>Number: 6423
>Category: user
>Synopsis: ci -l may segfault if message is zero length
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jul 07 01:00:01 GMT 2010
>Closed-Date:
>Last-Modified:
>Originator:
>Release:
>Organization:
>Environment:
System : OpenBSD 4.7
Details : OpenBSD 4.7-stable (GENERIC) #0: Sat Jul 3 22:40:17 UTC 2010
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
Architecture: OpenBSD.i386
Machine : i386
>Description:
The "ci -l" command may segfault if it receives a zero length message.
A zero length message may be entered interactively although it may not
be possible from the command line. When "ci" segfaults, it unfortunately
takes the working file with it. It occurs in about 1 of 200 checkins.
The problem is caused by a buffer underrun in rcs.c at line 500.
>How-To-Repeat:
Check in a file with a zero length message over and over again until
it segfaults. The zero length message is achieved by entering "."
only on the interactive ">>>" message line.
This script will cause the fault reliably:
#!/bin/sh
# Modifies file and then checks it in with no comment over and over
# again. Stops if a core file appears or if the working file
# disappears.
# Installed ci.
cmd="/usr/bin/ci"
while true; do
    uname -a >> test
    date >> test
    echo "." | $cmd -l test
    if [ -e ci.core ]; then
        echo "ci dumped core."
        exit
    fi
    if [ ! -e test ]; then
        echo "test disappeared."
        exit 1
    fi
done
>Fix:
There is a buffer underrun at line 500 in rcs.c version 1.54, which is
used by OpenBSD 4.7 and current. The code assumes that "len" is at
least one. Inserting a printf in the code shows experimentally that
"len" is occasionally zero, resulting in a buffer underrun. This happens
when a zero length message is submitted interactively.
I have a core dump if needed, but this patch fixes the problem:
--- rcs.c Tue Jul 6 23:08:46 2010
+++ rcs.c.new Thu Apr 15 23:09:25 2010
@@ -497,8 +497,10 @@
if (rdp->rd_log != NULL) {
len = strlen(rdp->rd_log);
rcs_strprint((const u_char *)rdp->rd_log, len, fp);
- if (rdp->rd_log[len-1] != '\n')
- fputc('\n', fp);
+ if(len == 0)
+ fputc('\n', fp);
+ else if(rdp->rd_log[len-1] == '\n')
+ fputc('\n', fp);
}
fputs("@\ntext\n@", fp);
if (rdp->rd_text != NULL)
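Review bot: the replacement inverts the newline test. The removed line emitted a newline only when the log did not already end in one (`!= '\n'`), but the new `else if(rdp->rd_log[len-1] == '\n')` emits it when the log already ends in a newline and omits it when it does not, so non-empty messages without a trailing newline now lose their terminator and messages with one get a blank line. The `len == 0` guard is the right idea; keep the original sense in a single condition, e.g. `if (len == 0 || rdp->rd_log[len-1] != '\n')` followed by `fputc('\n', fp);`. Also `if(` should be `if (` to match the surrounding code.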
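As an added illustration (not the rcs.c source and not the submitted patch), here is the same log-field output with the `len == 0` guard applied in a way that keeps the original meaning, written into a buffer so every case, including the empty message, can be checked. It assumes, as rcs_strprint() does, that a literal '@' is doubled inside the @-delimited string.

```c
#include <stddef.h>
#include <string.h>

/* Emits what the hunk's region of rcs.c writes for one delta: the log
 * text, a newline if the text lacks one, then the "@\ntext\n@" that
 * follows.  Writes to a plain buffer instead of a FILE* so the result can
 * be inspected.  Returns bytes written (excluding the NUL) or -1 if out is
 * too small.  Assumption: '@' is doubled, as rcs_strprint() does. */
static int emit_log_section(const char *log, char *out, size_t outsz)
{
    static const char trailer[] = "@\ntext\n@";
    size_t len = strlen(log);
    size_t pos = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        if (pos + 2 > outsz)          /* room for the byte and a doubled '@' */
            return -1;
        out[pos++] = log[i];
        if (log[i] == '@')
            out[pos++] = '@';
    }

    /* The original test was  log[len-1] != '\n'  with no guard: for an
     * empty message len == 0, so it read log[-1], one byte before the
     * allocation (the underrun in the report).  Checking len first keeps
     * the intent: add a newline only when one is missing. */
    if (len == 0 || log[len - 1] != '\n') {
        if (pos + 1 > outsz)
            return -1;
        out[pos++] = '\n';
    }

    if (pos + sizeof(trailer) > outsz)
        return -1;
    memcpy(out + pos, trailer, sizeof(trailer));   /* copies the NUL too */
    pos += sizeof(trailer) - 1;
    return (int)pos;
}

/* Self-check helper: 1 if the emitted section for log equals want. */
static int check_case(const char *log, const char *want)
{
    char buf[64];

    if (emit_log_section(log, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, want) == 0;
}
```

The empty-message case is the one that crashed ci; the two non-empty cases show that the terminator is added exactly when missing.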
dmesg:
>Release-Note:
>Audit-Trail:
>Unformatted: