Bug 243759

Summary: SIGBUS from "rpcinfo -m"
Product: Base System
Reporter: martin
Component: bin
Assignee: Mark Johnston <markj>
Status: Closed FIXED
Severity: Affects Only Me
CC: emaste, markj
Priority: ---
Version: 11.3-RELEASE
Hardware: Any
OS: Any

Description martin 2020-01-31 13:49:53 UTC
Running rpcinfo -m gets a SIGBUS with the following backtrace:

#0  xdr_rpcbs_rmtcalllist (xdrs=0x800e25418, objp=0xa486010001000000) at /usr/src/lib/libc/rpc/rpcb_st_xdr.c:151
#1  0x0000000800902d3f in xdr_pointer (xdrs=0x800e25418, objpp=0x800fb91ec, obj_size=<value optimized out>, xdr_obj=0x800871160 <xdr_rpcbs_rmtcalllist>) at /usr/src/lib/libc/xdr/xdr_reference.c:97
#2  0x0000000800871260 in xdr_rpcbs_rmtcalllist (xdrs=0x800e25418, objp=<value optimized out>) from /lib/libc.so.7
#3  0x0000000800902d3f in xdr_pointer (xdrs=0x800e25418, objpp=0x7fffffffe9c8, obj_size=<value optimized out>, xdr_obj=0x800871160 <xdr_rpcbs_rmtcalllist>) at /usr/src/lib/libc/xdr/xdr_reference.c:97
#4  0x0000000800871444 in xdr_rpcb_stat (xdrs=0x800e25418, objp=<value optimized out>) at /usr/src/lib/libc/rpc/rpcb_st_xdr.c:220
#5  0x000000080090d04b in xdr_vector (xdrs=0x800e25418, basep=0x7fffffffe980 "\022\001", nelem=3, elemsize=80, xdr_elem=0x8008713c0 <xdr_rpcb_stat>) at /usr/src/lib/libc/xdr/xdr_array.c:154
#6  0x000000080087147a in xdr_rpcb_stat_byvers (xdrs=<value optimized out>, objp=<value optimized out>) at /usr/src/lib/libc/rpc/rpcb_st_xdr.c:256
#7  0x0000000800909d89 in clnt_vc_call (cl=0x800e2a000, proc=12, xdr_args=0x401654 <xdr_void@plt>, args_ptr=0x0, xdr_results=0x401934 <xdr_rpcb_stat_byvers@plt>, results_ptr=0x7fffffffe980, timeout={tv_sec = 60, tv_usec = 0}) at /usr/src/lib/libc/rpc/clnt_vc.c:432
#8  0x00000000004022c4 in main (argc=<value optimized out>, argv=0x7fffffffeaf8) at /usr/src/usr.bin/rpcinfo/rpcinfo.c:1025
#9  0x0000000000401a2d in _start ()
#10 0x0000000800629000 in ?? ()
#11 0x0000000000000000 in ?? ()

I think the problem might be caused by base r173763, where the variable pnext in xdr_rpcbs_rmtcalllist is uninitialized in 2 of the 3 calls to xdr_pointer.  Probably ``pnext = &objp->next;'' should be moved outside the if statements.
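The pattern the report describes, as an added example that is not part of this bug report or of FreeBSD's libc: a constructed miniature XDR (invented names, a fixed-size word buffer, a two-field list node) in which the pointer to the node's next field is assigned once, ahead of the ENCODE/DECODE/FREE branches, the way the fix moves `pnext = &objp->next;` out of the if statements, so that all three xdr_pointer() calls receive a valid pointer. The round-trip function encodes a three-node list, decodes a copy from the same words, compares the two, and frees the copy through the FREE path.

```c
/* Constructed miniature of the XDR ENCODE/DECODE/FREE pattern; names are invented. */
#include <stdint.h>
#include <stdlib.h>
enum xdr_op { XDR_ENCODE, XDR_DECODE, XDR_FREE };
typedef struct { enum xdr_op x_op; uint32_t buf[32]; size_t pos; } XDR;
typedef struct node { uint32_t prog, success; struct node *next; } node;
static int xdr_node(XDR *x, node *objp);

static int xdr_u32(XDR *x, uint32_t *v) {            /* one 32-bit word */
    if (x->pos >= 32) return 0;
    if (x->x_op == XDR_ENCODE) x->buf[x->pos] = *v;
    else if (x->x_op == XDR_DECODE) *v = x->buf[x->pos];
    x->pos++; return 1;
}

/* Optional pointer: presence flag, then the object. DECODE allocates and FREE
 * releases through objpp, so objpp must point at a real, initialised slot. */
static int xdr_pointer(XDR *x, node **objpp) {
    uint32_t more = (*objpp != NULL);
    if (x->x_op != XDR_FREE && !xdr_u32(x, &more)) return 0;
    if (!more) { *objpp = NULL; return 1; }
    if (x->x_op == XDR_DECODE && !(*objpp = calloc(1, sizeof **objpp))) return 0;
    if (!xdr_node(x, *objpp)) return 0;
    if (x->x_op == XDR_FREE) { free(*objpp); *objpp = NULL; }
    return 1;
}

/* The fix: pnext is assigned once, ahead of the per-mode branches. In the buggy
 * shape only the ENCODE path set it; the DECODE and FREE calls got garbage. */
static int xdr_node(XDR *x, node *objp) {
    node **pnext = &objp->next;
    if (x->x_op == XDR_ENCODE)
        return xdr_u32(x, &objp->prog) && xdr_u32(x, &objp->success) && xdr_pointer(x, pnext);
    if (x->x_op == XDR_DECODE)
        return xdr_u32(x, &objp->prog) && xdr_u32(x, &objp->success) && xdr_pointer(x, pnext);
    return xdr_pointer(x, pnext);                     /* XDR_FREE: release the tail */
}

/* Encode a constructed 3-node list, decode a copy from the same words, compare, free it. */
size_t roundtrip_words(void) {                        /* words encoded, or 0 on failure */
    node c = {300, 0, NULL}, b = {200, 1, &c}, a = {100, 1, &b}, *head = &a, *copy = NULL, *p, *q;
    XDR x = {XDR_ENCODE, {0}, 0};
    if (!xdr_pointer(&x, &head)) return 0;
    size_t words = x.pos; x.x_op = XDR_DECODE; x.pos = 0;
    if (!xdr_pointer(&x, &copy)) return 0;
    for (p = copy, q = head; p && q; p = p->next, q = q->next)
        if (p->prog != q->prog || p->success != q->success) return 0;
    x.x_op = XDR_FREE;
    return (!p && !q && xdr_pointer(&x, &copy) && copy == NULL) ? words : 0;
}
```

Three nodes cost a presence flag plus two words each, and the list ends with one zero flag, so the round trip encodes ten words.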
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2020-02-05 00:44:31 UTC
(In reply to martin from comment #0)
I think you are right.  It took me a minute to see what you're talking about since the indentation in that function is completely wrong. :(
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-02-05 16:10:41 UTC
A commit references this bug:

Author: markj
Date: Wed Feb  5 16:10:09 UTC 2020
New revision: 357576
URL: https://svnweb.freebsd.org/changeset/base/357576

Log:
  Fix a use of an uninitialized pointer in xdr_rpcbs_rmtcalllist().

  This appears to have been introduced in r173763.  Also fix the confusing
  indentation that probably led to the bug in the first place.

  PR:		243759
  Diagnosed by:	martin@lispworks.com
  MFC after:	2 weeks
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/lib/libc/rpc/rpcb_st_xdr.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-02-19 16:18:40 UTC
A commit references this bug:

Author: markj
Date: Wed Feb 19 16:17:51 UTC 2020
New revision: 358121
URL: https://svnweb.freebsd.org/changeset/base/358121

Log:
  MFC r357576:
  Fix a use of an uninitialized pointer in xdr_rpcbs_rmtcalllist().

  PR:	243759

Changes:
_U  stable/12/
  stable/12/lib/libc/rpc/rpcb_st_xdr.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-02-19 16:18:41 UTC
A commit references this bug:

Author: markj
Date: Wed Feb 19 16:18:27 UTC 2020
New revision: 358122
URL: https://svnweb.freebsd.org/changeset/base/358122

Log:
  MFC r357576:
  Fix a use of an uninitialized pointer in xdr_rpcbs_rmtcalllist().

  PR:	243759

Changes:
_U  stable/11/
  stable/11/lib/libc/rpc/rpcb_st_xdr.c
Comment 5 Mark Johnston freebsd_committer freebsd_triage 2020-02-19 16:19:42 UTC
Thank you for the report.