ports/127639: Segfault in x_realloc devel/ccache
Mel
mel.xyzzy at rachie.is-a-geek.net
Thu Sep 25 19:50:02 UTC 2008
>Number: 127639
>Category: ports
>Synopsis: Segfault in x_realloc devel/ccache
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 25 19:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Mel
>Release: FreeBSD 6.3-RELEASE-p4 amd64
>Organization:
>Environment:
System: FreeBSD smell.example.com 6.3-RELEASE-p4 FreeBSD 6.3-RELEASE-p4 #0: Tue Sep 23 13:02:08 AKDT 2008 root at smell.example.com:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
util.c:
184  this is like realloc() but dies if the malloc fails
185 */
186 void *x_realloc(void *ptr, size_t size)
187 {
188     void *p2;
189     if (!ptr) return x_malloc(size);
190     p2 = malloc(size);
191     if (!p2) {
192         fatal("out of memory in x_realloc");
193     }
194     if (ptr) {
195         memcpy(p2, ptr, size);
196         free(ptr);
197     }
198     return p2;
199 }

args.c:
38 void args_add(ARGS *args, const char *s)
39 {
40     args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *));
41     args->argv[args->argc] = x_strdup(s);
42     args->argc++;
43     args->argv[args->argc] = NULL;
44 }
Line 195 copies newsize bytes from the old pointer to the new pointer, which can produce the following backtrace:
(gdb) bt
#0 0x0000000800816b86 in memcpy () from /lib/libc.so.6
#1 0x0000000000403fec in x_realloc (ptr=0x514800, size=2056) at util.c:195
#2 0x0000000000404512 in args_add (args=0x512040,
s=0x7fffffffe2c3 "p12_key.So") at args.c:40
#3 0x00000000004045a1 in args_init (init_argc=455, init_args=0x7fffffffcf20)
at args.c:32
#4 0x0000000000402a14 in main (argc=455, argv=0x7fffffffc720) at ccache.c:564
>How-To-Repeat:
I can't reproduce this using a test like this:
ln -s ccache cc
./cc -L/usr/lib -shared `jot -w 'file%04u.So' 452 1 452`
However, the following reproduces the bug reliably:
#!/bin/sh
SRCDIR=${SRCDIR:="/usr/src"}
cd ${SRCDIR}/secure/lib/libcrypto
rm -f `make -V .OBJDIR`/libcrypto.so.4
cd ${SRCDIR}
make everything
>Fix:
The following works around the problem by using reallocf instead of
x_malloc; however, the root of the problem is likely elsewhere.
--- patch-args.c begins here ---
--- args.c.orig 2004-09-13 02:38:30.000000000 -0800
+++ args.c 2008-09-25 04:58:35.000000000 -0800
@@ -37,7 +37,13 @@
void args_add(ARGS *args, const char *s)
{
+#ifndef __FreeBSD__
args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *));
+#else
+ args->argv = reallocf((char *)args->argv, (args->argc + 2) * sizeof(char *));
+ if( args->argv == NULL )
+ fatal("out of memory in reallocf");
+#endif
args->argv[args->argc] = x_strdup(s);
args->argc++;
args->argv[args->argc] = NULL;
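Review bot: The #else branch avoids the crash at this one call site only; x_realloc() itself is left unchanged, and per the util.c excerpt its memcpy(p2, ptr, size) at line 195 copies the new size out of the old, smaller block, so any other caller that grows a buffer through x_realloc() still over-reads. Fixing x_realloc() directly (for example by calling realloc() there and keeping the fatal() on NULL) would cover all callers and make the __FreeBSD__ conditional unnecessary. In the added reallocf line, the cast (char *)args->argv does not match the char ** being assigned; drop the cast or use (char **) as the original line does.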
--- patch-args.c ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
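
An added example, not code from ccache or from this report: one way to remove the over-read at util.c:195 for every caller is to let realloc() perform the copy, since the allocator knows the old block's size. The ARGS layout, the inline stand-in for fatal(), and the names x_realloc_fixed and grow_and_check are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char **argv; int argc; } ARGS;   /* assumed layout */

/* Dies on failure like x_realloc(), but lets realloc() do the copy: the
 * allocator knows the old block's size, whereas memcpy(p2, ptr, size)
 * reads `size` bytes from an old block that is smaller than `size`. */
static void *x_realloc_fixed(void *ptr, size_t size)
{
    void *p2 = realloc(ptr, size);   /* realloc(NULL, n) acts as malloc(n) */
    if (!p2) {
        fprintf(stderr, "out of memory in x_realloc\n");  /* stand-in for fatal() */
        exit(1);
    }
    return p2;
}

/* Same growth pattern as args_add() in the report: one more slot per call. */
static void args_add(ARGS *args, const char *s)
{
    size_t len = strlen(s) + 1;
    args->argv = x_realloc_fixed(args->argv, (args->argc + 2) * sizeof(char *));
    args->argv[args->argc] = memcpy(x_realloc_fixed(NULL, len), s, len);
    args->argc++;
    args->argv[args->argc] = NULL;
}

/* Constructed input: n names like the report's jot(1) line; 1 = all intact. */
static int grow_and_check(int n)
{
    ARGS a = { NULL, 0 };
    char name[32];
    int i, ok;
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "file%04d.So", i + 1);
        args_add(&a, name);
    }
    ok = (a.argc == n && a.argv[n] == NULL);
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "file%04d.So", i + 1);
        ok = ok && strcmp(a.argv[i], name) == 0;
        free(a.argv[i]);
    }
    free(a.argv);
    return ok;
}
int main(void) { return grow_and_check(455) ? 0 : 1; }
```

Building this with AddressSanitizer and swapping in the malloc/memcpy form from util.c is a quick way to confirm the heap over-read on the first growth step.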