Bug 32686

Summary:

[patch] locate(1) dumps a core file with broken database

Product:

Base System

Reporter:

y-koga <y-koga>

Component:

bin

Assignee:

Xin LI <delphij>

Status:

Closed FIXED

Severity:

Affects Only Me

Priority:

Normal

Version:

4.4-STABLE

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
locate-coredump.diff	none
locate-coredump.diff	none

Description y-koga 2001-12-11 04:20:01 UTC

locate command assumes that a database file is perfect,
but it dumps a core file with a broken database.

I don't think it should not dump a core file
even if it uses a broken database.

Fix: 

I think a check routine is needed in locate/fastfind.c near...:
290                             if (*s == cc
291     #ifdef FF_ICASE
292                                 || TOLOWER(*s) == cc
293     #endif /* FF_ICASE */
294                                 ) { /* fast first char check */
295                                     for (p = patend - 1, q = s - 1; *p != '\0';
296                                          p--, q--)
297                                             if (*q != *p
298     #ifdef FF_ICASE
299                                                 && TOLOWER(*q) != *p
How-To-Repeat: % cat /var/db/locate.db ~/somefile >locate.db
% locate -d ./locate.db word
(some search results)
Segmentation fault (core dumped)

Comment 1 Sheldon Hearn freebsd_committer

2001-12-30 12:28:06 UTC

State Changed
From-To: open->feedback

Looks like nobody's stepped forward to claim this one.  Since this 
doesn't seem to be something a lot of people complain about, you 
may want to try come up with a patch yourself. 

Please post followup to freebsd-gnats-submit@FreeBSD.org if you come 
up with something.

Comment 2 Wolfram Schneider freebsd_committer

2002-01-01 17:57:01 UTC

Responsible Changed
From-To: freebsd-bugs->wosch

I'm the maintainer of locate

Comment 3 Mark Linimon freebsd_committer

2004-12-05 06:26:51 UTC

State Changed
From-To: feedback->open

Comment 4 Mark Linimon freebsd_committer

2004-12-05 06:27:37 UTC

State Changed
From-To: open->feedback

To submitter: is this still a problem with modern versions of FreeBSD? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32686 

Adding to audit trail from personal email:

Yes, it is still a problem with 4.10-STABLE.

Try following, please.

% cat /var/db/locate.db ~/somefile >locate.db
% locate -d ./locate.db word
(some search results)
Segmentation fault (core dumped)

-- Koga, Youichirou

Comment 5 Mark Linimon freebsd_committer

2005-03-21 06:45:50 UTC

State Changed
From-To: feedback->open

Feedback received some time ago.

Comment 6 Jaakko Heinonen 2008-02-09 12:03:36 UTC

Following patch adds a basic check which fixes the test case for me.
There are probably still ways to make locate crash with corrupted
databases.

-- 
Jaakko

Comment 7 Jaakko Heinonen 2008-10-07 16:37:17 UTC

On 2008-03-18, Jaakko Heinonen wrote:
> > >  +              if (count < 0 || count >= MAXPATHLEN)
> > >  +                      errx(1, "corrupted database: %s", database);
> 
> I think that the latter test should be count > MAXPATHLEN. Updated patch
> is attached.

Submit updated patch also to the PR so it doesn't get lost.

-- 
Jaakko

Comment 8 Mark Linimon freebsd_committer

2008-11-12 15:09:31 UTC

Responsible Changed
From-To: wosch->freebsd-bugs

wosch has had his src bit taken in for safekeeping.

Comment 9 Murray Stokely freebsd_committer

2008-12-16 05:57:09 UTC

State Changed
From-To: open->analyzed

Patch looks reasonable to me.  I will take this.

Comment 10 Murray Stokely freebsd_committer

2008-12-16 05:57:09 UTC

Responsible Changed
From-To: freebsd-bugs->murray

Patch looks reasonable to me.  I will take this.

Comment 11 Xin LI freebsd_committer

2009-04-02 22:17:15 UTC

Responsible Changed
From-To: murray->delphij

Take

Comment 12 Xin LI freebsd_committer

2009-04-02 22:23:12 UTC

State Changed
From-To: analyzed->patched

Patch applied against -HEAD.

