From e627f1b9c5cae54e3e45d208e414b6ae62a737cd Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Tue, 23 Jun 2015 15:41:42 +0200
Subject: [PATCH 01/11] nmtree: Do not abort() in case of unknown node type

---
 contrib/mtree/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/mtree/misc.c b/contrib/mtree/misc.c
index b99f1ce..a6fc782 100644
--- a/contrib/mtree/misc.c
+++ b/contrib/mtree/misc.c
@@ -267,7 +267,7 @@ nodetoino(u_int type)
 #endif
 default:
 printf("unknown type %d", type);
- abort();
+ return(-1);
 }
 /* NOTREACHED */
 }
-- 
2.6.3

From 54cabc86053662622cc70d58a2231c86535fbaa8 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Tue, 23 Jun 2015 16:00:08 +0200
Subject: [PATCH 02/11] nmtree: Do not crash in case of new relative nodes without parents

... in invalid input files created with afl-fuzz.
---
 contrib/mtree/spec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/mtree/spec.c b/contrib/mtree/spec.c
index 0fb921d..175ad4f 100644
--- a/contrib/mtree/spec.c
+++ b/contrib/mtree/spec.c
@@ -256,6 +256,8 @@ noparent: mtree_err("no parent node");
 * (after encountering ".." entry);
 * add or replace
 */
+ if (last->parent == NULL)
+ mtree_err("new relative child without parent");
 centry->parent = last->parent;
 addchild(last->parent, centry);
 last = centry;
-- 
2.6.3

From 5893a46ccfde8c1f9dd291120f54d0edfc25fffb Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Tue, 23 Jun 2015 16:13:08 +0200
Subject: [PATCH 03/11] Add test input for the previous commit.

Not yet connected to anything.
---
 .../mtree/id:000000,sig:11,src:000000,op:havoc,rep:16 | Bin 0 -> 194 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/id:000000,sig:11,src:000000,op:havoc,rep:16
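Review bot: `return(-1)` after the `printf` in the `default:` case turns an unknown node type into an in-band return value, but nothing in the hunk shows a caller that checks for it, and if nodetoino's return type is unsigned (the signature is outside the hunk) -1 wraps to a large value that is hard to tell apart from a real mode. The existing diagnostic also goes to stdout with `%d` and no trailing newline, so a run that now exits normally may never show it. The project's fatal-error helper, visible in the next patch as `mtree_err("no parent node")`, fits better than a bare printf: replace both the `printf` and the `return` with `mtree_err("unknown type %d", type);`, assuming mtree_err is printf-like and does not return. The enclosing function starts before the hunk.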
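Review bot: The new guard rejects the malformed entry without naming it, which is exactly the information needed when reading a fuzz-derived input file back; since `centry->name` is live at this point, `mtree_err("new relative child %s without parent", centry->name);` would make the failure self-locating, assuming mtree_err is printf-like. The check also relies on `last` itself being non-NULL; the `noparent:` label in the hunk header suggests that case is rejected earlier in spec(), which starts and ends outside the hunk.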
diff --git a/contrib/netbsd-tests/usr.sbin/mtree/id:000000,sig:11,src:000000,op:havoc,rep:16 b/contrib/netbsd-tests/usr.sbin/mtree/id:000000,sig:11,src:000000,op:havoc,rep:16 new file mode 100644 index 0000000000000000000000000000000000000000..a98e461cb491723483a0f0d7c29590718ec3debd GIT binary patch literal 194 zcmY#Z&|}muPAyR=sVqpfP0P$lRVd9&u~lF&FjPnfG7Jq247v0aAONf;C9_DOBr`YF z*3eSV!qmXPfJ)SFR literal 0 HcmV?d00001 -- 2.6.3 From 79b1db3f76176492883d45a85c79e1649816a8f3 Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Tue, 23 Jun 2015 17:04:46 +0200 Subject: [PATCH 04/11] Add another mtree test input that can cause mtree to segfault (gdb) r Starting program: /usr/sbin/mtree -C -f id:000013,sig:06,src:000248,op:ext_AO,pos:24 Program received signal SIGSEGV, Segmentation fault. 0x0000000800f08024 in __je_arena_dalloc_bin_locked (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, mapelm=0x8018000c0) at jemalloc_arena.c:1888 warning: Source file is more recent than executable. 1888 size = bin_info->reg_size; (gdb) where #0 0x0000000800f08024 in __je_arena_dalloc_bin_locked (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, mapelm=0x8018000c0) at jemalloc_arena.c:1888 #1 0x0000000800f08983 in __je_arena_dalloc_bin (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, pageind=12, mapelm=0x8018000c0) at jemalloc_arena.c:1917 #2 0x0000000800f08a07 in __je_arena_dalloc_small (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, pageind=12) at jemalloc_arena.c:1933 #3 0x0000000800f1fdfe in __je_arena_dalloc (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, try_tcache=true) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:1046 #4 __je_idalloct (ptr=0x80180c040, try_tcache=true) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:898 #5 __je_iqalloct (ptr=0x80180c040, try_tcache=true) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:917 #6 __je_iqalloc (ptr=0x80180c040) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:924 #7 ifree (ptr=0x80180c040) at jemalloc_jemalloc.c:1238 #8 0x0000000800f202a3 in __free (ptr=0x80180c040) at jemalloc_jemalloc.c:1313 #9 0x000000000040df20 in replacenode (cur=0x801808180, new=0x801808240) at /usr/src/usr.sbin/nmtree/../../contrib/mtree/spec.c:530 #10 0x000000000040daed in addchild (pathparent=0x8018080c0, centry=0x801808240) at 
/usr/src/usr.sbin/nmtree/../../contrib/mtree/spec.c:781 #11 0x000000000040cbb0 in spec (fp=0x801271fe0) at /usr/src/usr.sbin/nmtree/../../contrib/mtree/spec.c:238 #12 0x000000000040bf83 in main (argc=0, argv=0x7fffffffe820) at /usr/src/usr.sbin/nmtree/../../contrib/mtree/mtree.c:303 --- .../mtree/id:000013,sig:06,src:000248,op:ext_AO,pos:24 | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/id:000013,sig:06,src:000248,op:ext_AO,pos:24 diff --git a/contrib/netbsd-tests/usr.sbin/mtree/id:000013,sig:06,src:000248,op:ext_AO,pos:24 b/contrib/netbsd-tests/usr.sbin/mtree/id:000013,sig:06,src:000248,op:ext_AO,pos:24 new file mode 100644 index 0000000..32e843a --- /dev/null +++ b/contrib/netbsd-tests/usr.sbin/mtree/id:000013,sig:06,src:000248,op:ext_AO,pos:24 @@ -0,0 +1,11 @@ + . +/set type=file uid=1 sha1digest= type=dir time=19.85000 + + ./in +in uid=000 + + ./in +in type=dir time=19.0 + + ./in +30 \ No newline at end of file -- 2.6.3 From 53f9ad1686c27b5d0287f8d4f8d19e1692366e19 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 23 Jun 2015 17:14:00 +0200 Subject: [PATCH 05/11] Another mtree test input file that causes an undiagnosed crash (gdb) r Starting program: /usr/sbin/mtree -C -f id:000013,sig:06,src:000248,op:ext_AO,pos:24 Program received signal SIGSEGV, Segmentation fault. 0x0000000800f08024 in __je_arena_dalloc_bin_locked (arena=0x8014000c0, chunk=0x801800000, ptr=0x80180c040, mapelm=0x8018000c0) at jemalloc_arena.c:1888 warning: Source file is more recent than executable. 1888 size = bin_info->reg_size; (gdb) where --- .../mtree/id:000017,sig:06,src:000207,op:ext_AO,pos:8 | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/id:000017,sig:06,src:000207,op:ext_AO,pos:8 
diff --git a/contrib/netbsd-tests/usr.sbin/mtree/id:000017,sig:06,src:000207,op:ext_AO,pos:8 b/contrib/netbsd-tests/usr.sbin/mtree/id:000017,sig:06,src:000207,op:ext_AO,pos:8 new file mode 100644 index 0000000..8d1aa4d --- /dev/null +++ b/contrib/netbsd-tests/usr.sbin/mtree/id:000017,sig:06,src:000207,op:ext_AO,pos:8 @@ -0,0 +1,12 @@ + . +/set sha1 ile gid=1001 +. type=dir time=19.85000 + + timuid=1001 gid=1001 +. type=dir time=19.0 + + time=14.45300 + ir time=14.4 + m + timuid=1001 gid=1001 +. type=dir time=19.siz \ No newline at end of file -- 2.6.3 From 2b34098523e2c99e353b2e71b53f9feb442026a6 Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Tue, 23 Jun 2015 18:13:12 +0200 Subject: [PATCH 06/11] Add mtree test case that causes a use after free fk@r500 /usr/src $valgrind mtree -C -f /usr/jails/porttest/home/fk/fuzz/mtree/out/crashes/id\:000016,* ==18515== Memcheck, a memory error detector ==18515== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==18515== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==18515== Command: mtree -C -f /usr/jails/porttest/home/fk/fuzz/mtree/out/crashes/id:000016,sig:10,src:000163,op:ext_AO,pos:178 ==18515== ==18515== Invalid read of size 4 ==18515== at 0x40C6F9: spec (spec.c:160) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== Address 0x5c019bc is 172 bytes inside a block of size 186 free'd ==18515== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==18515== by 0x40E065: replacenode (spec.c:537) ==18515== by 0x40DAEC: addchild (spec.c:781) ==18515== by 0x40CC8A: spec (spec.c:262) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== ==18515== Invalid read of size 4 ==18515== at 0x40C70D: spec (spec.c:160) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== Address 0x5c019b8 is 168 bytes inside a block of size 186 free'd ==18515== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==18515== by 0x40E065: replacenode (spec.c:537) ==18515== by 0x40DAEC: addchild (spec.c:781) ==18515== by 0x40CC8A: spec (spec.c:262) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== ==18515== Invalid read of size 4 ==18515== at 0x40C74A: spec (spec.c:165) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== Address 0x5c019b8 is 168 bytes inside a block of size 186 free'd ==18515== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==18515== by 0x40E065: replacenode (spec.c:537) ==18515== by 0x40DAEC: addchild (spec.c:781) ==18515== by 0x40CC8A: spec (spec.c:262) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== ==18515== Invalid 
write of size 4 ==18515== at 0x40C756: spec (spec.c:165) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== Address 0x5c019b8 is 168 bytes inside a block of size 186 free'd ==18515== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==18515== by 0x40E065: replacenode (spec.c:537) ==18515== by 0x40DAEC: addchild (spec.c:781) ==18515== by 0x40CC8A: spec (spec.c:262) ==18515== by 0x40BF82: main (mtree.c:303) ==18515== . type=dir gid=1001 ./in type=dir gid=1001 time=39.000000008 ./in/m gid=1001 size=0 time=10.000000045 ==18515== ==18515== HEAP SUMMARY: ==18515== in use at exit: 8,765 bytes in 10 blocks ==18515== total heap usage: 33 allocs, 23 frees, 9,618 bytes allocated ==18515== ==18515== LEAK SUMMARY: ==18515== definitely lost: 188 bytes in 2 blocks ==18515== indirectly lost: 385 bytes in 6 blocks ==18515== possibly lost: 0 bytes in 0 blocks ==18515== still reachable: 8,192 bytes in 2 blocks ==18515== suppressed: 0 bytes in 0 blocks ==18515== Rerun with --leak-check=full to see details of leaked memory ==18515== ==18515== For counts of detected and suppressed errors, rerun with: -v ==18515== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0) --- .../mtree/id:000016,sig:10,src:000163,op:ext_AO,pos:178 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/id:000016,sig:10,src:000163,op:ext_AO,pos:178 diff --git a/contrib/netbsd-tests/usr.sbin/mtree/id:000016,sig:10,src:000163,op:ext_AO,pos:178 b/contrib/netbsd-tests/usr.sbin/mtree/id:000016,sig:10,src:000163,op:ext_AO,pos:178 new file mode 100644 index 0000000..ad72c69 --- /dev/null +++ b/contrib/netbsd-tests/usr.sbin/mtree/id:000016,sig:10,src:000163,op:ext_AO,pos:178 @@ -0,0 +1,14 @@ +# . +/set sha1digest=001 gid=1001 +. type=dir sha1digest=0 + +# ./in +in type=dir sha1digest=00 + m size=0 time=10.45 sha1digest=da3 sha256digest=e3b +.. + + +# t +in type=dir time=39.8 +.. + -- 2.6.3 
From 1e0b1a8601e774781a1d4246881be9165a20c66d Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Wed, 24 Jun 2015 13:36:37 +0200 Subject: [PATCH 07/11] contrib/netbsd-tests: Add test input file that results in invalid reads valgrind mtree -C -f id\:000031\,src\:000360\,op\:ext_AO\,pos\:460 ==8435== Memcheck, a memory error detector ==8435== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==8435== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==8435== Command: mtree -C -f id:000031,src:000360,op:ext_AO,pos:460 ==8435== ==8435== Invalid read of size 4 ==8435== at 0x40CBFA: spec (spec.c:245) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== Address 0x5c014bc is 172 bytes inside a block of size 186 free'd ==8435== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==8435== by 0x40E065: replacenode (spec.c:538) ==8435== by 0x40DAEC: addchild (spec.c:782) ==8435== by 0x40CBAF: spec (spec.c:238) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== ==8435== Invalid read of size 8 ==8435== at 0x40CC4F: spec (spec.c:259) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== Address 0x5c01410 is 0 bytes inside a block of size 186 free'd ==8435== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==8435== by 0x40E065: replacenode (spec.c:538) ==8435== by 0x40DAEC: addchild (spec.c:782) ==8435== by 0x40CBAF: spec (spec.c:238) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== ==8435== Invalid read of size 8 ==8435== at 0x40CC71: spec (spec.c:261) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== Address 0x5c01410 is 0 bytes inside a block of size 186 free'd ==8435== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==8435== by 0x40E065: replacenode (spec.c:538) ==8435== by 0x40DAEC: addchild (spec.c:782) ==8435== by 0x40CBAF: spec (spec.c:238) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== ==8435== Invalid read of size 8 ==8435== at 0x40CC7F: spec (spec.c:262) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== Address 
0x5c01410 is 0 bytes inside a block of size 186 free'd ==8435== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==8435== by 0x40E065: replacenode (spec.c:538) ==8435== by 0x40DAEC: addchild (spec.c:782) ==8435== by 0x40CBAF: spec (spec.c:238) ==8435== by 0x40BF82: main (mtree.c:303) ==8435== . ./in ./9.0 ==8435== ==8435== HEAP SUMMARY: ==8435== in use at exit: 8,755 bytes in 6 blocks ==8435== total heap usage: 21 allocs, 15 frees, 9,399 bytes allocated ==8435== ==8435== LEAK SUMMARY: ==8435== definitely lost: 190 bytes in 2 blocks ==8435== indirectly lost: 373 bytes in 2 blocks ==8435== possibly lost: 0 bytes in 0 blocks ==8435== still reachable: 8,192 bytes in 2 blocks ==8435== suppressed: 0 bytes in 0 blocks ==8435== Rerun with --leak-check=full to see details of leaked memory ==8435== ==8435== For counts of detected and suppressed errors, rerun with: -v ==8435== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0) --- contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_paths.in | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_paths.in diff --git a/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_paths.in b/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_paths.in new file mode 100644 index 0000000..edd21c1 --- /dev/null +++ b/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_paths.in @@ -0,0 +1,4 @@ +. +./in +./in +9.0 -- 2.6.3 From 798d49e2de05e1283f7f89b3b2e16df2b74876ce Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Wed, 24 Jun 2015 15:31:16 +0200 Subject: [PATCH 08/11] contrib/netbsd-tests: Add test input file that results in crashes due to use after free valgrind /usr/sbin/mtree -C -f id\:000000\,sig\:10\,src\:000187\,op\:havoc\,rep\:4 ==10193== Memcheck, a memory error detector ==10193== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==10193== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==10193== Command: /usr/sbin/mtree -C -f id:000000,sig:10,src:000187,op:havoc,rep:4 ==10193== ==10193== Invalid read of size 4 ==10193== at 0x40CBFA: spec (spec.c:245) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== Address 0x5c014bc is 172 bytes inside a block of size 187 free'd ==10193== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==10193== by 0x40E065: replacenode (spec.c:537) ==10193== by 0x40DAEC: addchild (spec.c:781) ==10193== by 0x40CC8A: spec (spec.c:262) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== ==10193== Invalid read of size 8 ==10193== at 0x40CC4F: spec (spec.c:259) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== Address 0x5c01410 is 0 bytes inside a block of size 187 free'd ==10193== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==10193== by 0x40E065: replacenode (spec.c:537) ==10193== by 0x40DAEC: addchild (spec.c:781) ==10193== by 0x40CC8A: spec (spec.c:262) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== ==10193== Invalid read of size 8 ==10193== at 0x40CC71: spec (spec.c:261) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== Address 0x5c01410 is 0 bytes inside a block of size 187 free'd ==10193== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==10193== by 0x40E065: replacenode (spec.c:537) ==10193== by 0x40DAEC: addchild (spec.c:781) ==10193== by 0x40CC8A: spec (spec.c:262) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== ==10193== Invalid read of size 8 ==10193== at 
0x40CC7F: spec (spec.c:262) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== Address 0x5c01410 is 0 bytes inside a block of size 187 free'd ==10193== at 0x4C2F2DC: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==10193== by 0x40E065: replacenode (spec.c:537) ==10193== by 0x40DAEC: addchild (spec.c:781) ==10193== by 0x40CC8A: spec (spec.c:262) ==10193== by 0x40BF82: main (mtree.c:303) ==10193== (gdb) r Starting program: /usr/sbin/mtree -C -f id:000000,sig:10,src:000187,op:havoc,rep:4 Breakpoint 1, addchild (pathparent=0x8018080c0, centry=0x801808240) at /usr/src/usr.sbin/nmtree/../../contrib/mtree/spec.c:781 781 replacenode(samename, centry); (gdb) n 782 if (samename == replacepos) { (gdb) n 784 return; (gdb) p centry $1 = (NODE *) 0x801808240 (gdb) p samename $2 = (NODE *) 0x801808180 (gdb) p *centry $3 = {parent = 0x5a5a5a5a5a5a5a5a, child = 0x5a5a5a5a5a5a5a5a, prev = 0x5a5a5a5a5a5a5a5a, next = 0x5a5a5a5a5a5a5a5a, st_size = 6510615555426900570, st_mtim = {tv_sec = 6510615555426900570, tv_nsec = 6510615555426900570}, slink = 0x5a5a5a5a5a5a5a5a , st_uid = 1515870810, st_gid = 1515870810, st_mode = 23130, st_rdev = 1515870810, st_flags = 6510615555426900570, st_nlink = 23130, cksum = 6510615555426900570, md5digest = 0x5a5a5a5a5a5a5a5a , rmd160digest = 0x5a5a5a5a5a5a5a5a , sha1digest = 0x5a5a5a5a5a5a5a5a , sha256digest = 0x5a5a5a5a5a5a5a5a , sha384digest = 0x5a5a5a5a5a5a5a5a , sha512digest = 0x5a5a5a5a5a5a5a5a , tags = 0x5a5a5a5a5a5a5a5a , lineno = 6510615555426900570, flags = 1515870810, type = 1515870810, name = "Z"} (gdb) c Continuing. Program received signal SIGBUS, Bus error. 0x000000000040d9b4 in addchild (pathparent=0x5a5a5a5a5a5a5a5a, centry=0x80180c100) at /usr/src/usr.sbin/nmtree/../../contrib/mtree/spec.c:735 735 cur = pathparent->child; --- contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_crash.in | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_crash.in 
diff --git a/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_crash.in b/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_crash.in
new file mode 100644
index 0000000..f249c11
--- /dev/null
+++ b/contrib/netbsd-tests/usr.sbin/mtree/d_convert_duplicate_crash.in
@@ -0,0 +1,4 @@
+.
+bla
+bla
+ÀÀÀÀÀÀÀÀK
-- 
2.6.3

From f526397c4a1338184265302f79e8f5c48180fb9d Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 24 Jun 2015 15:36:38 +0200
Subject: [PATCH 09/11] nmtree: Fix crashes due to use after-free in case of duplicated files.

Needs more testing.
---
 contrib/mtree/spec.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/mtree/spec.c b/contrib/mtree/spec.c
index 175ad4f..a503321 100644
--- a/contrib/mtree/spec.c
+++ b/contrib/mtree/spec.c
@@ -249,7 +249,6 @@ noparent: mtree_err("no parent node");
 */
 centry->parent = last;
 addchild(last, centry);
- last = centry;
 } else {
 /*
 * new relative child in parent dir
-- 
2.6.3

From 308545d9a2565d18ac5e72a4659356e5bcf28ed3 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 24 Jun 2015 18:25:29 +0200
Subject: [PATCH 10/11] nmtree: Try to fix segfaults and use-after-frees in case of merged entries

---
 contrib/mtree/spec.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/contrib/mtree/spec.c b/contrib/mtree/spec.c
index a503321..7f53c9d 100644
--- a/contrib/mtree/spec.c
+++ b/contrib/mtree/spec.c
@@ -100,7 +100,7 @@ static dev_t parsedev(char *);
 static void replacenode(NODE *, NODE *);
 static void set(char *, NODE *);
 static void unset(char *, NODE *);
-static void addchild(NODE *, NODE *);
+static NODE * addchild(NODE *, NODE *);
 static int nodecmp(const NODE *, const NODE *);
 static int appendfield(FILE *, int, const char *, ...) __printflike(3, 4);
 
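Review bot: Dropping `last = centry;` from this branch avoids the dangling pointer only by no longer descending into the node just added, so for well-formed input the next relative entry is presumably attached to the same parent instead of to the new directory, which changes how nested relative specs build the tree. The dangling value comes from addchild() merging `centry` into an existing same-named node and freeing it, so the fix is to assign whatever node addchild() keeps; that is what the later hunk at `@@ -248,7 +247,7 @@` in this series does with `last = addchild(centry->parent, centry);`. As a stand-alone commit this one should either carry that form or be folded into the next. spec() starts and ends outside the hunk.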
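Review bot: `static NODE * addchild(NODE *, NODE *);` spaces the `*` away from the name, while every neighbouring prototype in the hunk (`static dev_t parsedev(char *);`, `static int nodecmp(const NODE *, const NODE *);`) binds the declarator to the identifier; write `static NODE *addchild(NODE *, NODE *);` to match. The definition in the later hunk at `@@ -715,8 +713,9 @@` puts `static NODE *` on its own line, which is the file's style for definitions, but the prototype should still follow the declarator spacing of its neighbours.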
@@ -235,8 +235,7 @@ noparent: mtree_err("no parent node");
 * full path entry; add or replace
 */
 centry->parent = pathparent;
- addchild(pathparent, centry);
- last = centry;
+ last = addchild(pathparent, centry);
 } else if (strcmp(centry->name, ".") == 0) {
 /*
 * duplicate "." entry; always replace
@@ -248,7 +247,7 @@ noparent: mtree_err("no parent node");
 * add or replace
 */
 centry->parent = last;
- addchild(last, centry);
+ last = addchild(centry->parent, centry);
 } else {
 /*
 * new relative child in parent dir
@@ -258,8 +257,7 @@ noparent: mtree_err("no parent node");
 if (last->parent == NULL)
 mtree_err("new relative child without parent");
 centry->parent = last->parent;
- addchild(last->parent, centry);
- last = centry;
+ last = addchild(last->parent, centry);
 }
 }
 return (root);
@@ -715,8 +713,9 @@ unset(char *t, NODE *ip)
 * centry is a duplicate, call replacenode(). If centry is not
 * a duplicate, insert it into the linked list referenced by
 * pathparent->child. Keep the list sorted if Sflag is set.
+ * Return the added or merged node.
 */
-static void
+static NODE *
 addchild(NODE *pathparent, NODE *centry)
 {
 NODE *samename; /* node with the same name as centry */
@@ -735,7 +734,7 @@ addchild(NODE *pathparent, NODE *centry)
 if (cur == NULL) {
 /* centry is pathparent's first and only child node so far */
 pathparent->child = centry;
- return;
+ return centry;
 }
 
 /*
@@ -780,7 +779,7 @@ addchild(NODE *pathparent, NODE *centry)
 replacenode(samename, centry);
 if (samename == replacepos) {
 /* The just-replaced node was in the correct position */
- return;
+ return samename;
 }
 if (samename == insertpos || samename->prev == insertpos) {
 /*
@@ -788,7 +787,7 @@ addchild(NODE *pathparent, NODE *centry)
 * or just after the replaced node, but that would
 * be equivalent to just retaining the replaced node.
 */
- return;
+ return samename;
 }
 
 /*
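Review bot: The new comment line `* Return the added or merged node.` in the hunk at `@@ -715,8 +713,9 @@` omits the part callers must know: when a same-named node exists, addchild() calls `replacenode(samename, centry)`, which frees `centry` (its `free(new)` is visible in the last patch of this series), so `centry` is invalid after the call and only the returned node may be used. Suggested wording: `* Return the node that now represents centry in the tree: centry itself when it was inserted, or the existing node it was merged into; in the latter case centry has been freed and must not be touched by the caller.` The three call sites are consistent except the hunk at `@@ -248,7 +247,7 @@`, which passes `centry->parent` where the other two pass the parent directly; `last = addchild(last, centry);` would read the same as its siblings. spec() and addchild() both extend beyond the hunks.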
@@ -828,7 +827,7 @@ addchild(NODE *pathparent, NODE *centry)
 if (centry->next)
 centry->next->prev = centry;
 }
- return;
+ return centry;
 }
 
 /*
-- 
2.6.3

From ba2808abd4c1e2b3e3c3151f438601021619efbe Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 24 Jun 2015 21:03:44 +0200
Subject: [PATCH 11/11] mtree: Zero our new in replacenode().

Incomplete and may not be necessary.
---
 contrib/mtree/spec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/mtree/spec.c b/contrib/mtree/spec.c
index 7f53c9d..b5b4b0b 100644
--- a/contrib/mtree/spec.c
+++ b/contrib/mtree/spec.c
@@ -531,6 +531,7 @@ replacenode(NODE *cur, NODE *new)
 REPLACESTR(tags);
 REPLACE(lineno);
 REPLACE(flags);
+ memset(new, 0, sizeof(*new));
 free(new);
 }
 
-- 
2.6.3
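Review bot: `memset(new, 0, sizeof(*new));` immediately before `free(new)` removes no dangling reference; it only changes what a stale pointer reads from the old contents to zeros until the allocator reuses the block, so a use-after-free turns into a NULL dereference or a silently zero field rather than being fixed. The gdb output quoted in an earlier commit message of this series already shows the freed node filled with what looks like the allocator's `0x5a` junk pattern, which gives the same fail-fast effect without this line. If it stays, label it so it is not mistaken for a correctness fix: `/* Debug aid: poison the merged node so stale pointers fail fast. */`. replacenode() starts outside the hunk.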