NetBSD Problem Report #40563

From tkhr.hash@gmail.com  Fri Feb  6 01:10:01 2009
Return-Path: <tkhr.hash@gmail.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 3A4A263C07D
	for <gnats-bugs@gnats.netbsd.org>; Fri,  6 Feb 2009 01:10:01 +0000 (UTC)
Message-Id: <20090206080415.65B3.44A1DAE8@gmail.com>
Date: Fri, 06 Feb 2009 08:10:30 +0900
From: Takahiro Hayashi <tkhr.hash@gmail.com>
To: gnats-bugs@gnats.NetBSD.org
Cc: tkhr.hash@gmail.com
Subject: syslogd(8) refers freed pointer on exiting

>Number:         40563
>Category:       bin
>Synopsis:       syslogd(8) refers freed pointer on exiting
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 06 01:15:00 +0000 2009
>Closed-Date:    Sat Feb 07 13:33:37 +0000 2009
>Last-Modified:  Sat Feb 07 13:33:37 +0000 2009
>Originator:     Takahiro Hayashi
>Release:        NetBSD current (5.99.7) Mon Jan 26 11:40:24 UTC 2009
>Organization:
>Environment:
System: NetBSD halt 5.99.7 NetBSD 5.99.7 (UNION) #0: Mon Jan 26 22:08:48 JST 2009  root@halt:/usr/sources/obj/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:
	When syslogd(8) exits on SIGTERM it writes the log message
	"Exiting on signal 15" in die(); however, die() frees all
	pointers to the log descriptors "Files" before calling logerror().
	Found by setting "ln -s J /etc/malloc.conf".

halt# gdb ./syslogd /syslogd.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
Reading symbols from /usr/lib/libutil.so.7...done.
Loaded symbols for /usr/lib/libutil.so.7
Reading symbols from /usr/lib/libevent.so.3...done.
Loaded symbols for /usr/lib/libevent.so.3
Reading symbols from /usr/lib/libwrap.so.1...done.
Loaded symbols for /usr/lib/libwrap.so.1
Reading symbols from /usr/lib/libssl.so.7...done.
Loaded symbols for /usr/lib/libssl.so.7
Reading symbols from /usr/lib/libcrypto.so.5...done.
Loaded symbols for /usr/lib/libcrypto.so.5
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
Core was generated by `syslogd'.
Program terminated with signal 11, Segmentation fault.
#0  0x0804fb36 in logmsg (buffer=0xbb82e040) at syslogd.c:1839
1839			if (!MATCH_PRI(f, fac, prilev)
(gdb) bt
#0  0x0804fb36 in logmsg (buffer=0xbb82e040) at syslogd.c:1839
#1  0x080505c0 in logmsg_async (pri=43, sd=0x0, 
    msg=0xbfbfe6a0 "Exiting on signal 15", flags=4) at syslogd.c:1630
#2  0x08050807 in logerror (fmt=0x8063485 "global_TLS_CTX") at syslogd.c:2751
#3  0x08054dbd in die (fd=15, event=8, ev=0xbb842060) at syslogd.c:2915
#4  0xbbbd2129 in event_base_loop () from /usr/lib/libevent.so.3
#5  0xbbbd24df in event_loop () from /usr/lib/libevent.so.3
#6  0xbbbd24fe in event_dispatch () from /usr/lib/libevent.so.3
#7  0x08058405 in main (argc=-1149124544, argv=Cannot access memory at address 0x7
) at syslogd.c:632
(gdb) p f
$1 = (struct filed *) 0x5a5a5a5a

>How-To-Repeat:
	"ln -s J /etc/malloc.conf",
	"/etc/rc.d/syslogd restart", and
	"/etc/rc.d/syslogd stop".
>Fix:
	It may be better to write logerror() before freeing "Files"
	in die(). Is this patch correct enough?

Index: syslogd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.98
diff -u -r1.98 syslogd.c
--- syslogd.c	22 Jan 2009 21:10:52 -0000	1.98
+++ syslogd.c	5 Feb 2009 22:17:39 -0000
@@ -2817,6 +2817,12 @@
 	/* prevent recursive signals */
 	BLOCK_SIGNALS(omask, newmask);

+	errno = 0;
+	if (ev != NULL)
+		logerror("Exiting on signal %d", fd);
+	else
+		logerror("Fatal error, exiting");
+
 	/*
 	 *  flush any pending output
 	 */
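Review bot: With the logerror() call placed right after BLOCK_SIGNALS(omask, newmask), the exit message is written while the Files list is still valid, and it also precedes the "flush any pending output" step, so it is flushed together with any buffered lines instead of being emitted last, after the descriptors are gone. Keep `errno = 0;` adjacent to the call as done here, since a stale errno would otherwise be appended to "Exiting on signal %d". The `ev != NULL` branch is what distinguishes the signal path (where `fd` carries the signal number) from the fatal-error path, so both messages stay correct at this earlier position.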
@@ -2907,11 +2913,6 @@
 #endif /* !DISABLE_TLS */

 	FREEPTR(funix);
-	errno = 0;
-	if (ev != NULL)
-		logerror("Exiting on signal %d", fd);
-	else
-		logerror("Fatal error, exiting");
 	for (p = LogPaths; p && *p; p++)
 		unlink(*p);
 	exit(0);
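Review bot: With the logerror() calls gone from this spot, nothing between FREEPTR(funix) and exit(0) logs through logmsg(), which closes the path in the backtrace (die -> logerror -> logmsg_async -> logmsg walking a freed struct filed, `p f` giving 0x5a5a5a5a); worth a quick check that no other call between the point where Files is freed and this exit still logs. Minor: both the "Exiting on signal" and the "Fatal error, exiting" paths end in exit(0); a non-zero status on the fatal path would let callers such as rc.d tell the two apart.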

-- 
<tkhr.hash@gmail.com>

>Release-Note:

>Audit-Trail:
From: Martin Schuette <mschuett@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40563 CVS commit: src/usr.sbin/syslogd
Date: Fri,  6 Feb 2009 21:09:46 +0000 (UTC)

 Module Name:	src
 Committed By:	mschuett
 Date:		Fri Feb  6 21:09:46 UTC 2009

 Modified Files:
 	src/usr.sbin/syslogd: syslogd.c

 Log Message:
 PR/40563: Takahiro Hayashi: syslogd(8) refers freed pointer on exiting


 To generate a diff of this commit:
 cvs rdiff -r1.98 -r1.99 src/usr.sbin/syslogd/syslogd.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: mschuett@NetBSD.org
State-Changed-When: Sat, 07 Feb 2009 13:33:37 +0000
State-Changed-Why:
applied patch


>Unformatted:
