NetBSD-Bugs archive


kern/53948: fopen(NULL, "r") instant panic



>Number:         53948
>Category:       kern
>Synopsis:       fopen(NULL, "r") instant panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 05 04:15:00 +0000 2019
>Originator:     Kamil Rytarowski
>Release:        NetBSD 8.99.33 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 8.99.33 NetBSD 8.99.33 (GENERIC) #2: Fri Feb  1 22:51:28 CET 2019  root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
fopen(NULL, "r") results in instant panic after 


   1627 static int
   1628 do_sys_openat(lwp_t *l, int fdat, const char *path, int flags,
   1629     int mode, int *fd)
   1630 {
   1631 	file_t *dfp = NULL;
   1632 	struct vnode *dvp = NULL;
   1633 	struct pathbuf *pb;
   1634 	const char *pathstring = NULL;
   1635 	int error;
   1636 
   1637 	if (path == NULL) {
   1638 		MODULE_CALL_HOOK(vfs_openat_10_hook, (&pb), 0, error);
   1639 		if (error)
   1640 			return error;
   1641 	} else {
   1642 		error = pathbuf_copyin(path, &pb);
   1643 		if (error)
   1644 			return error;
   1645 	}
   1646 
   1647 	pathstring = pathbuf_stringcopy_get(pb);


The path == NULL codepath apparently no longer catches a NULL parameter: when no vfs_openat_10_hook is installed, MODULE_CALL_HOOK() leaves error at its default of 0 and never assigns pb, so pathbuf_stringcopy_get() is reached with pb == NULL (pb=0x0 in the backtrace below).


#16 0xffffffff80dfce7b in pathbuf_stringcopy_get (pb=0x0) at /usr/src/sys/kern/vfs_lookup.c:373
#17 0xffffffff80e0a5d8 in do_sys_openat (l=0xffff84c3a78b7620, fdat=-100, path=0x0, flags=0, mode=438, fd=0xffffba002a0a8ef8)
    at /usr/src/sys/kern/vfs_syscalls.c:1647
#18 0xffffffff80e0a6ba in sys_open (l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, retval=0xffffba002a0a8fe0)
    at /usr/src/sys/kern/vfs_syscalls.c:1683
#19 0xffffffff802625fd in sy_call (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, 
    rval=0xffffba002a0a8fe0) at /usr/src/sys/sys/syscallvar.h:65
#20 0xffffffff802626e9 in sy_invoke (sy=0xffffffff81c58eb8 <sysent+120>, l=0xffff84c3a78b7620, uap=0xffffba002a0a9000, 
    rval=0xffffba002a0a8fe0, code=5) at /usr/src/sys/sys/syscallvar.h:94
#21 0xffffffff802629b9 in syscall (frame=0xffffba002a0a9000) at /usr/src/sys/arch/x86/x86/syscall.c:140
#22 0xffffffff802096dd in handle_syscall ()
(gdb) 
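As an added illustration (not code from this report or from the NetBSD tree), here is a user-space model of the quoted code path, with the original behaviour beside a hardened variant that refuses to continue when no hook supplied a pathbuf; struct pathbuf, the hook variable, the pathbuf_copyin() stand-in and the choice of EFAULT are assumptions of the model:

```c
#include <errno.h>
#include <stddef.h>

/* Constructed user-space model of the do_sys_openat() logic quoted in the
 * report; not NetBSD kernel code. struct pathbuf, the hook variable and the
 * helper bodies are stand-ins. */
struct pathbuf { const char *s; };
/* Stand-in for vfs_openat_10_hook; NULL means no compat module is loaded. */
static int (*vfs_openat_10_hook)(struct pathbuf **pbp);

/* Stand-in for pathbuf_copyin(): a NULL user pointer fails with EFAULT. */
static int pathbuf_copyin(const char *path, struct pathbuf **pbp)
{
    static struct pathbuf storage;
    if (path == NULL)
        return EFAULT;
    storage.s = path;
    *pbp = &storage;
    return 0;
}

/* Returns 0 or an errno value; on success *pbp (if non-NULL) receives what
 * would be handed to pathbuf_stringcopy_get(). hardened != 0 selects the
 * variant that refuses to continue when no hook supplied a pathbuf. */
static int open_path_model(const char *path, int hardened, struct pathbuf **pbp)
{
    struct pathbuf *pb = NULL;  /* uninitialised in the kernel; 0x0 in gdb */
    int error;
    if (path == NULL) {
        /* MODULE_CALL_HOOK(vfs_openat_10_hook, (&pb), 0, error): with no
         * hook installed error takes the default 0 and pb is untouched. */
        error = vfs_openat_10_hook ? vfs_openat_10_hook(&pb) : 0;
        if (error)
            return error;
        if (hardened && pb == NULL)
            return EFAULT;      /* assumption: treat like a bad user pointer */
    } else if ((error = pathbuf_copyin(path, &pb)) != 0) {
        return error;
    }
    if (pbp != NULL)
        *pbp = pb;              /* original logic: pb == NULL here is the panic */
    return 0;
}

/* 1 if opening a NULL path would reach pathbuf_stringcopy_get() with pb == NULL. */
static int null_path_reaches_deref(int hardened)
{
    struct pathbuf *pb = (struct pathbuf *)1;
    return open_path_model(NULL, hardened, &pb) == 0 && pb == NULL;
}
```

With hardened == 0 the model reports that a NULL path reaches the dereference, which is the condition the backtrace shows; with hardened != 0 the syscall fails cleanly instead.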

>How-To-Repeat:
$ cat test.c
#include <stdio.h>
int main() { fopen(NULL, "r"); } 
$ gcc test.c
$ ./a.out
>Fix:
N/A


