NetBSD Problem Report #53948
From www@NetBSD.org Tue Feb 5 04:10:14 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 453827A1CB
for <gnats-bugs@gnats.NetBSD.org>; Tue, 5 Feb 2019 04:10:14 +0000 (UTC)
Message-Id: <20190205041013.4804F7A1F7@mollari.NetBSD.org>
Date: Tue, 5 Feb 2019 04:10:13 +0000 (UTC)
From: n54@gmx.com
Reply-To: n54@gmx.com
To: gnats-bugs@NetBSD.org
Subject: fopen(NULL, "r") instant panic
X-Send-Pr-Version: www-1.0
>Number: 53948
>Category: kern
>Synopsis: fopen(NULL, "r") instant panic
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pgoyette
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 05 04:15:00 +0000 2019
>Closed-Date: Tue Feb 05 08:54:15 +0000 2019
>Last-Modified: Tue Feb 05 17:35:01 +0000 2019
>Originator: Kamil Rytarowski
>Release: NetBSD 8.99.33 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 8.99.33 NetBSD 8.99.33 (GENERIC) #2: Fri Feb 1 22:51:28 CET 2019 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
fopen(NULL, "r") results in instant panic after
1627 static int
1628 do_sys_openat(lwp_t *l, int fdat, const char *path, int flags,
1629     int mode, int *fd)
1630 {
1631 	file_t *dfp = NULL;
1632 	struct vnode *dvp = NULL;
1633 	struct pathbuf *pb;
1634 	const char *pathstring = NULL;
1635 	int error;
1636
1637 	if (path == NULL) {
1638 		MODULE_CALL_HOOK(vfs_openat_10_hook, (&pb), 0, error);
1639 		if (error)
1640 			return error;
1641 	} else {
1642 		error = pathbuf_copyin(path, &pb);
1643 		if (error)
1644 			return error;
1645 	}
1646
1647 	pathstring = pathbuf_stringcopy_get(pb);
The path == NULL codepath apparently no longer catches NULL parameter.
#16 0xffffffff80dfce7b in pathbuf_stringcopy_get (pb=0x0) at /usr/src/sys/kern/vfs_lookup.c:373
#17 0xffffffff80e0a5d8 in do_sys_openat (l=0xffff84c3a78b7620, fdat=-100, path=0x0, flags=0, mode=438, fd=0xffffba002a0a8ef8)
at /usr/src/sys/kern/vfs_syscalls.c:1647
#18 0xffffffff80e0a6ba in sys_open (l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, retval=0xffffba002a0a8fe0)
at /usr/src/sys/kern/vfs_syscalls.c:1683
#19 0xffffffff802625fd in sy_call (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000,
rval=0xffffba002a0a8fe0) at /usr/src/sys/sys/syscallvar.h:65
#20 0xffffffff802626e9 in sy_invoke (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000,
rval=0xffffba002a0a8fe0, code=5) at /usr/src/sys/sys/syscallvar.h:94
#21 0xffffffff802629b9 in syscall (frame=0xffffba002a0a9000) at /usr/src/sys/arch/x86/x86/syscall.c:140
#22 0xffffffff802096dd in handle_syscall ()
(gdb)
>How-To-Repeat:
$ cat test.c
#include <stdio.h>
int main() { fopen(NULL, "r"); }
$ gcc test.c
$ ./a.out
>Fix:
N/A
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->pgoyette
Responsible-Changed-By: pgoyette@NetBSD.org
Responsible-Changed-When: Tue, 05 Feb 2019 05:28:42 +0000
Responsible-Changed-Why:
Take - almost certainly it's mine
State-Changed-From-To: open->closed
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Tue, 05 Feb 2019 08:54:15 +0000
State-Changed-Why:
Fix committed and verified by submitter.
From: "Kamil Rytarowski" <kamil@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53948 CVS commit: src/sys/kern
Date: Tue, 5 Feb 2019 13:50:10 +0000
Module Name: src
Committed By: kamil
Date: Tue Feb 5 13:50:10 UTC 2019
Modified Files:
src/sys/kern: vfs_syscalls.c
Log Message:
The panic for fopen(NULL, ... is back, fix it
Restore the original behavior before merging the compat refactoring branch.
Now:
- no compat_10 -> perform pathbuf_copyin() and report EFAULT
- compat_10 and error -> report error
- compat_10 and success -> return file descriptor for "."
PR kern/53948
To generate a diff of this commit:
cvs rdiff -u -r1.523 -r1.524 src/sys/kern/vfs_syscalls.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
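
A user-space C model of the control flow in the report and of the three cases listed in the commit log above, added here as an illustration; it is not the committed diff or NetBSD source. The simplified `struct pathbuf`, `hook_t`, `model_copyin`, `open_reported`, `open_restored`, `WOULD_PANIC` and the `ENOMEM` hook error are constructed for the example, and it assumes that an absent hook leaves `error` at the default `0` passed to `MODULE_CALL_HOOK`.

```c
#include <errno.h>
#include <stdio.h>
struct pathbuf { const char *path; };      /* simplified model, not the kernel type */
typedef int (*hook_t)(struct pathbuf **);  /* NULL = compat_10 hook not loaded */
static struct pathbuf dot = { "." };
#define WOULD_PANIC (-1)                   /* marks the pathbuf_stringcopy_get(pb=0x0) site */
static int hook_ok(struct pathbuf **pb) { *pb = &dot; return 0; }
static int hook_fail(struct pathbuf **pb) { (void)pb; return ENOMEM; } /* constructed error */

/* Model of pathbuf_copyin(): copying from a NULL user pointer faults. */
static int model_copyin(const char *path, struct pathbuf **pb)
{
	static struct pathbuf user;
	if (path == NULL)
		return EFAULT;
	user.path = path;
	*pb = &user;
	return 0;
}

/* Flow from the report; assumed: an absent hook leaves error at its default 0. */
static int open_reported(const char *path, hook_t hook, const char **out)
{
	struct pathbuf *pb = NULL;
	int error = path ? model_copyin(path, &pb) : (hook ? hook(&pb) : 0);
	if (error)
		return error;
	if (pb == NULL)
		return WOULD_PANIC;
	*out = pb->path;
	return 0;
}

/* Flow matching the three cases listed in the commit log. */
static int open_restored(const char *path, hook_t hook, const char **out)
{
	struct pathbuf *pb = NULL;
	int error = (path == NULL && hook) ? hook(&pb) : model_copyin(path, &pb);
	if (error)
		return error;
	*out = pb->path;
	return 0;
}

int main(void)
{
	const char *s = "";
	printf("%d %d %d\n", open_reported(NULL, NULL, &s), open_restored(NULL, NULL, &s), open_restored(NULL, hook_fail, &s));
}
```

In the model, the reported flow reaches the NULL `pb` only when the path is NULL and no hook is loaded, which is the configuration in the backtrace (`path=0x0`, `pb=0x0`).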
From: "Kamil Rytarowski" <kamil@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53948 CVS commit: src/tests/lib/libc/stdio
Date: Tue, 5 Feb 2019 17:30:19 +0000
Module Name: src
Committed By: kamil
Date: Tue Feb 5 17:30:19 UTC 2019
Modified Files:
src/tests/lib/libc/stdio: t_fopen.c
Log Message:
Add 2 new tests in t_fopen
Added:
- fopen_nullptr (without COMPAT_10)
- fopen_nullptr_compat10 (with COMPAT_10)
PR kern/53948
Reviewed by <mgorny>
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/tests/lib/libc/stdio/t_fopen.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: