I said I'd never blog

DeforaOS, NetBSD, reverse-engineering and stuff
pkg_install is segfaulting
Blog post by khorben
on Saturday, April 4 2009, 22:28

Categories: netbsd, segfault

Currently analyzing this:

Core was generated by `pkg_info'.
Program terminated with signal 11, Segmentation fault.
#0  var_get_memory (buf=0x0, variable=0x7f7ffffffed9 "OBJECT_FMT") at var.c:161
161             for (; *buf; buf = next) {
(gdb) bt
#0  var_get_memory (buf=0x0, variable=0x7f7ffffffed9 "OBJECT_FMT") at var.c:161
#1  0x000000000040524b in show_var (buf=0x7f7ffffffed9 "OBJECT_FMT", 
   variable=0x7f7ffd209b25 "[ $wrapper_re") at show.c:137
#2  0x00000000004043d2 in pkg_do (pkg=0x7f7ffd205080 "nasm-2.05.01")
   at perform.c:371
#3  0x00000000004048fb in pkg_perform (pkghead=0x51dcc0) at perform.c:624
#4  0x0000000000403de2 in main (argc=<value optimized out>, 
   argv=<value optimized out>) at main.c:352
(gdb) print buf
$1 = 0x0

First, it doesn't look like 30276.

The calls to malloc and realloc would benefit from being checked for errors:

In pkg_install-20081013/lib/var.c, function var_get_memory:
147 char *
148 var_get_memory(const char *buf, const char *variable)
149 {
[...]
173                 if (value) {
174                         value = realloc(value, valuelen+thislen+2);
175                         value[valuelen++] = '\n';
176                 }
177                 else {
178                         value = malloc(thislen+1);
179                 }
180                 sprintf(value + valuelen, "%.*s", (int)thislen, data);

(they were replaced by xmalloc and xrealloc in the latest version; not sure whether they abort in case of error or whatever)

This code is only called when using pkg_info -Q (from reading info/main.c and info/perform.c). I get this:

# /usr/pkg/sbin/pkg_info -Q OBJECT_FMT nasm
Memory fault (core dumped)
# gdb /usr/pkg/sbin/pkg_info pkg_info.core
[...]
(gdb) set print elements 0
(gdb) break var_get_memory
(gdb) run -Q OBJECT_FMT nasm
[...]
(gdb) x/s buf
[...]
(gdb) next
[...]
(gdb) break 166

The code walks all the way to the end of the string, and crashes when it can't find the desired value (shortly after hitting line 166). But even after modifying the code for clarity, it gets really weird:


161             while (buf && *buf) {
(gdb) print buf
$2 = 0x7f7ffd207b25 "[ $wrapper_re"
(gdb) step
Program received signal SIGSEGV, Segmentation fault.
0x000000000040def7 in var_get_memory (buf=0x0, 
   variable=0x7f7fffffff02 "OBJECT_FMT") at var.c:161
161             while (buf && *buf) {
(gdb) print buf
$3 = 0x0

I feel like I'm just wasting time... :(
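Both defects seen above (the NULL buffer reaching the loop, and the unchecked malloc/realloc in the matching branch) are shown here in a hardened reimplementation of the same lookup. This is an added example written for this post, not pkg_install's own var_get_memory: the function name var_get_memory_safe, the helper lookup_equals and the sample buffer are all constructed for illustration, and the "VAR=value" line format is assumed from the snippet above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical, hardened variant of var_get_memory (not the pkg_install code).
 * Scans buf, a NUL-terminated block of "NAME=value\n" lines, and returns a
 * freshly allocated string holding every value for `variable`, joined by '\n'.
 * Returns NULL when buf is NULL, when nothing matches, or when an allocation
 * fails; the caller frees the result.
 */
char *
var_get_memory_safe(const char *buf, const char *variable)
{
    char *value = NULL;
    size_t valuelen = 0;
    size_t varlen;

    /* The crash in the trace above: buf == 0x0 reached `for (; *buf; ...)`. */
    if (buf == NULL || variable == NULL)
        return NULL;
    varlen = strlen(variable);

    while (*buf) {
        const char *next = strchr(buf, '\n');
        size_t linelen = next ? (size_t)(next - buf) : strlen(buf);

        /* Match "VARIABLE=" at the start of the line only; a longer name
         * such as "VARIABLEX=" must not match. */
        if (linelen > varlen && strncmp(buf, variable, varlen) == 0 &&
            buf[varlen] == '=') {
            const char *data = buf + varlen + 1;
            size_t thislen = linelen - varlen - 1;

            if (value) {
                /* realloc into a temporary so a failure does not leak or
                 * dereference a NULL result (the unchecked pattern above). */
                char *tmp = realloc(value, valuelen + thislen + 2);
                if (tmp == NULL) {
                    free(value);
                    return NULL;
                }
                value = tmp;
                value[valuelen++] = '\n';
            } else {
                value = malloc(thislen + 1);
                if (value == NULL)
                    return NULL;
            }
            /* Bounded copy instead of sprintf; sizes computed above. */
            memcpy(value + valuelen, data, thislen);
            valuelen += thislen;
            value[valuelen] = '\0';
        }
        buf = next ? next + 1 : buf + linelen;
    }
    return value;
}

/* Test helper: 1 if the lookup yields `expected` (NULL meaning "no result"). */
int
lookup_equals(const char *buf, const char *variable, const char *expected)
{
    char *got = var_get_memory_safe(buf, variable);
    int ok;

    if (got == NULL || expected == NULL)
        ok = (got == expected);
    else
        ok = (strcmp(got, expected) == 0);
    free(got);
    return ok;
}

/* Constructed sample, not real +BUILD_INFO contents. */
const char *SAMPLE_VARS =
    "OBJECT_FMT=ELF\n"
    "OBJECT_FMTX=should-not-match\n"
    "MACHINE_ARCH=x86_64\n"
    "OBJECT_FMT=a.out";

int
main(void)
{
    char *v = var_get_memory_safe(SAMPLE_VARS, "OBJECT_FMT");
    printf("OBJECT_FMT -> %s\n", v ? v : "(null)");
    free(v);
    return 0;
}
```

The two checks that matter for the crash are the early return on a NULL buffer and the temporary pointer around realloc; everything else is the same walk over the lines, with the sprintf replaced by a memcpy whose length was already computed.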
