Date:      Thu, 25 Sep 2008 11:29:41 -0800 (AKDT)
From:      Mel <mel.xyzzy@rachie.is-a-geek.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        MAINTAINER <ahze@FreeBSD.org>
Subject:   ports/127639: Segfault in x_realloc devel/ccache
Message-ID:  <20080925192941.B65FAAFBC02@mail.rachie.is-a-geek.net>
Resent-Message-ID: <200809251950.m8PJo2Yf003234@freefall.freebsd.org>


>Number:         127639
>Category:       ports
>Synopsis:       Segfault in x_realloc devel/ccache
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 25 19:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mel
>Release:        FreeBSD 6.3-RELEASE-p4 amd64
>Organization:
>Environment:
System: FreeBSD smell.example.com 6.3-RELEASE-p4 FreeBSD 6.3-RELEASE-p4 #0: Tue Sep 23 13:02:08 AKDT 2008 root@smell.example.com:/usr/obj/usr/src/sys/GENERIC amd64


	
>Description:
util.c:
   184    this is like realloc() but dies if the malloc fails
   185  */
   186  void *x_realloc(void *ptr, size_t size)
   187  {
   188          void *p2;
   189          if (!ptr) return x_malloc(size);
   190          p2 = malloc(size);
   191          if (!p2) {
   192                  fatal("out of memory in x_realloc");
   193          }
   194          if (ptr) {
   195                  memcpy(p2, ptr, size);
   196                  free(ptr);
   197          }
   198          return p2;
   199  }

args.c:
    38  void args_add(ARGS *args, const char *s)
    39  {
    40          args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *));
    41          args->argv[args->argc] = x_strdup(s);
    42          args->argc++;
    43          args->argv[args->argc] = NULL;
    44  }

Line 195 copies the new size's worth of bytes from the old pointer to the new pointer, which can produce the following backtrace:
(gdb) bt
#0  0x0000000800816b86 in memcpy () from /lib/libc.so.6
#1  0x0000000000403fec in x_realloc (ptr=0x514800, size=2056) at util.c:195
#2  0x0000000000404512 in args_add (args=0x512040,
    s=0x7fffffffe2c3 "p12_key.So") at args.c:40
#3  0x00000000004045a1 in args_init (init_argc=455, init_args=0x7fffffffcf20)
    at args.c:32
#4  0x0000000000402a14 in main (argc=455, argv=0x7fffffffc720) at ccache.c:564

>How-To-Repeat:
I can't reproduce this using a test like this:
ln -s ccache cc
./cc -L/usr/lib -shared `jot -w 'file%04u.So' 452 1 452`

However, the following reproduces the bug reliably:
#!/bin/sh

SRCDIR=${SRCDIR:="/usr/src"}

cd ${SRCDIR}/secure/lib/libcrypto
rm -f `make -V .OBJDIR`/libcrypto.so.4
cd ${SRCDIR}
make everything

>Fix:

The following works around the problem by using reallocf instead of
x_malloc; however, the root of the problem is likely elsewhere.

--- patch-args.c begins here ---
--- args.c.orig	2004-09-13 02:38:30.000000000 -0800
+++ args.c	2008-09-25 04:58:35.000000000 -0800
@@ -37,7 +37,13 @@
 
 void args_add(ARGS *args, const char *s)
 {
+#ifndef __FreeBSD__
 	args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *));
+#else
+	args->argv = reallocf((char *)args->argv, (args->argc + 2) * sizeof(char *));
+	if( args->argv == NULL )
+		fatal("out of memory in reallocf");
+#endif
 	args->argv[args->argc] = x_strdup(s);
 	args->argc++;
 	args->argv[args->argc] = NULL;
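Review bot: the `#ifndef __FreeBSD__` guard leaves the actual defect in place: util.c:195 does `memcpy(p2, ptr, size)` with the new size, so every other x_realloc caller, and this call site on non-FreeBSD builds, still reads past the end of the old block. Fix x_realloc itself rather than this one caller: `p2 = realloc(ptr, size); if (!p2) fatal("out of memory in x_realloc");` moves the old contents correctly, accepts a NULL ptr (so the `if (!ptr)` special case can go), and is portable, so the `#ifdef` disappears; reallocf only adds freeing the old block on failure, which is moot here because fatal() exits. Minor: the `(char *)` cast on the argument is unnecessary (reallocf takes `void *`), and the `(char **)` cast on the result is kept on the x_realloc branch but dropped on the reallocf branch; pick one style.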
--- patch-args.c ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
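The defect the report describes, as an added example that is neither ccache's code nor the submitter's patch: x_realloc's memcpy copies `size` bytes out of a block that was allocated with a smaller size, so it reads past the end of the old allocation. From the backtrace, size=2056 means (argc+2)*8 = 2056, i.e. argc=255 and an old argv block of 256*8 = 2048 bytes, so that call reads one pointer past a 2048-byte block; a plausible reading of why one workload crashes and another does not is that the fault only occurs when that block happens to end at the edge of mapped memory. The helpers below quantify the over-read for any old/new size and for args_add specifically, and x_realloc is rewritten on top of realloc(), which preserves the old contents itself and needs no `#ifdef`. ARGS, fatal() and x_strdup() are re-declared here as assumptions so the file builds on its own, and the 455-argument input (named like the jot command in the report) is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ccache's code. ARGS, fatal() and x_strdup() are
 * re-declared here (assumed shapes, following the report's snippets)
 * so the file is self-contained. */
typedef struct {
    char **argv;
    int argc;
} ARGS;

static void fatal(const char *msg)
{
    fprintf(stderr, "ccache: FATAL: %s\n", msg);
    exit(1);
}

/* Bytes the original x_realloc reads past the end of the old block:
 * its memcpy copies the *new* size, so everything beyond old_size is
 * an out-of-bounds read of whatever follows the allocation. */
size_t x_realloc_overread(size_t old_size, size_t new_size)
{
    return new_size > old_size ? new_size - old_size : 0;
}

/* args_add grows argv from argc+1 to argc+2 pointers, so each call
 * over-reads exactly one pointer past the old block. For the backtrace
 * in the report (size=2056) that is argc=255: a 2048-byte block read
 * as if it were 2056 bytes. */
size_t args_add_overread(int argc)
{
    size_t old_size = (size_t)(argc + 1) * sizeof(char *);
    size_t new_size = (size_t)(argc + 2) * sizeof(char *);
    return x_realloc_overread(old_size, new_size);
}

/* Corrected x_realloc: realloc() moves min(old, new) bytes itself and
 * frees the old block on success, so no size has to be guessed and a
 * NULL ptr needs no special case. Portable, no #ifdef required. */
void *x_realloc(void *ptr, size_t size)
{
    void *p2 = realloc(ptr, size);
    if (!p2) {
        /* realloc leaves ptr allocated on failure; fatal() exits, so
         * nothing leaks into a continuing program */
        fatal("out of memory in x_realloc");
    }
    return p2;
}

char *x_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        fatal("out of memory in x_strdup");
    memcpy(p, s, n);
    return p;
}

/* Same shape as args.c:38-44, now backed by the corrected x_realloc. */
void args_add(ARGS *args, const char *s)
{
    args->argv = (char **)x_realloc(args->argv,
                                    (size_t)(args->argc + 2) * sizeof(char *));
    args->argv[args->argc] = x_strdup(s);
    args->argc++;
    args->argv[args->argc] = NULL;
}

/* Constructed input: n arguments named file0001.So ... file%04d.So,
 * like the jot command in the report. */
ARGS *args_build(int n)
{
    ARGS *args = calloc(1, sizeof *args);
    char name[32];
    if (!args)
        fatal("out of memory in args_build");
    for (int i = 1; i <= n; i++) {
        snprintf(name, sizeof name, "file%04d.So", i);
        args_add(args, name);
    }
    return args;
}

void args_free(ARGS *args)
{
    for (int i = 0; i < args->argc; i++)
        free(args->argv[i]);
    free(args->argv);
    free(args);
}

/* Builds n >= 1 args and checks the invariants args_add must keep:
 * argc == n, argv is NULL-terminated, and the strings survived every
 * reallocation. Returns 1 on success, 0 otherwise. */
int args_check(int n)
{
    ARGS *a = args_build(n);
    char last[32];
    int ok;
    snprintf(last, sizeof last, "file%04d.So", n);
    ok = a->argc == n && a->argv[n] == NULL
         && strcmp(a->argv[0], "file0001.So") == 0
         && strcmp(a->argv[n - 1], last) == 0;
    args_free(a);
    return ok;
}

int main(void)
{
    printf("args_add over-reads %zu bytes per call at argc=255\n",
           args_add_overread(255));
    printf("455 args via corrected x_realloc: %s\n",
           args_check(455) ? "ok" : "FAILED");
    return 0;
}
```

The over-read helpers only do the arithmetic; they do not perform the out-of-bounds read, because whether that read faults depends entirely on what the allocator placed after the old block, which is exactly why a synthetic command line can pass while the libcrypto build crashes. The realloc-based x_realloc is the fix a maintainer would apply upstream; the reallocf workaround in the patch only covers one of x_realloc's callers and only on FreeBSD.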



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080925192941.B65FAAFBC02>