NetBSD-Bugs archive


port-macppc/50228: bzero with zero length crashes



>Number:         50228
>Category:       port-macppc
>Synopsis:       bzero with zero length crashes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-macppc-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 10 21:15:00 +0000 2015
>Originator:     Christian Groessler
>Release:        NetBSD 7.99.21
>Organization:
private
>Environment:
	
	
System: NetBSD muc-twinppc 7.99.21 NetBSD 7.99.21 (TWINPPC.MP) #0: Thu Sep 10 07:31:03 CEST 2015 chris@muc-twinppc:/local/netbsd-src/obj/sys/arch/macppc/compile/TWINPPC.MP macppc
Architecture: powerpc
Machine: macppc
>Description:
	bzero(buffer, 0) zeroes out everything from <buffer> to 0xffffefff, then it crashes.
>How-To-Repeat:
	Here's a test program:

$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

/* Defined in a separate translation unit so the compiler cannot see that
 * the length is a constant 0 and fold the bzero() call away. */
extern int ret0(void);

int main(void)
{
        char *x;
        int len = ret0();

        /* Zero-size stack allocation; only the address is of interest. */
        x = alloca(0);
        printf("x: %p\n", x);

        bzero(x, len);

        printf("good\n");

        return 0;
}
$ cat test1.c
int ret0(void) { return 0; }

$ gcc -o t test.c test1.c
$ ./t
x: 0xffffdc78
Segmentation fault (core dumped)
$

bzero(xxx, 0) is optimized away by the compiler; therefore, the length comes from the test1.c file.
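As an added illustration, not code from this PR or from NetBSD: a count-checked zeroing routine and a canary-buffer check that would catch the reported behaviour on a zero-length call. The decrement-before-test loop shape named in the comment is a hypothesis about how such a symptom arises; the PR does not give the cause.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical reference (not NetBSD's code): the count is tested before
 * every store, so n == 0 stores nothing. A loop that decrements first and
 * tests afterwards, do { *c++ = 0; } while (--n != 0);, wraps n == 0 to
 * SIZE_MAX and writes until it hits an unmapped page, which matches the
 * symptom in the PR; the PR does not say whether that is the actual cause. */
static void bzero_checked(void *p, size_t n)
{
    unsigned char *c = p;
    while (n-- > 0)
        *c++ = 0;
}

typedef void (*zero_fn)(void *, size_t);

/* Wrapper so the platform bzero() can be passed as a function pointer. */
static void libc_bzero(void *p, size_t n)
{
    bzero(p, n);
}

/* Bounds check over a constructed 48-byte buffer filled with 0xA5: zero n
 * bytes at offset 16 with zfn, then return 1 only if exactly those n bytes
 * are 0 and every other byte still holds 0xA5. Requires n <= 32. */
static int zeroing_stays_in_bounds(zero_fn zfn, size_t n)
{
    unsigned char buf[48];
    size_t i;
    if (n > 32)
        return 0;
    memset(buf, 0xA5, sizeof buf);
    zfn(buf + 16, n);
    for (i = 0; i < sizeof buf; i++) {
        int inside = (i >= 16 && i < 16 + n);
        if (buf[i] != (inside ? 0x00 : 0xA5))
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = zeroing_stays_in_bounds(bzero_checked, 0)
          && zeroing_stays_in_bounds(libc_bzero, 0);
    printf("zero-length bzero stays in bounds: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Pointing `zero_fn` at a platform's own bzero turns the check into a one-line regression test for the behaviour in this PR.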

>Fix:
	
