Date:      09 Feb 2002 01:01:21 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        current@freebsd.org
Subject:   double-free in mtree(1)
Message-ID:  <xzpn0yj7cby.fsf@flood.ping.uio.no>

I get the following error when running mtree(1) in a jail:

root@p4 /usr/src# gdb =mtree
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb.291/gdb/dbxread.c line 2629 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb.291/gdb/dbxread.c line 935 in fill_symbuf

(gdb) set args -deU -f /etc/mtree/BSD.root.dist -p /
(gdb) run
Starting program: /usr/sbin/mtree -deU -f /etc/mtree/BSD.root.dist -p /
mtree in free(): error: chunk is already free

Program received signal SIGABRT, Aborted.
0x280b4f07 in kill () from /usr/lib/libc.so.5
(gdb) where
#0  0x280b4f07 in kill () from /usr/lib/libc.so.5
#1  0x28108aa1 in abort () at /usr/src/lib/libc/../libc/stdlib/abort.c:70
#2  0x28107534 in wrterror (p=0x2811193b "chunk is already free\n")
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:303
#3  0x28107560 in wrtwarning (p=0x2811193b "chunk is already free\n")
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:311
#4  0x28108446 in ifree (ptr=0x8055700)
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:989
#5  0x281086d1 in free (ptr=0x8055700)
    at /usr/src/lib/libc/../libc/stdlib/malloc.c:1121
#6  0x280aff2a in fts_close (sp=0x8059000)
    at /usr/src/lib/libc/../libc/gen/fts.c:235
#7  0x804c0d4 in vwalk () at /usr/src/usr.sbin/mtree/verify.c:155
#8  0x804be12 in verify () at /usr/src/usr.sbin/mtree/verify.c:72
#9  0x804b3c1 in main (argc=6, argv=0xbfbff574)
    at /usr/src/usr.sbin/mtree/mtree.c:167
#10 0x80493c9 in _start (arguments=0xbfbff688 "/usr/sbin/mtree")
    at /usr/src/lib/csu/i386-elf/crt1.c:96
(gdb) up 6
#6  0x280aff2a in fts_close (sp=0x8059000)
    at /usr/src/lib/libc/../libc/gen/fts.c:235
235                     free(p);
(gdb) p *p
$1 = {fts_cycle = 0xd0d0d0d0, fts_parent = 0xd0d0d0d0, fts_link = 0xd0d0d0d0,
  fts_number = -791621424, fts_pointer = 0xd0d0d0d0,
  fts_accpath = 0xd0d0d0d0 <Error reading address 0xd0d0d0d0: Bad address>,
  fts_path = 0xd0d0d0d0 <Error reading address 0xd0d0d0d0: Bad address>,
  fts_errno = -791621424, fts_symfd = -791621424, fts_pathlen = 53456,
  fts_namelen = 53456, fts_ino = 3503345872, fts_dev = 3503345872,
  fts_nlink = 53456, fts_level = -12080, fts_info = 53456, fts_flags = 53456,
  fts_instr = 53456, fts_statp = 0xd0d0d0d0, fts_name = ""}
(gdb) p *sp
$2 = {fts_cur = 0x8055700, fts_child = 0x0, fts_array = 0x0, fts_dev = 29708,
  fts_path = 0x805a000 "./proc", fts_rfd = 3, fts_pathlen = 1280,
  fts_nitems = 0, fts_compar = 0, fts_options = 528}
(gdb) p *(sp->fts_cur)
$3 = {fts_cycle = 0xd0d0d0d0, fts_parent = 0xd0d0d0d0, fts_link = 0xd0d0d0d0,
  fts_number = -791621424, fts_pointer = 0xd0d0d0d0,
  fts_accpath = 0xd0d0d0d0 <Error reading address 0xd0d0d0d0: Bad address>,
  fts_path = 0xd0d0d0d0 <Error reading address 0xd0d0d0d0: Bad address>,
  fts_errno = -791621424, fts_symfd = -791621424, fts_pathlen = 53456,
  fts_namelen = 53456, fts_ino = 3503345872, fts_dev = 3503345872,
  fts_nlink = 53456, fts_level = -12080, fts_info = 53456, fts_flags = 53456,
  fts_instr = 53456, fts_statp = 0xd0d0d0d0, fts_name = ""}
(gdb) 

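The same thing happens when I run it outside the jail, but pointing to
the jail's root directory.  The pointer passed to free() in frame #5
(0x8055700) is sp->fts_cur, and the node it points to is filled with
0xd0 bytes, which is consistent with malloc's junk fill of a chunk that
has already been freed; sp->fts_path is "./proc" at that point.  Seems
like an fts bug, but I was unable to discover the exact cause.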

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message



