NetBSD Problem Report #51452

From  Tue Aug 30 19:39:37 2016
Date: Tue, 30 Aug 2016 15:39:32 -0400
From: Tom Yu <>
Subject: [patch] bt_conv.c can corrupt btree databases when byte swapping

>Number:         51452
>Category:       lib
>Synopsis:       [patch] bt_conv.c can corrupt btree databases when byte swapping
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 30 19:40:00 +0000 2016
>Originator:     Tom Yu
>Release:        NetBSD-current as of 20160830

Darwin JACOBS-LADDER.MIT.EDU 14.5.0 Darwin Kernel Version 14.5.0: Thu Jun 16 19:58:21 PDT 2016; root:xnu-2782.50.4~1/RELEASE_X86_64 x86_64

Accessing a Berkeley DB btree database of the opposite byte order from
the native byte order can corrupt data.  If there is a record with a
small (non-overflow) key but big (overflow) data, the byte swapping code
in lib/libc/db/bt_conv.c can swap the wrong bytes because it acts as if
there is always an overflow key in the record.

I have not personally confirmed this bug on NetBSD, but it is not
specific to NetBSD.  This bug appears to be original to the Berkeley DB
code as initially imported into NetBSD in 1993 and (at least the btree
part) is largely unchanged in our krb5 tree.  This highly portable bug
is still present in NetBSD-current according to code inspection.  I have
confirmed the bug on at least amd64 Ubuntu 14.04, SPARC Solaris, and Mac

I'm reporting this bug here because out of the major open-source BSDs,
NetBSD seems to be the only one that has applied any byte swapping bug
fixes to the btree code.

Run a test case such as:

The hex dumps are from actual btree databases created on big-endian and
little-endian hosts using the dbtest program.  The bt_conv.c byte
swapping code is internally consistent, so a round trip through it on a
single platform won't display the bug.

The patch that we applied to krb5 is:

It might require BSD->POSIX type name fixups.

There are other regression tests in the pull request

that cover other btree byte swapping issues; you might be interested in
them as well.
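The record layout and the offset mistake described in this report, as an added C model written for this page; it is neither NetBSD's bt_conv.c nor the krb5 patch. The leaf record layout (ksize, dsize, flags, key bytes, data bytes), the flag values P_BIGDATA/P_BIGKEY, and the sample record (a 5-byte inline key with an overflow data pointer) are assumptions of the example. The buggy walk reproduces the control flow the report describes, stepping a fixed sizeof(u_int32_t) after the flags byte as if the key were always an overflow key; the fixed walk steps over the inline key bytes using the already-swapped ksize. A third function shows why a single-host round trip does not expose the bug.

```c
/*
 * Added illustration, not NetBSD's bt_conv.c: a model of a 4.4BSD btree
 * leaf (BLEAF) record and of the byte-swapping walk over it, with the
 * bug the report describes beside the corrected walk. Record layout,
 * flag values and the sample record are assumptions of this example.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define P_BIGDATA 0x01   /* data lives on an overflow page (assumed value) */
#define P_BIGKEY  0x02   /* key lives on an overflow page (assumed value) */

/* Constructed sample: ksize(4) dsize(4) flags(1) key[5] data[8] = 22 bytes. */
#define REC_LEN 22

/* Byte-swap one 32-bit field in place; works on unaligned pointers. */
static void swap32(unsigned char *p) {
    unsigned char t;
    t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}

static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* The sample record in host byte order: inline key "hello", overflow
 * data pointer (page 7, 4096 bytes). */
static void build_native(unsigned char rec[REC_LEN]) {
    memset(rec, 0, REC_LEN);
    put32(rec + 0, 5);         /* ksize: inline key length */
    put32(rec + 4, 8);         /* dsize: pgno_t + u_int32_t of an overflow pointer */
    rec[8] = P_BIGDATA;        /* flags: big data, small (inline) key */
    memcpy(rec + 9, "hello", 5);
    put32(rec + 14, 7);        /* overflow data: page number */
    put32(rec + 18, 4096);     /* overflow data: byte count */
}

/* The same record as a host of the opposite byte order would write it:
 * every 32-bit field swapped, key bytes untouched. */
static void build_foreign(unsigned char rec[REC_LEN]) {
    build_native(rec);
    swap32(rec + 0); swap32(rec + 4); swap32(rec + 14); swap32(rec + 18);
}

/* Swap the integer fields of one leaf record from foreign to host order
 * (the page-in direction). fixed == 0 mirrors the flow the report
 * describes: after the flags byte the walk always steps 4 bytes before
 * the data pointer, which is only right when the key is an overflow key.
 * fixed == 1 steps over the inline key bytes instead. */
static void swap_bleaf(unsigned char *p, int fixed) {
    uint32_t ksize;
    unsigned char flags;

    swap32(p);                   /* ksize -> host order */
    memcpy(&ksize, p, 4);
    p += 4;
    swap32(p);                   /* dsize */
    p += 4;
    flags = *p;
    if (flags & (P_BIGKEY | P_BIGDATA)) {
        p += 1;                  /* now at the first key byte */
        if (flags & P_BIGKEY) {
            swap32(p);           /* overflow key: page number */
            p += 4;
            swap32(p);           /* overflow key: byte count */
        }
        if (flags & P_BIGDATA) {
            if (flags & P_BIGKEY)
                p += 4;          /* past the key's byte count, onto the data pointer */
            else if (fixed)
                p += ksize;      /* past the inline key bytes */
            else
                p += 4;          /* BUG: treats the inline key as an overflow key */
            swap32(p);           /* overflow data: page number */
            p += 4;
            swap32(p);           /* overflow data: byte count */
        }
    }
}

/* Read a foreign-order record with the given walk: 1 if the result equals
 * the host-order original, 0 if key or data bytes were corrupted. */
int read_foreign_record(int fixed) {
    unsigned char want[REC_LEN], got[REC_LEN];
    build_native(want);
    build_foreign(got);
    swap_bleaf(got, fixed);
    return memcmp(want, got, REC_LEN) == 0;
}

/* Why a single-host round trip hides the bug: the buggy walk swaps the
 * same (wrong) offsets on the way out and on the way in, so a record
 * written and re-read on one host comes back intact. */
int roundtrip_same_host(void) {
    unsigned char want[REC_LEN], got[REC_LEN];
    build_native(want);
    build_native(got);
    swap_bleaf(got, 0);          /* page-out */
    swap_bleaf(got, 0);          /* page-in */
    return memcmp(want, got, REC_LEN) == 0;
}

int main(void) {
    printf("foreign record, buggy walk: %s\n", read_foreign_record(0) ? "intact" : "corrupted");
    printf("foreign record, fixed walk: %s\n", read_foreign_record(1) ? "intact" : "corrupted");
    printf("same-host round trip, buggy walk: %s\n", roundtrip_same_host() ? "intact" : "corrupted");
    return 0;
}
```

The buggy walk swaps four bytes starting inside the key ("o" plus three bytes of the page number) and four more straddling the page number and byte count, so both the key and the overflow pointer come back wrong; the fixed walk lands on the real data pointer. Reading ksize after swapping it is correct only in the page-in direction; a page-out walk must read it before the swap.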

Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.