Date: Fri, 16 Jan 2009 22:06:14 GMT
From: Dimitry Andric
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: bin/130632: gpart assert failure if used from FreeBSD Live CD
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Fri, 16 Jan 2009 22:10:02 -0000

>Number: 130632
>Category: bin
>Synopsis: gpart assert failure if used from FreeBSD Live CD
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 16 22:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Dimitry Andric
>Release: FreeBSD 8.0-CURRENT i386
>Organization: n/a
>Environment:
System: FreeBSD vfbsd8.home.andric.com 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Thu Jan 15 23:55:45 CET 2009 dim@vfbsd8.home.andric.com:/usr/obj/usr/src/sys/GENERIC i386

>Description:
If you run gpart(8) from a recent FreeBSD -CURRENT Live CD, it will crash
with the following assertion failure:

  Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536.
  Abort trap: 6 (core dumped)

This is due to incorrect usage of strsep(3) in the function load_library()
in /usr/src/sbin/geom/core/geom.c, and caused by the Live CD having set
GEOM_LIBRARY_PATH to "/mnt2/lib/geom:/lib/geom".

In load_library(), you see the following:

  totalpath = strdup(libpath);
  ...
  if (strchr(totalpath, ':') != NULL)
          curpath = strsep(&totalpath, ":");
  ...
  free(totalpath);

The problem here is that strsep(3) modifies totalpath, to point at the
next token. If you then attempt to free it later, the behaviour is
undefined. The newer malloc in -CURRENT apparently catches this.

Note this ONLY occurs if GEOM_LIBRARY_PATH exists, contains more than one
directory, and the geom .so files are found in the first directory.

>How-To-Repeat: This is easily reproduced on -CURRENT, by running: $ GEOM_LIBRARY_PATH=/lib/geom:/foo /sbin/gpart Assertion failed: (diff == regind * size), function arena_run_reg_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 2536. Abort trap: 6 (core dumped) >Fix: Here is a patch, following the strsep(3) manpage example. Index: sbin/geom/core/geom.c =================================================================== RCS file: /home/ncvs/src/sbin/geom/core/geom.c,v retrieving revision 1.36 diff -u -p -r1.36 geom.c --- sbin/geom/core/geom.c 4 Jun 2008 20:07:59 -0000 1.36 +++ sbin/geom/core/geom.c 16 Jan 2009 21:40:54 -0000 @@ -487,13 +487,13 @@ library_path(void) static void load_library(void) { - char *curpath, path[MAXPATHLEN], *totalpath; + char *curpath, path[MAXPATHLEN], *totalpath, *tofree; uint32_t *lib_version; void *dlh; int ret; ret = 0; - totalpath = strdup(library_path()); + tofree = totalpath = strdup(library_path()); if (totalpath == NULL) err(EXIT_FAILURE, "Not enough memory for library path"); @@ -519,7 +519,7 @@ load_library(void) } break; } - free(totalpath); + free(tofree); /* No library was found, but standard commands can still be used */ if (ret == -1) return; >Release-Note: >Audit-Trail: >Unformatted:
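
Review bot: In the first hunk, `tofree = totalpath = strdup(library_path());` would benefit from a one-line comment saying that strsep(3) advances totalpath while tofree keeps the pointer strdup(3) returned, so that the two variables are not later folded back into one. The `if (totalpath == NULL)` check that follows still covers allocation failure, because both variables hold the same value at that point.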
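
Review bot: In the second hunk, `free(tofree);` is the only release of the strdup'd buffer and it sits after the search loop, so a `return` inside the loop body (not visible in this hunk's context) would skip it and leak the buffer; worth confirming the loop is only left through `break`. The `if (ret == -1) return;` that follows comes after the free, which is the right order.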
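
The failure mode from the description, as an added example (not code from geom.c or from the submitter): a strsep(3) loop over a colon-separated path that records how far the cursor has moved from the allocation and frees the pointer strdup(3) originally returned. The names find_dir, base, cursor and moved are hypothetical, and the loop follows the generic strsep(3) idiom rather than the exact control flow of load_library().

```c
#define _DEFAULT_SOURCE		/* strsep(3) and strdup(3) on glibc */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Walk a colon-separated search path (same shape as GEOM_LIBRARY_PATH) and
 * return the index of the first entry equal to `want`, -1 if none matches,
 * or -2 if memory could not be allocated.  `moved` receives the distance of
 * the strsep(3) cursor from the start of the allocation when the walk
 * stopped, or 0 if strsep(3) had already set the cursor to NULL.
 */
static int
find_dir(const char *searchpath, const char *want, ptrdiff_t *moved)
{
	char *base, *cursor, *dir;
	int idx, found;

	base = cursor = strdup(searchpath);	/* base is what free() must get */
	if (base == NULL)
		return (-2);

	found = -1;
	for (idx = 0; (dir = strsep(&cursor, ":")) != NULL; idx++) {
		if (strcmp(dir, want) == 0) {
			found = idx;
			break;
		}
	}
	/* cursor is now an interior pointer, or NULL at end of input. */
	*moved = (cursor != NULL) ? cursor - base : 0;

	/* free(cursor) would be undefined (interior pointer) or a leak (NULL). */
	free(base);
	return (found);
}

int
main(void)
{
	ptrdiff_t moved;
	/* Constructed input, taken from the How-To-Repeat value. */
	int idx = find_dir("/lib/geom:/foo", "/lib/geom", &moved);

	printf("match at index %d, cursor moved %td bytes\n", idx, moved);
	return (0);
}
```

A match in the first entry leaves the cursor 10 bytes into the buffer, which is the pointer the unpatched code handed to free(3).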