
Options parsing causes memory errors when using refuse library #26

Open
GoogleCodeExporter opened this issue Apr 11, 2015 · 5 comments

@GoogleCodeExporter

Reported by Thomas Klausner.

Hi!

After all the bug reports you've been sending us, I thought I'd give
fuse-zip a try and built it on NetBSD :)

I needed the attached patch to make it compile; the header doesn't
exist on NetBSD and removing it didn't stop the compilation.

However, when I try to mount a file system, I get:
# ./work.x86_64/fuse-zip-0.2.11/fuse-zip /tmp/test.zip /mnt
Memory fault (core dumped)
# gdb  ./work.x86_64/fuse-zip-0.2.11/fuse-zip fuse-zip.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64--netbsd"...
Reading symbols from /usr/lib/librefuse.so.1...done.
Loaded symbols for /usr/lib/librefuse.so.1
Reading symbols from /usr/pkg/lib/libzip.so.1...done.
Loaded symbols for /usr/pkg/lib/libzip.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libstdc++.so.7...done.
Loaded symbols for /usr/lib/libstdc++.so.7
Reading symbols from /usr/lib/libm.so.0...done.
Loaded symbols for /usr/lib/libm.so.0
Reading symbols from /usr/lib/libgcc_s.so.1...done.
Loaded symbols for /usr/lib/libgcc_s.so.1
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /usr/lib/libpuffs.so.1...done.
Loaded symbols for /usr/lib/libpuffs.so.1
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
Core was generated by `fuse-zip'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000402b8c in process_arg (data=0x40aa40,
    arg=0x7f7ffffff6b7 "/tmp/test.zip", key=-2, outargs=0x7f7fffffd380)
    at fuse-zip.cpp:572
572                 ++param->strArgCount;
(gdb) bt
#0  0x0000000000402b8c in process_arg (data=0x40aa40,
    arg=0x7f7ffffff6b7 "/tmp/test.zip", key=-2, outargs=0x7f7fffffd380)
    at fuse-zip.cpp:572
#1  0x00007f7ffd8034a2 in fuse_opt_parse (args=0x7f7fffffd380,
    data=<value optimized out>, opts=0x40aa40, proc=0x402b14 <process_arg>)
    at /archive/cvs/src/lib/librefuse/refuse_opt.c:298
#2  0x00000000004028f7 in main (argc=3, argv=0x7f7fffffd3e8)
    at fuse-zip.cpp:617
(gdb) fr 0
#0  0x0000000000402b8c in process_arg (data=0x40aa40,
    arg=0x7f7ffffff6b7 "/tmp/test.zip", key=-2, outargs=0x7f7fffffd380)
    at fuse-zip.cpp:572
572                 ++param->strArgCount;
(gdb) l
567                 param->version = true;
568                 return KEEP;
569             }
570
571             case FUSE_OPT_KEY_NONOPT: {
572                 ++param->strArgCount;
573                 switch (param->strArgCount) {
574                     case 1: {
575                         // zip file name
576                         param->fileName = arg;
(gdb) p param
$1 = (fusezip_param *) 0x40aa40
(gdb) p *param
$2 = {help = 22, version = 170, strArgCount = 0,
  fileName = 0xffffffff <Address 0xffffffff out of bounds>}

Any ideas?

Cheers,
 Thomas

[patch-aa  text/plain (243B)]
$NetBSD$

--- fuse-zip.cpp.orig   2010-01-26 12:00:17.000000000 +0000
+++ fuse-zip.cpp
@@ -34,7 +34,6 @@
 #include <unistd.h>
 #include <limits.h>
 #include <syslog.h>
-#include <sys/xattr.h>
 #include <sys/types.h>
 #include <sys/statvfs.h>
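Review bot: the header is removed unconditionally rather than guarded. That is only safe if nothing in fuse-zip.cpp still relies on the xattr declarations from `<sys/xattr.h>` on platforms where it does exist; the reporter's clean build on NetBSD shows the file compiles without it there, not that it does everywhere. If it turns out to be needed on another platform, wrap the include in a platform check such as `#ifdef __linux__` / `#endif` instead of deleting it, and add a one-line comment in the patch explaining why.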

Original issue reported on code.google.com by alexander.galanin on 16 Mar 2010 at 4:38

@GoogleCodeExporter

> After all the bug reports you've been sending us, I thought I'd give
> fuse-zip a try and built it on NetBSD :)
> 
> I needed the attached patch to make it compile; the header doesn't
> exist on NetBSD and removing it didn't stop the compilation.

This line has no effect on Linux either :) Thanks.

> However, when I try to mount a file system, I get:
> # ./work.x86_64/fuse-zip-0.2.11/fuse-zip /tmp/test.zip /mnt
> Memory fault (core dumped)

> #0  0x0000000000402b8c in process_arg (data=0x40aa40,
>     arg=0x7f7ffffff6b7 "/tmp/test.zip", key=-2, outargs=0x7f7fffffd380)
>     at fuse-zip.cpp:572
> 572                 ++param->strArgCount;

> Any ideas?

According to the comment in ReFUSE's refuse_opt.c, the author does not know how
to handle the 'data' argument in fuse_opt_parse. So the 'data' argument is passed
to fuse-zip's process_arg() uninitialized.

To fix this issue you can try to replace all occurrences of 'foo.data'
in the function fuse_opt_parse (refuse_opt.c) with 'data'. Patch:

--- refuse_opt.c-old    2010-02-05 00:02:47.000000000 +0300
+++ refuse_opt.c        2010-02-05 00:36:27.000000000 +0300
@@ -283,7 +283,7 @@
                return 0;

        if (args->argc == 1)
-               return proc(foo.data, *args->argv, FUSE_OPT_KEY_OPT, args);
+               return proc(data, *args->argv, FUSE_OPT_KEY_OPT, args);

        /* the real loop to process the arguments */
        for (i = 1; i < args->argc; i++) {
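Review bot: forwarding the caller's `data` parameter is the right direction, but the patch only touches the call sites; the never-initialised `foo.data` member should also be dropped from the helper struct (or set to `data` where `foo` is filled in) so that no other path can still hand the callback an uninitialised pointer. Separately, the `argc == 1` shortcut here passes `*args->argv`, i.e. the program name, to `proc` with `FUSE_OPT_KEY_OPT`; that is pre-existing behaviour, but a callback such as fuse-zip's `process_arg` may not expect the program name as an option.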
@@ -295,7 +295,7 @@
                if (buf[0] != '-') {

                        foo.key = FUSE_OPT_KEY_NONOPT;
-                       rv = proc(foo.data, foo.option, foo.key, args);
+                       rv = proc(data, foo.option, foo.key, args);
                        if (rv != 0)
                                break;

@@ -345,12 +345,12 @@
                                /* process help/version argument */
                                if (foo.key != KEY_VERBOSE &&
                                    foo.key != FUSE_OPT_KEY_KEEP) {
-                                       rv = proc(foo.data, foo.option,
+                                       rv = proc(data, foo.option,
                                                  foo.key, args);
                                        break;
                                } else {
                                        /* process verbose argument */
-                                       rv = proc(foo.data, foo.option,
+                                       rv = proc(data, foo.option,
                                                       foo.key, args);
                                        if (rv != 0)
                                                break;

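Review bot: the continuation line `foo.key, args);` after the second `+` in this hunk (the verbose branch) is indented five columns deeper than the same continuation in the help/version branch above it. Since both call sites are being rewritten anyway, align both continuations under the opening parenthesis of `proc(` so the two branches read identically.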
Original comment by alexander.galanin on 16 Mar 2010 at 4:39
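An added illustration of the contract the patch above restores, not code from fuse-zip or ReFUSE: a minimal fuse_opt_parse-style walker that hands the caller's `data` pointer to the callback on every path, with a callback modelled on the `process_arg` in the backtrace. All names (`my_opt_parse`, `parse_demo`, the `fuse_args_t` type) are hypothetical.

```c
/* Added example (not fuse-zip's or ReFUSE's code): the parser must pass the
 * `data` pointer it was given straight to the callback; the crash on the page
 * came from a stale, uninitialised copy (`foo.data`) being passed instead. */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define FUSE_OPT_KEY_OPT    (-1)
#define FUSE_OPT_KEY_NONOPT (-2)   /* key=-2 in the reporter's backtrace */

typedef struct { int argc; char **argv; } fuse_args_t;            /* hypothetical */
typedef int (*opt_proc_t)(void *data, const char *arg, int key, fuse_args_t *out);

typedef struct {
    bool help, version;
    int strArgCount;          /* non-option arguments seen so far */
    const char *fileName;     /* first non-option argument: the zip file */
} fusezip_param;

/* Callback in the shape of fuse-zip's process_arg: return 0 to discard the
 * argument, 1 to keep it for the underlying mount. */
static int process_arg(void *data, const char *arg, int key, fuse_args_t *out) {
    fusezip_param *param = data;     /* this is the pointer that was garbage */
    (void)out;
    if (key == FUSE_OPT_KEY_NONOPT) {
        ++param->strArgCount;
        if (param->strArgCount == 1) { param->fileName = arg; return 0; }
        return 1;                    /* mount point and the rest are kept */
    }
    if (strcmp(arg, "-h") == 0) { param->help = true; return 0; }
    if (strcmp(arg, "-V") == 0) { param->version = true; return 0; }
    return 1;
}

/* Hypothetical walker: every call site uses the `data` parameter itself. */
static int my_opt_parse(fuse_args_t *args, void *data, opt_proc_t proc) {
    if (args->argc == 1)
        return proc(data, args->argv[0], FUSE_OPT_KEY_OPT, args);
    for (int i = 1; i < args->argc; i++) {
        const char *a = args->argv[i];
        int key = (a[0] != '-') ? FUSE_OPT_KEY_NONOPT : FUSE_OPT_KEY_OPT;
        int rv = proc(data, a, key, args);
        if (rv < 0) return rv;       /* negative means error, stop parsing */
    }
    return 0;
}

/* Run the parser over the command line from the report (constructed input). */
int parse_demo(fusezip_param *p) {
    char *argv[] = { "fuse-zip", "/tmp/test.zip", "/mnt", NULL };
    fuse_args_t args = { 3, argv };
    memset(p, 0, sizeof *p);         /* zero the struct before handing it over */
    return my_opt_parse(&args, p, process_arg);
}
```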


@GoogleCodeExporter

From Thomas Klausner:

> According to the comment in ReFUSE's refuse_opt.c, the author does not know how
> to handle the 'data' argument in fuse_opt_parse. So the 'data' argument is passed
> to fuse-zip's process_arg() uninitialized.
> 
> To fix this issue you can try to replace all occurrences of 'foo.data'
> in the function fuse_opt_parse (refuse_opt.c) with 'data'. Patch:

When using this patch, I get another core dump:

Memory fault (core dumped)

gdb says:
#0  idalloc (ptr=0x7f7ffffff680) at 
/archive/cvs/src/lib/libc/stdlib/jemalloc.c:2512
2512                    size = bin->reg_size;
(gdb) bt
#0  idalloc (ptr=0x7f7ffffff680) at 
/archive/cvs/src/lib/libc/stdlib/jemalloc.c:2512
#1  0x00007f7ffc08bc73 in free (ptr=0x7f7ffffff680) at
/archive/cvs/src/lib/libc/stdlib/jemalloc.c:3867
#2  0x00007f7ffd80367d in fuse_opt_free_args (ap=0x7f7fffffd360) at
/archive/cvs/src/lib/librefuse/refuse_opt.c:143
#3  0x0000000000402665 in main ()
(gdb)

Ideas?

Original comment by alexander.galanin on 16 Mar 2010 at 4:40

@GoogleCodeExporter

Seems that the option parsing algorithm in refuse is broken. I will try to make a
patch.

Original comment by alexander.galanin on 16 Mar 2010 at 4:41

@GoogleCodeExporter

Original comment by alexander.galanin on 14 Jun 2013 at 8:50

  • Changed state: Accepted
