Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 16 Jan 2009 22:06:14 GMT
From:      Dimitry Andric <dimitry@andric.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/130632: gpart assert failure if used from FreeBSD Live CD
Message-ID:  <200901162206.n0GM6EDJ088882@www.freebsd.org>
Resent-Message-ID: <200901162210.n0GMA18V018856@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         130632
>Category:       bin
>Synopsis:       gpart assert failure if used from FreeBSD Live CD
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 16 22:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Dimitry Andric
>Release:        FreeBSD 8.0-CURRENT i386
>Organization:
n/a
>Environment:
System: FreeBSD vfbsd8.home.andric.com 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Thu Jan 15 23:55:45 CET 2009 dim@vfbsd8.home.andric.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
If you run gpart(8) from a recent FreeBSD -CURRENT Live CD, it will
crash with the following assertion failure:

Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536.
Abort trap: 6 (core dumped)

This is due to incorrect usage of strsep(3) in the function
load_library() in /usr/src/sbin/geom/core/geom.c, and caused by the
Live CD having set GEOM_LIBRARY_PATH to "/mnt2/lib/geom:/lib/geom".

In load_library(), you see the following:

	totalpath = strdup(libpath);
	...
	if (strchr(totalpath, ':') != NULL)
		curpath = strsep(&totalpath, ":");
	...
	free(totalpath);

The problem here is that strsep(3) modifies totalpath, to point at the
next token.  If you then attempt to free it later, the behaviour is
undefined.  The newer malloc in -CURRENT apparently catches this.

Note this ONLY occurs if GEOM_LIBRARY_PATH exists, contains more than
one directory, and the geom .so files are found in the first
directory.

>How-To-Repeat:
This is easily reproduced on -CURRENT, by running:

$ GEOM_LIBRARY_PATH=/lib/geom:/foo /sbin/gpart
Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536.
Abort trap: 6 (core dumped)

>Fix:
Here is a patch, following the strsep(3) manpage example.

Index: sbin/geom/core/geom.c
===================================================================
RCS file: /home/ncvs/src/sbin/geom/core/geom.c,v
retrieving revision 1.36
diff -u -p -r1.36 geom.c
--- sbin/geom/core/geom.c	4 Jun 2008 20:07:59 -0000	1.36
+++ sbin/geom/core/geom.c	16 Jan 2009 21:40:54 -0000
@@ -487,13 +487,13 @@ library_path(void)
 static void
 load_library(void)
 {
-	char *curpath, path[MAXPATHLEN], *totalpath;
+	char *curpath, path[MAXPATHLEN], *totalpath, *tofree;
 	uint32_t *lib_version;
 	void *dlh;
 	int ret;
 
 	ret = 0;
-	totalpath = strdup(library_path());
+	tofree = totalpath = strdup(library_path());
 	if (totalpath == NULL)
 		err(EXIT_FAILURE, "Not enough memory for library path");
 
@@ -519,7 +519,7 @@ load_library(void)
 		}
 		break;
 	}
-	free(totalpath);
+	free(tofree);
 	/* No library was found, but standard commands can still be used */
 	if (ret == -1)
 		return;


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200901162206.n0GM6EDJ088882>