Subject: bin/36636: envstat accessing freed memory (and failing)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <gcw@primenet.com.au>
List: netbsd-bugs
Date: 07/12/2007 10:55:00
>Number: 36636
>Category: bin
>Synopsis: envstat accessing freed memory (and failing)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 12 10:55:00 +0000 2007
>Originator: Geoff C. Wing
>Release: NetBSD 4.99.23 (2007-07-12)
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 4.99.23 NetBSD 4.99.23 (G) #0: Thu Jul 12 10:52:59 EST 2007 gcw@g.primenet.com.au:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
On an ASUS MB (P5LD2) with aiboost, my /etc/envstat.conf has
aiboost0:MB Temperature:critmax:50
aiboost0:MB Temperature:critmin:30
aiboost0:CPU Temperature:critmax:333.15
aiboost0:CPU Temperature:critmin:303.15
aiboost0:CPU FAN Speed:critmin:3000
to give
CPU Temperature: 56.500 degC max: 60.000 degC min: 30.000 degC
MB Temperature: 41.000 degC max: 50.000 degC min: 30.000 degC
...
CPU FAN Speed: 3391 RPM min: 3000 RPM
...
$ envstat -x
...
<key>aiboost0</key>
<array>
<dict>
<key>critical-max-limit</key>
<integer>333150000</integer>
<key>critical-min-limit</key>
<integer>303150000</integer>
<key>cur-value</key>
<integer>329650000</integer>
<key>description</key>
<string>CPU Temperature</string>
<key>monitoring-supported</key>
<true/>
<key>state</key>
<string>valid</string>
<key>type</key>
<string>Temperature</string>
</dict>
<dict>
<key>critical-max-limit</key>
<integer>323150000</integer>
<key>critical-min-limit</key>
<integer>303150000</integer>
<key>cur-value</key>
<integer>314150000</integer>
<key>description</key>
<string>MB Temperature</string>
<key>monitoring-supported</key>
<true/>
<key>state</key>
<string>valid</string>
<key>type</key>
<string>Temperature</string>
</dict>
...
>How-To-Repeat:
Maybe possible for everyone?
>Fix:
find_sensors() has this little section
------
gesen = esen;
...
out:
free(esen);
return rval;
------
However, it's referencing that memory via gesen later on. So, let's
not reference freed memory.
--- usr.sbin/envstat/envstat.c.org 2007-07-06 11:35:29.000000000 +1000
+++ usr.sbin/envstat/envstat.c 2007-07-12 19:03:03.000000000 +1000
@@ -208,6 +208,8 @@
free(userreq);
if (mydevname)
free(mydevname);
+ if (gesen)
+ free(gesen);
(void)close(fd);
return rval;
}
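Review bot: The added `free(gesen)` in this cleanup block is only safe while gesen is either NULL or still owns its buffer, and the second hunk does not guarantee that. If this code is reached after find_sensors() has failed on a path that already executed `gesen = esen`, the `if (rval) free(esen);` there has released the buffer while gesen keeps the stale address, so this line frees it a second time. Clear gesen wherever its buffer is released, and set it to NULL after this free as well. The `if (gesen)` guard matches the neighbouring `if (mydevname)` style but is not required, since free(NULL) is a no-op.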
@@ -693,7 +695,8 @@
}
out:
- free(esen);
+ if (rval)
+ free(esen);
return rval;
}
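Review bot: In the `if (rval)` branch, esen is freed but gesen is not reset, so an error exit taken after `gesen = esen` still leaves the global pointing at freed memory, which is the condition this PR reports. Add `gesen = NULL;` next to `free(esen);` in that branch, and put a comment at `out:` stating that on success ownership of the buffer passes to gesen and the caller is responsible for freeing it. If find_sensors() can run more than once per invocation, the previous gesen buffer also needs to be freed before `gesen = esen` overwrites it.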