| ID | 0000606 |
| Category | [BusyBox] Other |
| Severity | crash |
| Reproducibility | always |
| Date Submitted | 12-19-05 03:23 |
| Last Update | 01-09-06 21:34 |
| Reporter | iggarpe |
| View Status | public |
| Assigned To | BusyBox |
| Priority | normal |
| Resolution | fixed |
| Status | closed |
| Product Version | |
| Summary | 0000606: mount -a crashes |
| Description |
mount -a causes a crash, at least when used with the attached fstab. Tested under Fedora Core 4 with latest glibc updates. The crash is reported by glibc as follows:

    *** glibc detected *** ./busybox: double free or corruption (top): 0x09116170 ***
    ======= Backtrace: =========
    /lib/libc.so.6[0x97f124]
    /lib/libc.so.6(__libc_free+0x77)[0x97f65f]
    /lib/libc.so.6(fclose+0x148)[0x970c40]
    ./busybox[0x80adaf1]
    ./busybox[0x804ddfe]
    Aborted
Notes
(0000799) iggarpe 12-19-05 03:56 edited on: 12-19-05 04:26 |
CHASED: this is a really ugly one, caused by the hideous usage of gotos in the mount.c code. Here we go:

There are several places where the code executes a goto to mount_it_now. Since that label is inside a couple of loops, whose initialization code would not be executed if the goto is executed, there is code in place to break the loops in this special case: f is checked, and if it is NULL, the loop breaks. Thus, all of this working depends exclusively on f having a default value of NULL.

But there is the outer loop that iterates through entries in fstab. If there is an entry of type "auto", and the /proc/filesystems iteration loop gets executed, then f ends up with a non-NULL value. Then, if there is another entry in fstab with a specific filesystem type, the goto mount_it_now gets executed, but the loop doesn't break, continues, and since i has an undefined value, BOOM!!!

The attached patch fixed this issue, though I think what the code actually needs is a rewrite to avoid these error-prone practices.

Please also apply my other trivial patch to fix "mount -t auto" (issue 0000534).
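The control flow described in the note above, reduced to a self-contained C model. This is an added example, not BusyBox's mount.c and not the attached patch. The function name, the `handle` struct, `NPROBE` and the per-entry reset are assumptions, and the second close of the stale handle is an assumption consistent with the fclose frame in the reported backtrace.

```c
#include <stdio.h>
#include <string.h>

#define NPROBE 2   /* constructed: number of types the probe loop tries */

/* Stand-in for the FILE* on /proc/filesystems: it counts closes instead of
 * calling fclose(), so a double close is observable rather than fatal. */
struct handle { int closes; };

/* Walks fstab-like type strings (n <= 8) and returns how many times a handle
 * was closed twice. reset_sentinel=0 models the flow described in the note,
 * reset_sentinel=1 re-arms the NULL sentinel for every entry. */
int count_double_closes(const char *const *types, size_t n, int reset_sentinel)
{
    struct handle pool[8] = {{0}};  /* one slot per simulated fopen() */
    struct handle *f = NULL;        /* NULL doubles as "entered via goto" */
    size_t opened = 0;
    int double_closes = 0;

    for (size_t e = 0; e < n; e++) {
        int i = 0;                  /* initialised so the model has no UB */
        if (reset_sentinel)
            f = NULL;
        if (strcmp(types[e], "auto") != 0)
            goto mount_it_now;      /* specific type: skips the loop setup */

        f = &pool[opened++];        /* simulated fopen() for the probe loop */
        for (i = 0; i < NPROBE; i++) {
mount_it_now:
            /* the mount attempt would happen here */
            if (!f)
                break;              /* arrived through the goto: leave */
        }
        if (f && f->closes++ > 0)   /* simulated fclose(f) */
            double_closes++;        /* stale f closed again: double free */
    }
    return double_closes;
}

int main(void)
{
    const char *const fstab[] = { "auto", "ext3" };   /* constructed entries */
    printf("stale sentinel: %d double close(s)\n", count_double_closes(fstab, 2, 0));
    printf("reset per entry: %d double close(s)\n", count_double_closes(fstab, 2, 1));
    return 0;
}
```

The result depends on entry order: a specific type placed before the first "auto" entry still sees f as NULL, which is why the crash only shows up with some fstab files.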
(0000900) landley 01-09-06 21:34 |
The description of 607 said this was another symptom of that same bug, and applying the patch should fix both. I still haven't got a test environment for this, but I finally understand what the problem was, and yeah the gotos are nasty. (I knew that, but fixing it without increasing the resulting binary size is tricky. I'm holding off until after 1.1.0 for now...) Ping the mailing list if there's still a problem.

I need to do a proper test environment for mount. Tricky to automate the regression testing of something that requires you to be root, chroot, mount /proc, and write an /etc/fstab to test them properly. I'm working on it...