NetBSD-Bugs archive


bin/40563: syslogd(8) refers freed pointer on exiting



>Number:         40563
>Category:       bin
>Synopsis:       syslogd(8) refers freed pointer on exiting
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 06 01:15:00 +0000 2009
>Originator:     Takahiro Hayashi
>Release:        NetBSD current (5.99.7) Mon Jan 26 11:40:24 UTC 2009
>Organization:
>Environment:
System: NetBSD halt 5.99.7 NetBSD 5.99.7 (UNION) #0: Mon Jan 26 22:08:48 JST 2009  root@halt:/usr/sources/obj/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:
        When syslogd(8) exits on SIGTERM it writes log
        "Exiting on signal 15" in die(), however, die() frees all
        pointers to log descriptors "Files" before calling logerror().
        Found by setting "ln -s J /etc/malloc.conf".

halt# gdb ./syslogd /syslogd.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
Reading symbols from /usr/lib/libutil.so.7...done.
Loaded symbols for /usr/lib/libutil.so.7
Reading symbols from /usr/lib/libevent.so.3...done.
Loaded symbols for /usr/lib/libevent.so.3
Reading symbols from /usr/lib/libwrap.so.1...done.
Loaded symbols for /usr/lib/libwrap.so.1
Reading symbols from /usr/lib/libssl.so.7...done.
Loaded symbols for /usr/lib/libssl.so.7
Reading symbols from /usr/lib/libcrypto.so.5...done.
Loaded symbols for /usr/lib/libcrypto.so.5
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
Core was generated by `syslogd'.
Program terminated with signal 11, Segmentation fault.
#0  0x0804fb36 in logmsg (buffer=0xbb82e040) at syslogd.c:1839
1839                    if (!MATCH_PRI(f, fac, prilev)
(gdb) bt
#0  0x0804fb36 in logmsg (buffer=0xbb82e040) at syslogd.c:1839
#1  0x080505c0 in logmsg_async (pri=43, sd=0x0, 
    msg=0xbfbfe6a0 "Exiting on signal 15", flags=4) at syslogd.c:1630
#2  0x08050807 in logerror (fmt=0x8063485 "global_TLS_CTX") at syslogd.c:2751
#3  0x08054dbd in die (fd=15, event=8, ev=0xbb842060) at syslogd.c:2915
#4  0xbbbd2129 in event_base_loop () from /usr/lib/libevent.so.3
#5  0xbbbd24df in event_loop () from /usr/lib/libevent.so.3
#6  0xbbbd24fe in event_dispatch () from /usr/lib/libevent.so.3
#7  0x08058405 in main (argc=-1149124544, argv=Cannot access memory at address 0x7
) at syslogd.c:632
(gdb) p f
$1 = (struct filed *) 0x5a5a5a5a

>How-To-Repeat:
        "ln -s J /etc/malloc.conf",
        "/etc/rc.d/syslogd restart", and
        "/etc/rc.d/syslogd stop".
>Fix:
        It may be better to write logerror() before freeing "Files"
        in die(). Is this patch correct enough?

Index: syslogd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.98
diff -u -r1.98 syslogd.c
--- syslogd.c   22 Jan 2009 21:10:52 -0000      1.98
+++ syslogd.c   5 Feb 2009 22:17:39 -0000
@@ -2817,6 +2817,12 @@
        /* prevent recursive signals */
        BLOCK_SIGNALS(omask, newmask);
 
+       errno = 0;
+       if (ev != NULL)
+               logerror("Exiting on signal %d", fd);
+       else
+               logerror("Fatal error, exiting");
+
        /*
         *  flush any pending output
         */
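Review bot: The logerror() calls added right after BLOCK_SIGNALS() have no comment saying that they must run before die() frees the "Files" log descriptors, so a later cleanup of die() could move them back to the end and reintroduce the crash. A one-line comment above "errno = 0;" stating that the final message has to be logged while the log destinations are still allocated would record the ordering requirement.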
@@ -2907,11 +2913,6 @@
 #endif /* !DISABLE_TLS */
 
        FREEPTR(funix);
-       errno = 0;
-       if (ev != NULL)
-               logerror("Exiting on signal %d", fd);
-       else
-               logerror("Fatal error, exiting");
        for (p = LogPaths; p && *p; p++)
                unlink(*p);
        exit(0);
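Review bot: Dropping the late logerror() calls after FREEPTR(funix) removes this one caller, but the freed list is still reachable for the rest of die(): the gdb session shows f read back as 0x5a5a5a5a, not NULL. Consider also setting the "Files" head to NULL where it is freed (that code is outside the visible hunks), so that any logerror() reached later in the teardown walks an empty list instead of freed memory.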

-- 
<tkhr.hash%gmail.com@localhost>
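
The teardown-ordering problem described in this PR, reduced to a stand-alone sketch. This is an added example, not syslogd code and not part of the original report; struct dest, dests, log_msg(), free_dests() and shutdown_logged() are hypothetical stand-ins for struct filed, "Files", logmsg() and die().

```c
/* Added illustration; all names are hypothetical, not syslogd's. */
#include <stdio.h>
#include <stdlib.h>

struct dest {                  /* stand-in for struct filed */
    int min_pri;               /* constructed filter: deliver if pri >= min_pri */
    struct dest *next;
};

static struct dest *dests;     /* stand-in for the global "Files" list */

static void add_dest(int min_pri) {
    struct dest *d = malloc(sizeof(*d));
    if (d == NULL)
        abort();
    d->min_pri = min_pri;
    d->next = dests;
    dests = d;
}

/* Walks the destination list, as logmsg() does; returns the match count. */
static int log_msg(int pri, const char *msg) {
    int n = 0;
    for (struct dest *d = dests; d != NULL; d = d->next)
        if (pri >= d->min_pri) {
            fprintf(stderr, "dest(min_pri=%d): %s\n", d->min_pri, msg);
            n++;
        }
    return n;
}

/* Frees every node and leaves the head NULL, never dangling. */
static void free_dests(void) {
    while (dests != NULL) {
        struct dest *next = dests->next;
        free(dests);
        dests = next;
    }
}

/* Reported order: free the list, then log, so the walk reads freed nodes.
 * Order used here: log the final message first, then free. */
static int shutdown_logged(int sig) {
    char buf[64];
    snprintf(buf, sizeof(buf), "Exiting on signal %d", sig);
    int n = log_msg(3, buf);   /* list is still valid here */
    free_dests();
    return n;
}

int main(void) {
    add_dest(1);
    add_dest(5);
    printf("final=%d late=%d\n", shutdown_logged(15), log_msg(3, "late"));
    return 0;
}
```

Because free_dests() clears the head, a log call that arrives after teardown finds an empty list and delivers nothing instead of dereferencing junk-filled memory.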


