NetBSD Problem Report #53948

From www@NetBSD.org  Tue Feb  5 04:10:14 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 453827A1CB
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  5 Feb 2019 04:10:14 +0000 (UTC)
Message-Id: <20190205041013.4804F7A1F7@mollari.NetBSD.org>
Date: Tue,  5 Feb 2019 04:10:13 +0000 (UTC)
From: n54@gmx.com
Reply-To: n54@gmx.com
To: gnats-bugs@NetBSD.org
Subject: fopen(NULL, "r") instant panic
X-Send-Pr-Version: www-1.0

>Number:         53948
>Category:       kern
>Synopsis:       fopen(NULL, "r") instant panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pgoyette
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 05 04:15:00 +0000 2019
>Closed-Date:    Tue Feb 05 08:54:15 +0000 2019
>Last-Modified:  Tue Feb 05 17:35:01 +0000 2019
>Originator:     Kamil Rytarowski
>Release:        NetBSD 8.99.33 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 8.99.33 NetBSD 8.99.33 (GENERIC) #2: Fri Feb  1 22:51:28 CET 2019  root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
fopen(NULL, "r") results in instant panic after 


   1627 static int
   1628 do_sys_openat(lwp_t *l, int fdat, const char *path, int flags,
   1629     int mode, int *fd)
   1630 {
   1631 	file_t *dfp = NULL;
   1632 	struct vnode *dvp = NULL;
   1633 	struct pathbuf *pb;
   1634 	const char *pathstring = NULL;
   1635 	int error;
   1636 
   1637 	if (path == NULL) {
   1638 		MODULE_CALL_HOOK(vfs_openat_10_hook, (&pb), 0, error);
   1639 		if (error)
   1640 			return error;
   1641 	} else {
   1642 		error = pathbuf_copyin(path, &pb);
   1643 		if (error)
   1644 			return error;
   1645 	}
   1646 
   1647 	pathstring = pathbuf_stringcopy_get(pb);


The path == NULL codepath apparently no longer catches a NULL parameter.


#16 0xffffffff80dfce7b in pathbuf_stringcopy_get (pb=0x0) at /usr/src/sys/kern/vfs_lookup.c:373
#17 0xffffffff80e0a5d8 in do_sys_openat (l=0xffff84c3a78b7620, fdat=-100, path=0x0, flags=0, mode=438, fd=0xffffba002a0a8ef8)
    at /usr/src/sys/kern/vfs_syscalls.c:1647
#18 0xffffffff80e0a6ba in sys_open (l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, retval=0xffffba002a0a8fe0)
    at /usr/src/sys/kern/vfs_syscalls.c:1683
#19 0xffffffff802625fd in sy_call (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, 
    rval=0xffffba002a0a8fe0) at /usr/src/sys/sys/syscallvar.h:65
#20 0xffffffff802626e9 in sy_invoke (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, 
    rval=0xffffba002a0a8fe0, code=5) at /usr/src/sys/sys/syscallvar.h:94
#21 0xffffffff802629b9 in syscall (frame=0xffffba002a0a9000) at /usr/src/sys/arch/x86/x86/syscall.c:140
#22 0xffffffff802096dd in handle_syscall ()
(gdb) 

>How-To-Repeat:
$ cat test.c
#include <stdio.h>
int main() { fopen(NULL, "r"); } 
$ gcc test.c
$ ./a.out
>Fix:
N/A

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->pgoyette
Responsible-Changed-By: pgoyette@NetBSD.org
Responsible-Changed-When: Tue, 05 Feb 2019 05:28:42 +0000
Responsible-Changed-Why:
Take - almost certainly it's mine


State-Changed-From-To: open->closed
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Tue, 05 Feb 2019 08:54:15 +0000
State-Changed-Why:
Fix committed and verified by submitter.


From: "Kamil Rytarowski" <kamil@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53948 CVS commit: src/sys/kern
Date: Tue, 5 Feb 2019 13:50:10 +0000

 Module Name:	src
 Committed By:	kamil
 Date:		Tue Feb  5 13:50:10 UTC 2019

 Modified Files:
 	src/sys/kern: vfs_syscalls.c

 Log Message:
 The panic for fopen(NULL, ... is back, fix it

 Restore the original behavior before merging the compat refactoring branch.

 Now:
  - no compat_10 -> perform pathbuf_copyin() and report EFAULT
  - compat_10 and error -> report error
  - compat_10 and success -> return file descriptor for "."

 PR kern/53948


 To generate a diff of this commit:
 cvs rdiff -u -r1.523 -r1.524 src/sys/kern/vfs_syscalls.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
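
The three cases in the log message above, next to the flow from the report, as a userland model. This is an added example, not code from the NetBSD commit: every name in it is hypothetical, and it assumes what the backtrace shows, namely that with no compat_10 hook loaded the hook call left error at 0 while pb was still NULL.

```c
#include <errno.h>
#include <stdio.h>

/* Userland model only: every name here is hypothetical, not a NetBSD API. */
struct pathbuf { char path[32]; };
typedef int (*hook_t)(struct pathbuf **);
static struct pathbuf storage;	/* stands in for an allocated pathbuf */

/* Models pathbuf_copyin(): a NULL user pointer fails with EFAULT. */
static int model_copyin(const char *upath, struct pathbuf **pbp)
{
	if (upath == NULL)
		return EFAULT;
	snprintf(storage.path, sizeof(storage.path), "%s", upath);
	*pbp = &storage;
	return 0;
}

/* Loaded compat_10 hook: success yields ".", failure a constructed ENOMEM. */
static int hook_dot(struct pathbuf **pbp) { return model_copyin(".", pbp); }
static int hook_fail(struct pathbuf **pbp) { (void)pbp; return ENOMEM; }

/* Reported flow: with no hook loaded the default 0 is used, *pbp stays NULL. */
static int resolve_reported(const char *upath, hook_t hook, struct pathbuf **pbp)
{
	*pbp = NULL;	/* the backtrace shows pb=0x0 */
	if (upath == NULL)
		return hook != NULL ? hook(pbp) : 0;
	return model_copyin(upath, pbp);
}

/* Flow matching the three cases listed in the log message. */
static int resolve_fixed(const char *upath, hook_t hook, struct pathbuf **pbp)
{
	*pbp = NULL;
	if (upath == NULL && hook != NULL)
		return hook(pbp);		/* compat_10: its error, or "." */
	return model_copyin(upath, pbp);	/* no compat_10: NULL -> EFAULT */
}

int main(void)
{
	struct pathbuf *pb;
	int ok = resolve_reported(NULL, NULL, &pb) == 0 && pb == NULL;
	ok = ok && resolve_fixed(NULL, NULL, &pb) == EFAULT;
	ok = ok && resolve_fixed(NULL, hook_fail, &pb) == ENOMEM;
	ok = ok && resolve_fixed(NULL, hook_dot, &pb) == 0 && pb != NULL;
	return ok ? 0 : 1;	/* 0 when the model behaves as described */
}
```

The first check in main() is the failure mode: a return of 0 with a NULL pathbuf is what let the caller go on to pathbuf_stringcopy_get(pb=0x0).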

From: "Kamil Rytarowski" <kamil@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53948 CVS commit: src/tests/lib/libc/stdio
Date: Tue, 5 Feb 2019 17:30:19 +0000

 Module Name:	src
 Committed By:	kamil
 Date:		Tue Feb  5 17:30:19 UTC 2019

 Modified Files:
 	src/tests/lib/libc/stdio: t_fopen.c

 Log Message:
 Add 2 new tests in t_fopen

 Added:
  - fopen_nullptr (without COMPAT_10)
  - fopen_nullptr_compat10 (with COMPAT_10)

 PR kern/53948

 Reviewed by <mgorny>


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/tests/lib/libc/stdio/t_fopen.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
