bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Seg fault in 1.12.5


From: Steve McIntyre
Subject: Seg fault in 1.12.5
Date: Sat, 21 Feb 2004 16:58:50 +0000
User-agent: Mutt/1.5.5.1+cvs20040105i

Guys,

I've just had a bug reported in Debian about 1.12.5:

===========================================================================

$ cvs update -jupstream_version_2_12_0-CVS20031225 
-jupstream_version_2_13_0-rc1-CVS20040221
AUTHORS already contains the differences between 1.1.1.1 and 1.1.1.2
ChangeLog already contains the differences between 1.1.1.3 and 1.1.1.5
INSTALL already contains the differences between 1.1.1.1 and 1.1.1.3
R INSTALL.jp
Makefile.am already contains the differences between 1.1.1.3 and
1.1.1.5
cvs update: use `cvs add' to create an entry for `Makefile.in'
Segmentation fault

See attached ltrace.  Tarball of the repository is available upon
request.

Severity grave because:
 1) This renders cvs unusable if you hit the bug
 2) strcmp something to NULL makes me suspicious that it is part of
    a security hole

This bug was reproduced in the 1.12.2-2 version of the package.
Package version 1.12.1-7 did not exibit the bug. (I love
snapshot.debian.net
:) ), and managed to apply the update.

===========================================================================

The end of the trace output looks like:

__ctype_b_loc(0x080e3300, 0x080dc0e0, 3, 0x080d7088, 13794) = 0x4bee4fb8
strlen("upstream_version_2_12_0-CVS20031"...)    = 35
strchr("upstream_version_2_13_0-rc1-CVS2"..., 'u') = 
"upstream_version_2_13_0-rc1-CVS2"...
strncmp("upstream_version_2_13_0-rc1-CVS2"..., 
"upstream_version_2_12_0-CVS20031"..., 35) = 1
strchr("\n\tupstream_version_2_13_0-rc1:1."..., 'u') = 
"upstream_version_2_13_0-rc1:1.1."...
strncmp("upstream_version_2_13_0-rc1:1.1."..., 
"upstream_version_2_12_0-CVS20031"..., 35) = 1
strchr("\n\tupstream_version_2_12_0-CVS200"..., 'u') = 
"upstream_version_2_12_0-CVS20031"...
strncmp("upstream_version_2_12_0-CVS20031"..., 
"upstream_version_2_12_0-CVS20031"..., 35) = 0
malloc(8)                                        = 0x080dc118
strncpy(0x080dc118, "1.1.1.3", 7)                = 0x080dc118
strrchr("1.1.1.3", '.')                          = ".3"
strlen("1.1.1.3")                                = 7
malloc(8)                                        = 0x080dc128
sprintf(".0.", ".%d.", 0)                        = 3
strlen(".0.")                                    = 3
strncmp(".0.", ".1.3", 3)                        = -1
free(0x080dc128)                                 = <void>
strlen("1.1.1.3")                                = 7
strcmp("1.1.1.3", "1.1.1.3")                     = 0
strcmp("1.1.1.5", "1.1.1.5")                     = 0
strcmp("1.1.1.3", "1.1.1.5")                     = -2
strcmp("Sun Dec 28 02:49:35 2003", NULL <unfinished ...>

The reporter has given me his repository and I can reproduce the bug,
to the point of getting a core dump myself. Back trace shows the
crash comes from strmcp() in join_file(); ts_rcs is NULL:

(gdb) bt
#0  0x400f77d4 in strcmp () from /lib/libc.so.6
#1  0x0809a52e in join_file (finfo=0xbffff390, vers=0x80dba38) at
update.c:2299
#2  0x08097b92 in update_fileproc (callerdat=0x0, finfo=0xbffff390) at
update.c:764
#3  0x08086ea0 in do_file_proc (p=0x0, closure=0xbffff380) at
recurse.c:931
#4  0x08065ccd in walklist (list=0x80da798, proc=0x8086e20
<do_file_proc>, closure=0xbffff380) at hash.c:362
#5  0x08086a46 in do_recursion (frame=0xbffff420) at recurse.c:828
#6  0x08087244 in do_dir_proc (p=0x0, closure=0xbffff4d8) at
recurse.c:1211
#7  0x08065ccd in walklist (list=0x80d8380, proc=0x8086f50
<do_dir_proc>, closure=0xbffff4d8) at hash.c:362
#8  0x08086b56 in do_recursion (frame=0xbffff5a0) at recurse.c:858
#9  0x08086399 in start_recursion (fileproc=0x8097a30
<update_fileproc>, 
    filesdoneproc=0x8097fc0 <update_filesdone_proc>,
    direntproc=0x8098120 <update_dirent_proc>, 
    dirleaveproc=0x80984e0 <update_dirleave_proc>, callerdat=0x0,
    argc=0, argv=0x80d7768, local=0, which=7, 
    aflag=0, locktype=1, update_preload=0x0, dosrcs=1,
    repository_in=0xbffff5a0 "0z\t\b\177\t\b \201\t\b#10 0x080979e7 in
    do_update (argc=0, argv=0x0, xoptions=0x0, xtag=0x0, xdate=0x0,
    xforce=0, local=0, xbuild=0, 
    xaflag=0, xprune=0, xpipeout=0, which=0, xjoin_rev1=0x0,
    xjoin_rev2=0x0, preload_update_dir=0x0, xdotemplate=0, 
    repository=0x0) at update.c:502
#11 0x08097693 in update (argc=0, argv=0x80d7348) at update.c:416
#12 0x08073466 in main (argc=4, argv=0x80d7338) at main.c:1057
(gdb) up
#1  0x0809a52e in join_file (finfo=0xbffff390, vers=0x80dba38) at update.c:2299
2299            && strcmp (vers->ts_user, vers->ts_rcs) == 0
(gdb) p *vers
$1 = {vn_user = 0x0, vn_rcs = 0x80dc620 "1.5", vn_tag = 0x80dc610 "1.5", 
  ts_user = 0x80dc260 "Sun Dec 28 02:49:35 2003", ts_rcs = 0x0,
  options = 0x80dc5e8 "-ko", ts_conflict = 0x0, 
  tag = 0x0, date = 0x0, nonbranch = 0, entdata = 0x0, srcfile =
  0x80dc2f0}

I've never looked through this area of the code myself, so some help
here would be appreciated. The repository in question is quite small
(<10MB as a tar.bz2) if anybody wants a copy...

-- 
Steve McIntyre, Cambridge, UK.                                address@hidden
"It's actually quite entertaining to watch ag129 prop his foot up on
 the desk so he can get a better aim."          [ seen in ucam.chat ]

Attachment: signature.asc
Description: Digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]