Bug 237368 - /bin/df ; df on more than one unmounted device coredumps
Summary: /bin/df ; df on more than one unmounted device coredumps
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-18 20:42 UTC by Jamie Landeg-Jones
Modified: 2020-11-25 03:49 UTC (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jamie Landeg-Jones 2019-04-18 20:42:15 UTC 
I realise "df on unmountd devices is deprecated", but even so, as it stands, there appears to be an invalid free, which causes coredump.

/usr/src/bin/df/df.c:

Line 276 and 277:

if (iov != NULL)
     free_iovec(&iov, &iovlen);

This is called prior to building the mount structure for nmount. If the structure has been used before, it tries to free it, but causes a coredump in the process.

To reproduce, run df on 2 or more unmounted devices (you don't actually need a real unmounted device to trigger the bug, simply doing "df /dev/*" will trigger the above codepath.

[ I tagged this "current" because it still occurs in current, but it's in 12-stable too ]

cheers, Jamie
Comment 1 WHR 2019-06-21 09:08:34 UTC 
Seems also affecting 11.2-RELEASE.
Comment 2 Jamie Landeg-Jones 2019-06-21 14:15:48 UTC 
Cheers, WHR.

Anyone listening?

I'll provide a patch to fix or remove this depracted code if required.
Comment 3 Jamie Landeg-Jones 2019-06-22 17:55:27 UTC 
See also:  https://reviews.freebsd.org/D8801
Comment 4 Conrad Meyer freebsd_committer freebsd_triage 2019-06-22 18:07:52 UTC 
IMO, removing it is a reasonable fix for CURRENT, and maybe 12 (I don't touch stable myself, though).  I can do it for CURRENT if I get an ack from a committer (e.g., Brooks), or Brooks can go ahead and do it (feel free to 'Discussed with: me' the commit).
Comment 5 WHR 2019-06-24 03:26:40 UTC 
I agree removing this feature.
Comment 6 Jamie Landeg-Jones 2019-06-24 16:16:29 UTC 
WHR, the quick fix would be:

17:15 (8) "src" jamie@thompson% diff -u bin//df/Makefile.orig bin/df/Makefile
--- bin//df/Makefile.orig       2017-03-04 11:31:08.753360000 +0000
+++ bin/df/Makefile     2019-04-18 21:54:54.741564000 +0100
@@ -10,7 +10,7 @@

 CFLAGS+= -I${MOUNT}

-CFLAGS+= -DMOUNT_CHAR_DEVS
+# CFLAGS+= -DMOUNT_CHAR_DEVS
 SRCS+= getmntopts.c

 LIBADD=        xo util
Comment 7 Jamie Landeg-Jones 2020-10-23 02:34:58 UTC 
*ping*
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-11-13 16:47:55 UTC 
A commit references this bug:

Author: markj
Date: Fri Nov 13 16:47:42 UTC 2020
New revision: 367642
URL: https://svnweb.freebsd.org/changeset/base/367642

Log:
  df: Remove support for mounting devices

  This was marked deprecated in r329092, over two and a half years ago.
  This functionality is also buggy per PR 237368.

  PR:		237368
  Reviewed by:	brooks, cem, emaste, imp
  Differential Revision:	https://reviews.freebsd.org/D27197

Changes:
  head/bin/df/Makefile
  head/bin/df/df.1
  head/bin/df/df.c
Comment 9 Mark Johnston freebsd_committer freebsd_triage 2020-11-13 18:10:31 UTC 
I'm sorry that it took a while to get this resolved.  I just went ahead and deleted the code in question.

I'm not sure what to do on stable/12.  We probably shouldn't merge the removal.  If there's a patch which fixes the bug I can apply it there, but existing releases will still have the bug, so I'm not sure it's worth the effort at this point.
Comment 10 Mark Johnston freebsd_committer freebsd_triage 2020-11-24 21:37:47 UTC 
(In reply to Mark Johnston from comment #9)
Since there was no feedback I will leave things be on stable/12.
Comment 11 Jamie Landeg-Jones 2020-11-25 03:49:26 UTC 
(In reply to Mark Johnston from comment #10)

Apologies, I missed the notification of your updates.

Thanks for doing this.

As you say, may as well leave FreeBSD 11/12 as they are.

Cheers, Jamie