The locate command assumes that a database file is perfect, but it dumps a core file with a broken database. I don't think it should dump a core file even if it uses a broken database.

Fix: I think a check routine is needed in locate/fastfind.c near...:

    290         if (*s == cc
    291 #ifdef FF_ICASE
    292             || TOLOWER(*s) == cc
    293 #endif /* FF_ICASE */
    294         ) { /* fast first char check */
    295             for (p = patend - 1, q = s - 1; *p != '\0';
    296                  p--, q--)
    297                 if (*q != *p
    298 #ifdef FF_ICASE
    299                     && TOLOWER(*q) != *p

How-To-Repeat:

    % cat /var/db/locate.db ~/somefile >locate.db
    % locate -d ./locate.db word
    (some search results)
    Segmentation fault (core dumped)
State Changed From-To: open->feedback
Looks like nobody's stepped forward to claim this one. Since this doesn't seem to be something a lot of people complain about, you may want to try to come up with a patch yourself. Please post followup to freebsd-gnats-submit@FreeBSD.org if you come up with something.
Responsible Changed From-To: freebsd-bugs->wosch I'm the maintainer of locate
State Changed From-To: feedback->open
State Changed From-To: open->feedback
To submitter: is this still a problem with modern versions of FreeBSD?
http://www.freebsd.org/cgi/query-pr.cgi?pr=32686

Adding to audit trail from personal email:

Yes, it is still a problem with 4.10-STABLE. Try the following, please.

    % cat /var/db/locate.db ~/somefile >locate.db
    % locate -d ./locate.db word
    (some search results)
    Segmentation fault (core dumped)

-- Koga, Youichirou
State Changed From-To: feedback->open Feedback received some time ago.
Following patch adds a basic check which fixes the test case for me. There are probably still ways to make locate crash with corrupted databases. -- Jaakko
On 2008-03-18, Jaakko Heinonen wrote:
> > > + if (count < 0 || count >= MAXPATHLEN)
> > > + errx(1, "corrupted database: %s", database);
> I think that the latter test should be count > MAXPATHLEN. Updated patch
> is attached.

Submit updated patch also to the PR so it doesn't get lost.

-- Jaakko
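As an added example (not FreeBSD's fastfind.c, and not a parser for the real locate.db encoding), here is a simplified front-compressed path decoder of the kind locate uses, written to show the two bounds a corrupted database needs: the offset check discussed in this thread, tightened to the length of the previous path, and a bound on the appended suffix that the patch above does not add. The record format, the OFFSET value, the MAXPATHLEN fallback and the constructed sample databases (including one that mimics the PR's `cat locate.db ~/somefile` repro) are all assumptions made for this example.

```c
/*
 * Added example, not FreeBSD code. Record format (assumed for the example):
 *   byte 0   : OFFSET + delta, delta changing the length of the prefix shared
 *              with the previous path (as in locate, minus SWITCH/UMLAUT/bigram)
 *   byte 1.. : suffix bytes, terminated by '\0'
 */
#include <stddef.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024     /* assumed fallback for non-BSD builds */
#endif
#define OFFSET 14           /* assumed bias: stored byte = delta + OFFSET */
#define MAX_RECORDS 8       /* capacity of the test collector below */

enum dec_status { DEC_OK, DEC_BAD_OFFSET, DEC_TOO_LONG, DEC_TRUNC };

typedef void (*path_cb)(const char *path, void *arg);

enum dec_status decode_db(const unsigned char *db, size_t len, path_cb cb, void *arg)
{
    char path[MAXPATHLEN];
    int count = 0;      /* length of prefix reused from the previous path */
    int pathlen = 0;    /* length of the previous path actually in path[] */
    size_t i = 0;

    while (i < len) {
        count += (int)db[i++] - OFFSET;

        /*
         * r190656 rejects count < 0 || count > MAXPATHLEN. A prefix cannot be
         * longer than the path it is copied from, so the tighter bound below
         * implies that one and keeps p inside the bytes already written.
         * Junk concatenated onto the database shows up here as a wild delta.
         */
        if (count < 0 || count > pathlen)
            return DEC_BAD_OFFSET;

        char *p = path + count;
        for (;;) {
            if (i >= len)
                return DEC_TRUNC;           /* record cut off mid-suffix */
            unsigned char c = db[i++];
            if (c == '\0')
                break;
            /* Second bound the patch does not add: leave room for the NUL. */
            if (p >= path + MAXPATHLEN - 1)
                return DEC_TOO_LONG;
            *p++ = (char)c;
        }
        *p = '\0';
        pathlen = (int)(p - path);
        cb(path, arg);
    }
    return DEC_OK;
}

/* --- self-test scaffolding: a collector and constructed sample databases --- */

struct collector { char out[MAX_RECORDS][MAXPATHLEN]; int n; };

static void collect(const char *path, void *arg)
{
    struct collector *c = arg;
    if (c->n < MAX_RECORDS)
        strcpy(c->out[c->n++], path);   /* decode_db always NUL-terminates within MAXPATHLEN */
}

static struct collector last;

enum dec_status run_decode(const unsigned char *db, size_t len)
{
    memset(&last, 0, sizeof last);
    return decode_db(db, len, collect, &last);
}
int         run_count(void) { return last.n; }
const char *run_path(int i) { return last.out[i]; }

/* Constructed: three front-compressed paths. */
static const unsigned char good_db[] = {
    OFFSET + 0,  '/','u','s','r','/','b','i','n','/','l','s', 0,   /* "/usr/bin/ls" */
    OFFSET + 10, 'o','c','a','t','e', 0,                           /* keep "/usr/bin/l" */
    OFFSET - 5,  'l','o','c','a','l','/','b','i','n','/','x', 0,   /* keep "/usr/" */
};

/* Constructed: a valid record followed by stray bytes, as when a text file is
 * concatenated onto the database; 0xff is read as a delta of +241. */
static const unsigned char jump_db[] = {
    OFFSET + 0, '/','u','s','r','/','b','i','n','/','l','s', 0,
    0xff, 'x', 0,
};

/* Constructed: a record missing its terminator. */
static const unsigned char trunc_db[] = { OFFSET + 0, '/','e','t','c' };

/* Constructed at runtime: one record whose suffix is MAXPATHLEN bytes long. */
enum dec_status run_long_suffix_case(void)
{
    static unsigned char buf[MAXPATHLEN + 2];
    buf[0] = OFFSET;
    memset(buf + 1, 'A', MAXPATHLEN);
    buf[MAXPATHLEN + 1] = '\0';
    return run_decode(buf, sizeof buf);
}
```

With the PR's repro the bytes of the appended file are consumed as offset deltas; in this decoder they fail the count > pathlen test and the caller gets DEC_BAD_OFFSET instead of a write through a pointer that has left path[], which is the segmentation fault the report describes.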
Responsible Changed From-To: wosch->freebsd-bugs wosch has had his src bit taken in for safekeeping.
State Changed From-To: open->analyzed Patch looks reasonable to me. I will take this.
Responsible Changed From-To: freebsd-bugs->murray Patch looks reasonable to me. I will take this.
Responsible Changed From-To: murray->delphij Take
State Changed From-To: analyzed->patched Patch applied against -HEAD.
Author: delphij Date: Thu Apr 2 21:23:04 2009 New Revision: 190656 URL: http://svn.freebsd.org/changeset/base/190656 Log: Don't crash when we have an invalid count number. PR: bin/32686 Submitted by: Jaakko Heinonen <jh saunalahti.fi> MFC after: 1 week Modified: head/usr.bin/locate/locate/fastfind.c Modified: head/usr.bin/locate/locate/fastfind.c ============================================================================== --- head/usr.bin/locate/locate/fastfind.c Thu Apr 2 21:16:20 2009 (r190655) +++ head/usr.bin/locate/locate/fastfind.c Thu Apr 2 21:23:04 2009 (r190656) @@ -216,6 +216,8 @@ fastfind count += c - OFFSET; } + if (count < 0 || count > MAXPATHLEN) + errx(1, "corrupted database: %s", database); /* overlay old path */ p = path + count; foundchar = p - 1; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
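Review bot: `count > MAXPATHLEN` still admits count == MAXPATHLEN, so if path is a MAXPATHLEN-byte array (its declaration is outside the hunk) `p = path + count` points one past its end before a single byte of the new record is stored; the `count >= MAXPATHLEN` form from the earlier draft in this thread is the safe bound, and a tighter one is to reject any count larger than the length of the previous path, since a shared prefix cannot exceed it. The check also bounds only the starting offset: nothing in this hunk limits how far p advances after `foundchar = p - 1;`, which is the residual crash the patch author himself anticipated.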
Author: delphij Date: Sat Apr 11 14:10:42 2009 New Revision: 190920 URL: http://svn.freebsd.org/changeset/base/190920 Log: MFC r190656: Fix a crash when corrupted data file is found. PR: bin/32686 Approved by: re (kib) Modified: stable/7/usr.bin/locate/ (props changed) stable/7/usr.bin/locate/locate/fastfind.c Modified: stable/7/usr.bin/locate/locate/fastfind.c ============================================================================== --- stable/7/usr.bin/locate/locate/fastfind.c Sat Apr 11 14:01:01 2009 (r190919) +++ stable/7/usr.bin/locate/locate/fastfind.c Sat Apr 11 14:10:42 2009 (r190920) @@ -216,6 +216,8 @@ fastfind count += c - OFFSET; } + if (count < 0 || count > MAXPATHLEN) + errx(1, "corrupted database: %s", database); /* overlay old path */ p = path + count; foundchar = p - 1;
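Review bot: `errx(1, ...)` terminates on the first bad offset, so a corrupted database produces the one-line diagnostic and nothing else, even when earlier records were read fine; the rest of this audit trail shows that was revisited later, with the 2022 main-branch commit referenced at the end of the PR stopping on error but still displaying the statistics. Otherwise a verbatim backport of the r190656 hunk, so the same boundary question on count == MAXPATHLEN applies.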
Author: delphij Date: Sat Apr 11 14:13:39 2009 New Revision: 190922 URL: http://svn.freebsd.org/changeset/base/190922 Log: MFC r190656: Fix a crash when corrupted data file is found. PR: bin/32686 Modified: stable/6/usr.bin/locate/ (props changed) stable/6/usr.bin/locate/locate/fastfind.c Modified: stable/6/usr.bin/locate/locate/fastfind.c ============================================================================== --- stable/6/usr.bin/locate/locate/fastfind.c Sat Apr 11 14:12:44 2009 (r190921) +++ stable/6/usr.bin/locate/locate/fastfind.c Sat Apr 11 14:13:39 2009 (r190922) @@ -216,6 +216,8 @@ fastfind count += c - OFFSET; } + if (count < 0 || count > MAXPATHLEN) + errx(1, "corrupted database: %s", database); /* overlay old path */ p = path + count; foundchar = p - 1;
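Review bot: the diagnostic names only the database file; including the rejected value, e.g. `errx(1, "corrupted database: %s (bad offset %d)", database, count);`, would let a user tell a database with junk appended at the end (the PR's repro) from one that is wrong from the first record, at no cost. The hunk is otherwise identical to r190656 and inherits its `count > MAXPATHLEN` boundary.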
State Changed From-To: patched->closed Fix has been committed on all supported -STABLE branches (stable/7 and stable/6).
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7a74bbc41b38fc7f43d66ba868e22a97f08f660

commit b7a74bbc41b38fc7f43d66ba868e22a97f08f660
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2022-01-25 15:58:29 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2022-01-25 15:59:41 +0000

    stop on error and display the statistics anyway

    PR: 32686

 usr.bin/locate/locate/fastfind.c | 6 ++++++
 1 file changed, 6 insertions(+)