Comment 13 dfilter service freebsd_committer

2009-04-02 22:23:29 UTC

Author: delphij
Date: Thu Apr  2 21:23:04 2009
New Revision: 190656
URL: http://svn.freebsd.org/changeset/base/190656

Log:
  Don't crash when we have an invalid count number.
  
  PR:		bin/32686
  Submitted by:	Jaakko Heinonen <jh saunalahti.fi>
  MFC after:	1 week

Modified:
  head/usr.bin/locate/locate/fastfind.c

Modified: head/usr.bin/locate/locate/fastfind.c
==============================================================================
--- head/usr.bin/locate/locate/fastfind.c	Thu Apr  2 21:16:20 2009	(r190655)
+++ head/usr.bin/locate/locate/fastfind.c	Thu Apr  2 21:23:04 2009	(r190656)
@@ -216,6 +216,8 @@ fastfind
 			count += c - OFFSET;
 		}
 
+		if (count < 0 || count > MAXPATHLEN)
+			errx(1, "corrupted database: %s", database);
 		/* overlay old path */
 		p = path + count;
 		foundchar = p - 1;
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 14 dfilter service freebsd_committer

2009-04-11 15:10:58 UTC

Author: delphij
Date: Sat Apr 11 14:10:42 2009
New Revision: 190920
URL: http://svn.freebsd.org/changeset/base/190920

Log:
  MFC r190656:
  
  Fix a crash when corrupted data file is found.
  
  PR:		bin/32686
  Approved by:	re (kib)

Modified:
  stable/7/usr.bin/locate/   (props changed)
  stable/7/usr.bin/locate/locate/fastfind.c

Modified: stable/7/usr.bin/locate/locate/fastfind.c
==============================================================================
--- stable/7/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:01:01 2009	(r190919)
+++ stable/7/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:10:42 2009	(r190920)
@@ -216,6 +216,8 @@ fastfind
 			count += c - OFFSET;
 		}
 
+		if (count < 0 || count > MAXPATHLEN)
+			errx(1, "corrupted database: %s", database);
 		/* overlay old path */
 		p = path + count;
 		foundchar = p - 1;
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 15 dfilter service freebsd_committer

2009-04-11 15:13:49 UTC

Author: delphij
Date: Sat Apr 11 14:13:39 2009
New Revision: 190922
URL: http://svn.freebsd.org/changeset/base/190922

Log:
  MFC r190656:
  
  Fix a crash when corrupted data file is found.
  
  PR:             bin/32686

Modified:
  stable/6/usr.bin/locate/   (props changed)
  stable/6/usr.bin/locate/locate/fastfind.c

Modified: stable/6/usr.bin/locate/locate/fastfind.c
==============================================================================
--- stable/6/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:12:44 2009	(r190921)
+++ stable/6/usr.bin/locate/locate/fastfind.c	Sat Apr 11 14:13:39 2009	(r190922)
@@ -216,6 +216,8 @@ fastfind
 			count += c - OFFSET;
 		}
 
+		if (count < 0 || count > MAXPATHLEN)
+			errx(1, "corrupted database: %s", database);
 		/* overlay old path */
 		p = path + count;
 		foundchar = p - 1;
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 16 Xin LI freebsd_committer

2009-04-11 15:13:50 UTC

State Changed
From-To: patched->closed

Fix has been committed on all supported -STABLE branches 
(stable/7 and stable/6).

Comment 17 commit-hook freebsd_committer

2022-01-25 16:01:30 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7a74bbc41b38fc7f43d66ba868e22a97f08f660

commit b7a74bbc41b38fc7f43d66ba868e22a97f08f660
Author:     Wolfram Schneider <wosch@FreeBSD.org>
AuthorDate: 2022-01-25 15:58:29 +0000
Commit:     Wolfram Schneider <wosch@FreeBSD.org>
CommitDate: 2022-01-25 15:59:41 +0000

    stop on error and display the statstics anyway

    PR:             32686

 usr.bin/locate/locate/fastfind.c | 6 ++++++
 1 file changed, 6 insertions(+)