[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

URL: <http://savannah.gnu.org/bugs/?27328>

Summary: find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()
Project: findutils
Submitted by: vapier
Submitted on: Thu 27 Aug 2009 07:28:51 AM GMT
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: None
Fixed Release: None

_______________________________________________________

Details:

$ find --version
find (GNU findutils) 4.5.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Eric B. Decker, James Youngman, and Kevin Dalley.
Built using GNU gnulib version 533b27747fe3d0d67f727d4d7ba6c97f8a5b4060
Features enabled: D_TYPE O_NOFOLLOW(enabled) LEAF_OPTIMISATION FTS(FTS_CWDFD) CBO(level=2)

$ find app-* -name '*.ebuild' -exec grep /etc/portage/patches {} +
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Segmentation fault (core dumped)

system is x86_64, linux-2.6.30.4, gcc-4.4.1, glibc-2.10.1.
filesystem in question is ext3 mounted with rw,noatime,errors=continue,data=writeback

building findutils-4.5.5 with -O0 -g cflags gives:

$ gdb --args find app-* -name '*.ebuild' -exec grep /etc/portage/patches {} +
(gdb) r
Starting program: /usr/bin/find app-accessibility app-admin app-antivirus app-arch app-backup app-benchmarks app-cdr app-crypt app-dicts app-doc app-editors app-emacs app-emulation app-forensics app-i18n app-laptop app-misc app-mobilephone app-office app-pda app-portage app-shells app-text app-vim app-xemacs -name \*.ebuild -exec grep /etc/portage/patches \{\} +
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 20192.
Detaching after fork from child process 20193.
Detaching after fork from child process 20194.
Detaching after fork from child process 20195.
Detaching after fork from child process 20196.
Detaching after fork from child process 20197.
Detaching after fork from child process 20198.
Detaching after fork from child process 20199.
Detaching after fork from child process 20200.
Detaching after fork from child process 20201.
Detaching after fork from child process 20202.
Detaching after fork from child process 20203.
Detaching after fork from child process 20204.
Detaching after fork from child process 20205.
Detaching after fork from child process 20206.
Detaching after fork from child process 20207.
Detaching after fork from child process 20208.
Detaching after fork from child process 20209.
Detaching after fork from child process 20210.
Detaching after fork from child process 20211.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Detaching after fork from child process 20212.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000420683 in quotearg_buffer_restyled (buffer=0x6314e0 "`", buffersize=0x100, arg=0x0, argsize=0xffffffffffffffff, quoting_style=locale_quoting_style, flags=0x1, quote_these_too=0x7fffffffcb88) at quotearg.c:279
279	quotearg.c: No such file or directory.
	in quotearg.c
(gdb) bt
#0  0x0000000000420683 in quotearg_buffer_restyled (buffer=0x6314e0 "`", buffersize=0x100, arg=0x0, argsize=0xffffffffffffffff, quoting_style=locale_quoting_style, flags=0x1, quote_these_too=0x7fffffffcb88) at quotearg.c:279
#1  0x0000000000420b8c in quotearg_n_options (n=0x0, arg=0x0, argsize=0xffffffffffffffff, options=0x7fffffffcb80) at quotearg.c:704
#2  0x0000000000420d39 in quotearg_n_style (n=0x0, s=locale_quoting_style, arg=0x0) at quotearg.c:751
#3  0x0000000000407877 in launch (ctl=0x6335f0, buildstate=0x633648) at pred.c:2009
#4  0x00000000004133bc in bc_do_exec (ctl=0x6335f0, state=0x633648) at buildcmd.c:236
#5  0x0000000000413627 in bc_push_arg (ctl=0x6335f0, state=0x633648, arg=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", len=0x28, prefix=0x0, pfxlen=0x0, initial_args=0x0) at buildcmd.c:332
#6  0x0000000000404e52 in new_impl_pred_exec (dir_fd=0x7, pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x6335b0, prefix=0x0, pfxlen=0x0) at pred.c:519
#7  0x0000000000404f74 in pred_exec (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x6335b0) at pred.c:558
#8  0x000000000040caee in apply_predicate (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, p=0x6335b0) at util.c:1029
#9  0x00000000004047d3 in pred_and (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x633480) at pred.c:327
#10 0x000000000040caee in apply_predicate (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, p=0x633480) at util.c:1029
#11 0x000000000040359e in visit (p=0x6338f0, ent=0x63d360, pstat=0x7fffffffcf10) at ftsfind.c:236
#12 0x0000000000404034 in consider_visiting (p=0x6338f0, ent=0x63d360) at ftsfind.c:559
#13 0x00000000004041ed in find (arg=0x7fffffffd69e "app-misc") at ftsfind.c:634
#14 0x0000000000404272 in process_all_startpoints (argc=0x20, argv=0x7fffffffd190) at ftsfind.c:651
#15 0x000000000040443c in main (argc=0x21, argv=0x7fffffffd188) at ftsfind.c:748
(gdb) bt full
#0  0x0000000000420683 in quotearg_buffer_restyled (buffer=0x6314e0 "`", buffersize=0x100, arg=0x0, argsize=0xffffffffffffffff, quoting_style=locale_quoting_style, flags=0x1, quote_these_too=0x7fffffffcb88) at quotearg.c:279
        i = 0x0
        len = 0x1
        quote_string = 0x429464 "'"
        quote_string_len = 0x1
        backslash_escapes = 0x1
        unibyte_locale = 0x0
        elide_outer_quotes = 0x0
#1  0x0000000000420b8c in quotearg_n_options (n=0x0, arg=0x0, argsize=0xffffffffffffffff, options=0x7fffffffcb80) at quotearg.c:704
        size = 0x100
        val = 0x6314e0 "`"
        flags = 0x1
        qsize = 0x0
        e = 0x0
        n0 = 0x0
        sv = 0x630c10
#2  0x0000000000420d39 in quotearg_n_style (n=0x0, s=locale_quoting_style, arg=0x0) at quotearg.c:751
        o = {
          style = locale_quoting_style,
          flags = 0x0,
          quote_these_too = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
        }
#3  0x0000000000407877 in launch (ctl=0x6335f0, buildstate=0x633648) at pred.c:2009
        wait_status = 0x8b
        child_pid = 0x4ef4
        first_time = 0x0
        execp = 0x6335e8
        __PRETTY_FUNCTION__ = "launch"
#4  0x00000000004133bc in bc_do_exec (ctl=0x6335f0, state=0x633648) at buildcmd.c:236
        r = 0x0
        divider = 0xffffffec
        swapped_out = 0x7ffff7fd2010 "grep"
        argc_orig = 0xb64
        argv_orig = 0x63de40
        initial_args = 0x63ddb0
        i = 0x2
        pos = 0xffffffec
        done = 0x0
        argc_current = 0x0
#5  0x0000000000413627 in bc_push_arg (ctl=0x6335f0, state=0x633648, arg=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", len=0x28, prefix=0x0, pfxlen=0x0, initial_args=0x0) at buildcmd.c:332
No locals.
#6  0x0000000000404e52 in new_impl_pred_exec (dir_fd=0x7, pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x6335b0, prefix=0x0, pfxlen=0x0) at pred.c:519
        execp = 0x6335e8
        len = 0x27
#7  0x0000000000404f74 in pred_exec (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x6335b0) at pred.c:558
No locals.
#8  0x000000000040caee in apply_predicate (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, p=0x6335b0) at util.c:1029
No locals.
#9  0x00000000004047d3 in pred_and (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, pred_ptr=0x633480) at pred.c:327
No locals.
#10 0x000000000040caee in apply_predicate (pathname=0x633980 "app-misc/digitemp/digitemp-3.2.0.ebuild", stat_buf=0x7fffffffcf10, p=0x633480) at util.c:1029
No locals.
#11 0x000000000040359e in visit (p=0x6338f0, ent=0x63d360, pstat=0x7fffffffcf10) at ftsfind.c:236
        eval_tree = 0x633480
#12 0x0000000000404034 in consider_visiting (p=0x6338f0, ent=0x63d360) at ftsfind.c:559
        statbuf = {
          st_dev = 0x820,
          st_ino = 0x10e6000,
          st_nlink = 0x2,
          st_mode = 0x8000,
          st_uid = 0x3ea,
          st_gid = 0xfa,
          __pad0 = 0x0,
          st_rdev = 0x0,
          st_size = 0x1000,
          st_blksize = 0x1000,
          st_blocks = 0x8,
          st_atim = {
            tv_sec = 0x4a9632a8,
            tv_nsec = 0x0
          },
          st_mtim = {
            tv_sec = 0x63d466,
            tv_nsec = 0x633998
          },
          st_ctim = {
            tv_sec = 0x7ffff767ab1e,
            tv_nsec = 0x63d230
          },
          __unused = {0x63d360, 0x7fffffffcfe0, 0x6338f0}
        }
        mode = 0x8000
        ignore = 0x0
        isdir = 0x0
        __PRETTY_FUNCTION__ = "consider_visiting"
#13 0x00000000004041ed in find (arg=0x7fffffffd69e "app-misc") at ftsfind.c:634
        arglist = {0x7fffffffd69e "app-misc", 0x0}
        p = 0x6338f0
        ent = 0x63d360
#14 0x0000000000404272 in process_all_startpoints (argc=0x20, argv=0x7fffffffd190) at ftsfind.c:651
        i = 0x10
#15 0x000000000040443c in main (argc=0x21, argv=0x7fffffffd188) at ftsfind.c:748
        end_of_leading_options = 0x1
        eval_tree = 0x633480
(gdb)

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/bugs/?27328>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Follow-up Comment #1, bug #27328 (project findutils):

The immediate problem is these lines:

1992      /* In parent; set up for next time. */
1993      bc_clear_args(ctl, buildstate);

The effect of this is that this code...

2007	  if (WIFSIGNALED (wait_status))
2008	    {
2009	      error (0, 0, _("%s terminated by signal %d"),
2010		     quotearg_n_style(0, options.err_quoting_style,
2011				      buildstate->cmd_argv[0]),
2012		     WTERMSIG (wait_status));

... causes a SIGSEGV since buildstate->cmd_argv[0] is NULL.

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Follow-up Comment #2, bug #27328 (project findutils):

Hmm, spoke too soon. buildstate->cmd_argv[0] appears to be NULL. It looks there is a bug somewhere in the for loop in bc_do_exec, in which the success case (where "goto fin" doesn't happen) incorrectly updates the data when preparing for the next loop iteration.

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Follow-up Comment #3, bug #27328 (project findutils):

Essentially there was a bug in the code that was supposed to deal with the situation where exec fails due to an over-long command line. Since the code tries not to exceed ARG_MAX anyway, this code was rarely exercised and so nobody noticed the bug until now.

I have a patch which looks very promising, but it's large and I haven't fully tested it yet. I'll attach it to this bug RSN.

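The two things comments #1 and #3 describe (a diagnostic that reads cmd_argv[0] after the argument state has already been cleared, and a rarely exercised retry path for the case where exec rejects an over-long command line) can be modelled without findutils itself. The C below is an added example, not findutils code or the attached patch; every name in it (struct batch, run_batch, fake_spawn, demo_run, FLUSH_AT) is hypothetical, the input file names are constructed, and the "child" is simulated rather than forked. It generalises the report's single case into a batch-and-retry loop, showing the clear-then-report ordering beside the safe report-then-clear ordering, and it drives the E2BIG split path on purpose so that the otherwise dormant code is covered.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Constructed model of a "collect arguments, exec in batches" loop like the one
 * behind `find ... -exec cmd {} +`. All names (struct batch, run_batch,
 * fake_spawn, ...) are hypothetical; nothing here is findutils' buildcmd.c. */

#define MAX_ARGS 64
#define FLUSH_AT 8            /* constructed: exec after 7 collected files */

struct batch {
    const char *argv[MAX_ARGS + 1];  /* argv[0] is the command; NULL-terminated */
    int argc;
    size_t bytes;                    /* bytes the command line would occupy */
};

struct stats {
    int spawned;            /* children "run" */
    int e2big_retries;      /* times the over-long-line path was exercised */
    int signalled;          /* children reported as killed by a signal */
    char last_report[64];   /* text of the last diagnostic */
};

/* Forgets everything, argv[0] included: the kind of reset that comment #1
 * describes happening before the diagnostic is printed. */
static void batch_clear(struct batch *b) { memset(b, 0, sizeof *b); }

static void batch_reset(struct batch *b, const char *cmd)
{
    batch_clear(b);
    b->argv[0] = cmd;
    b->argc = 1;
    b->bytes = strlen(cmd) + 1;
}

static void batch_push(struct batch *b, const char *arg)
{
    if (b->argc >= MAX_ARGS) abort();
    b->argv[b->argc++] = arg;
    b->argv[b->argc] = NULL;
    b->bytes += strlen(arg) + 1;
}

/* Stand-in for fork/execvp/wait. Fails with E2BIG when the line exceeds
 * arg_max; otherwise "runs" and yields a raw wait status. The constructed
 * child dies with SIGSEGV (status 0x8b, the wait_status value in the report's
 * frame #3) whenever "crashme" is among its arguments. */
static int fake_spawn(const struct batch *b, size_t arg_max, int *wait_status)
{
    if (b->bytes > arg_max) { errno = E2BIG; return -1; }
    *wait_status = 0;
    for (int i = 1; i < b->argc; i++)
        if (strcmp(b->argv[i], "crashme") == 0) *wait_status = 0x8b;
    return 0;
}

/* The report's defect class in miniature: clear first, describe second. */
static const char *name_after_clear(struct batch *b)
{
    batch_clear(b);
    return b->argv[0];   /* NULL; handing this to quotearg is the crash in frame #0 */
}

/* Runs one batch; on E2BIG splits it in half and retries each half (the
 * rarely exercised path comment #3 refers to). The diagnostic for a signalled
 * child is built BEFORE the batch is cleared for the next round. */
static int run_batch(struct batch *b, size_t arg_max, struct stats *st)
{
    const char *cmd = b->argv[0];   /* captured while it is still valid */
    int wait_status;
    if (fake_spawn(b, arg_max, &wait_status) < 0) {
        if (errno != E2BIG || b->argc <= 2) return -1;   /* cannot shrink further */
        st->e2big_retries++;
        struct batch lo, hi;
        int mid = 1 + (b->argc - 1) / 2;
        batch_reset(&lo, cmd);
        batch_reset(&hi, cmd);
        for (int i = 1; i < mid; i++) batch_push(&lo, b->argv[i]);
        for (int i = mid; i < b->argc; i++) batch_push(&hi, b->argv[i]);
        batch_reset(b, cmd);
        if (run_batch(&lo, arg_max, st) < 0) return -1;
        return run_batch(&hi, arg_max, st);
    }
    st->spawned++;
    if (WIFSIGNALED(wait_status)) {
        st->signalled++;
        snprintf(st->last_report, sizeof st->last_report,
                 "%s terminated by signal %d", cmd, WTERMSIG(wait_status));
    }
    batch_reset(b, cmd);   /* only now is it safe to forget the arguments */
    return 0;
}

static int process_files(const char *const files[], int n, size_t arg_max, struct stats *st)
{
    struct batch b;
    memset(st, 0, sizeof *st);
    batch_reset(&b, "grep");
    for (int i = 0; i < n; i++) {
        batch_push(&b, files[i]);
        if (b.argc == FLUSH_AT && run_batch(&b, arg_max, st) < 0) return -1;
    }
    return b.argc > 1 ? run_batch(&b, arg_max, st) : 0;
}

/* Constructed input: ten "files", one of which makes the child crash. */
static struct stats demo_run(size_t arg_max)
{
    const char *files[] = { "f0", "f1", "f2", "f3", "f4", "f5", "f6",
                            "crashme", "f8", "f9" };
    struct stats st;
    if (process_files(files, 10, arg_max, &st) < 0) st.spawned = -1;
    return st;
}

static int demo_report_is(size_t arg_max, const char *expected)
{
    struct stats st = demo_run(arg_max);
    return strcmp(st.last_report, expected) == 0;
}

static const char *demo_buggy_name(void)
{
    struct batch b;
    batch_reset(&b, "grep");
    batch_push(&b, "f0");
    return name_after_clear(&b);
}

int main(void)
{
    struct stats st = demo_run(16);
    printf("spawned=%d e2big_retries=%d signalled=%d last=\"%s\"\n",
           st.spawned, st.e2big_retries, st.signalled, st.last_report);
    printf("command name after clear: %s\n", demo_buggy_name() ? "set" : "NULL");
    return 0;
}
```

With arg_max set to 16 the first seven-file batch is split twice and the crashing batch once, so five children run and the signal diagnostic is produced with a valid command name; with a large arg_max the split path is never taken. The design point is the one comment #3 makes: a branch that production traffic almost never reaches needs a test that forces it, and any state the error message depends on must be captured before the state is reset.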
[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Follow-up Comment #4, bug #27328 (project findutils):

Please try the attached patch and let me know if it resolves your problem.

(file #19150)

_______________________________________________________

Additional Item Attachment:

File name: 0001-Fix-Savannah-bug-27328-segfault-if-the-initial-exec.patch  Size: 23 KB

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Update of bug #27328 (project findutils):

Status: None => Need Info
Assigned to: None => jay

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Follow-up Comment #5, bug #27328 (project findutils):

findutils 4.5.5 freshly compiled crashes. applying just that patch and it no longer crashes.

i hit this issue a few times on and off (sometimes it'd segfault, sometimes it'd hang). when i hit these cases again, i'll try the patched find to make sure it fixes the issues.

[bug #27328] find-4.5.5 -exec + segfaults in quotearg_buffer_restyled()

Update of bug #27328 (project findutils):

Status: Need Info => Fixed

_______________________________________________________

Follow-up Comment #6:

I've applied and pushed the patch now.