Subject: pkg/11273: iozone 3.9 can dump core when given '-M'
To: None <>
From: None <>
List: netbsd-bugs
Date: 10/19/2000 17:32:12
>Number:         11273
>Category:       pkg
>Synopsis:       iozone 3.9 can dump core when given '-M'
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 19 17:32:00 PDT 2000
>Originator:     Greg A. Woods
>Release:        iozone 3.9
Planix, Inc.; Toronto, Ontario; Canada

System: NetBSD proven 1.4V i386


	iozone 3.9 dumps core when given the '-M' option on some systems.


	First build iozone with '-g' then:

# iozone -M
        Iozone: Performance Test of File I/O
                Version $Revision: 3.9 $
                Compiled for 32 bit mode.

        Contributors:William Norcott, Don Capps, Isom Crawford, Kirby Collins
                     Al Slater, Scott Rhine, Mike Wisner, Ken Goss
                     Steve Landherr, Brad Smith.

        Run began: Thu Oct 19 19:44:51 2000

Bus error (core dumped) 
# gdb ./iozone ./iozone.core                                      
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsd"...
Core was generated by `iozone'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/libexec/ld.elf_so...done.
Reading symbols from /usr/lib/
#0  0x8049c45 in main (argc=2, argv=0xbfbfcf4c) at iozone.c:913
913                                     m++;
(gdb) where
#0  0x8049c45 in main (argc=2, argv=0xbfbfcf4c) at iozone.c:913
#1  0x80491a9 in ___start ()
(gdb) list
908                     case 'M':       /* Report machine name and OS */
909                             pi=popen("uname -a", "r");
910                             fread(reply,99,1,pi);
911                             m=reply;
912                             while(*m!='\n') /* Strip after new line */
913                                     m++;
914                             *m=0;
915                             printf("\n\tMachine = %s\n",reply);
916                             pclose(pi);
917                             break;
(gdb) print m
$1 = 0xbfbfe000 <Address 0xbfbfe000 out of bounds>
(gdb) print reply
$2 = "NetBSD proven 1.4V NetBSD 1.4V (PROVEN) #0: Fri Jul 28 20:01:18 EDT 2000     woods@proven:/work/woo"


	Programmers who read output from some other program,
	especially one that is simply found in the user's search path,
	into a fixed length buffer, forget to forcibly terminate that
	buffer as a C string, and then wander unchecked off the end
	of that buffer and try to change something wherever they end up
	should really be sent back to school!  :-(

	Never mind that there's no error checking being done.....

	I don't know who's responsible for these particular lines of
	code, so sorry if I offend anyone, but even such a simple
	test program doesn't deserve to be so bug ridden!

	The code should look more like this (untested hack):

		if (!(pi = popen("uname -a", "r"))) {
			perror("popen('uname -a')");
		if ((n = fread(reply, sizeof(reply), 1, pi) == 0)) {
			if (feof(pi))
				fprintf(stderr, "got EOF reading from 'uname -a'\n");
				perror("fread('uname -a')");
		reply[n] = '\0';
		if (pclose(pi) == -1) {
			perror("pclose('uname -a')");
		if ((m = strrchr(reply, '\n')))
			*m = '\0';
		printf("\n\tMachine = %s\n", reply);

	I'd send a real patch but I'm afraid if I tried to edit that
	code I'd end up changing almost every line in the file!

	Note that since the 'uname -a' output is only ever sent to
	stdout, perhaps this code could be simplified to just:

		puts("\n\tMachine = ");
		system("uname -a");