Date: Wed, 20 Jul 2016 21:58:51 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 211195] pw userdel Segmentation fault (core dumped) Message-ID: <bug-211195-8-tvoSYy7ji8@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-211195-8@https.bugs.freebsd.org/bugzilla/> References: <bug-211195-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211195 rday <ryan@ryanday.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ryan@ryanday.net --- Comment #3 from rday <ryan@ryanday.net> --- Created attachment 172760 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D172760&action= =3Dedit Patch for 211195 The crash occurs in the rm_r() function, however the core dump issue looks a little more subtle than not having a home directory. For example, the comma= nds # pw user add someuser -g somegroup -d "/home/someuser" -s "/usr/sbin/nolog= in" # pw user del someuser -r Won't core dump. /home/someuser doesn't exist, and the problematic code nev= er runs. In your example the home directory was "/dev/null", which *does* exist even though -m wasn't specified. The program uses openat(2) with the O_DIRECTORY flag to open "/dev/null" which is not a directory. openat() returns an unchecked error, and the program crashes when it tries to open the invalid descriptor. I was able to reproduce this in the master branch on the Github repo. I attached a patch for the rm_r() function to check the return value of opena= t(). It looks like openat()'s return value isn't checked in a couple other locat= ions in the code as well. Those code paths may not be accessible though. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-211195-8-tvoSYy7ji8>