda.hda.com (hda-bicnet.bicnet.net [208.220.66.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA28929 for ; Mon, 1 Jun 1998 13:42:44 -0700 (PDT) (envelope-from dufault@hda.hda.com)
Received: (from dufault@localhost) by hda.hda.com (8.8.5/8.8.5) id QAA05579; Mon, 1 Jun 1998 16:18:32 -0400 (EDT)
Message-Id: <199806012018.QAA05579@hda.hda.com>
Date: Mon, 1 Jun 1998 16:18:32 -0400 (EDT)
From: Peter Dufault
Reply-To: dufault@hda.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: cd9660_mount NULL pointer deref for no CDROM drive
X-Send-Pr-Version: 3.2

>Number:         6820
>Category:       kern
>Synopsis:       cd9660_mount NULL pointer deref for no CDROM drive
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jesper
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 1 13:50:00 PDT 1998
>Closed-Date:    Sun Jan 11 08:35:40 PST 2004
>Last-Modified:  Sun Jan 11 08:35:40 PST 2004
>Originator:     Peter Dufault
>Release:        FreeBSD 3.0-Current Sun May 31
>Organization:
Peter Dufault (dufault@hda.com)   Realtime development, Machine control,
HD Associates, Inc.               Safety critical systems, Agency approval
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Bruce Evans
To: dufault@hda.com, FreeBSD-gnats-submit@FreeBSD.ORG
Cc:
Subject: Re: kern/6820: cd9660_mount NULL pointer deref for no CDROM drive
Date: Tue, 2 Jun 1998 17:22:57 +1000

>I tried to mount a CD on my crash box.  Unfortunately I don't have a
>CDROM drive there.  cd9660_mount crashes with a NULL pointer dereference
>of bdevsw[major(devvp->v_rdev)]:
>
>>	if ((mp->mnt_flag & MNT_UPDATE) == 0) {
>>		if (bdevsw[major(devvp->v_rdev)]->d_flags & D_NOCLUSTERR)
>>			mp->mnt_flag |= MNT_NOCLUSTERR;
>>		error = iso_mountfs(devvp, mp, p, &args);
>>	} else {
>
>This may have been added in 1.29 in the CLUSTERRING commit.

ffs has the same bug.

The device node exists but not the device.  It doesn't help that mount()
would later return ENXIO, since the devsw is accessed before the device
is opened.  This bug is often masked by sloppy initialization using
SYSINIT().  The devsw entries get initialized although no device is
present.

Bruce

State-Changed-From-To: open->suspended
State-Changed-By: jesper
State-Changed-When: Sun May 27 17:10:34 PDT 2001
State-Changed-Why:
No description of the problem, how to reproduce.
Please submit more information.

Responsible-Changed-From-To: freebsd-bugs->jesper
Responsible-Changed-By: jesper
Responsible-Changed-When: Sun May 27 17:10:34 PDT 2001
Responsible-Changed-Why:
keep it on the radar screen

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=6820

State-Changed-From-To: suspended->closed
State-Changed-By: iedowse
State-Changed-When: Sun Jan 11 08:32:12 PST 2004
State-Changed-Why:
The code in question was removed a long time ago (1999) so I assume this
is fixed (Jesper, hope it's ok with you to close this - I had already
looked up the code before I noticed you owned the PR).

http://www.freebsd.org/cgi/query-pr.cgi?pr=6820

>Unformatted:
I tried to mount a CD on my crash box.  Unfortunately I don't have a
CDROM drive there.  cd9660_mount crashes with a NULL pointer dereference
of bdevsw[major(devvp->v_rdev)]:

>	if ((mp->mnt_flag & MNT_UPDATE) == 0) {
>		if (bdevsw[major(devvp->v_rdev)]->d_flags & D_NOCLUSTERR)
>			mp->mnt_flag |= MNT_NOCLUSTERR;
>		error = iso_mountfs(devvp, mp, p, &args);
>	} else {

This may have been added in 1.29 in the CLUSTERRING commit.
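Added example, not code from this PR or from the FreeBSD tree: a small user-space C model of the switch-table lookup the report and Bruce's reply describe. The table has holes for majors that have a device node but no attached driver; the unchecked lookup mirrors the quoted cd9660_mount fragment and would dereference NULL on such a slot, while the guarded lookup bounds-checks the major, refuses a NULL entry, and returns the ENXIO that opening the device would have produced later anyway. The table contents, flag values, rdev encoding and every function name here are constructed for the example.

```c
/* Added example, not FreeBSD code: models the bdevsw[] hole described in
 * kern/6820 and shows a NULL-checked lookup beside the unchecked one.
 * Table contents, flag values and the rdev encoding are all constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define D_NOCLUSTERR    0x01   /* constructed: driver asks for no read clustering */
#define MNT_NOCLUSTERR  0x02   /* constructed mount flag */
#define NBDEV           8      /* size of the constructed switch table */

struct bdevsw {
    const char *d_name;
    int         d_flags;
};

/* Two attached drivers.  Every other major has no driver behind it, even
 * though a device node carrying that major can still exist in /dev. */
static struct bdevsw wd_sw = { "wd", 0 };
static struct bdevsw cd_sw = { "cd", D_NOCLUSTERR };
static struct bdevsw *bdevsw_tbl[NBDEV] = {
    NULL, &wd_sw, &cd_sw, NULL, NULL, NULL, NULL, NULL
};

/* Constructed rdev encoding: major in the high byte, minor in the low byte. */
static unsigned mk_rdev(unsigned major, unsigned minor)
{
    return ((major & 0xff) << 8) | (minor & 0xff);
}

static unsigned rdev_major(unsigned rdev)
{
    return (rdev >> 8) & 0xff;
}

/* Mirrors the quoted cd9660_mount fragment: indexes the table and
 * dereferences the entry without looking at it.  For a major with no
 * driver the entry is NULL and this dereference is the crash in the PR;
 * for a major past the table it is an out-of-bounds read. */
int mount_flags_unchecked(unsigned rdev, int *mnt_flag)
{
    if (bdevsw_tbl[rdev_major(rdev)]->d_flags & D_NOCLUSTERR)
        *mnt_flag |= MNT_NOCLUSTERR;
    return 0;
}

/* Guarded form: check the major against the table size and refuse a NULL
 * entry before touching it, returning ENXIO as a later open() would. */
int mount_flags_checked(unsigned rdev, int *mnt_flag)
{
    unsigned maj = rdev_major(rdev);

    if (maj >= NBDEV || bdevsw_tbl[maj] == NULL)
        return ENXIO;
    if (bdevsw_tbl[maj]->d_flags & D_NOCLUSTERR)
        *mnt_flag |= MNT_NOCLUSTERR;
    return 0;
}

/* Single-value wrapper: resulting mount flags on success, -errno on failure. */
int probe_mount_flags(unsigned rdev)
{
    int flags = 0;
    int err = mount_flags_checked(rdev, &flags);

    return err ? -err : flags;
}

int main(void)
{
    unsigned devs[] = { mk_rdev(1, 0), mk_rdev(2, 0), mk_rdev(3, 0), mk_rdev(200, 0) };
    size_t i;

    for (i = 0; i < sizeof devs / sizeof devs[0]; i++) {
        int r = probe_mount_flags(devs[i]);

        if (r < 0)
            printf("major %3u: ENXIO, no driver attached\n", rdev_major(devs[i]));
        else
            printf("major %3u: ok, mnt_flag=0x%x\n", rdev_major(devs[i]), r);
    }
    return 0;
}
```

The check is placed where the table is indexed rather than relying on a later open() failing, which is Bruce's point: the dereference happens first, so the error path after it never gets a chance to run.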