NetBSD's funopen (libc) seemingly the cause of "pkg audit -F" segfault

[John Marino <netbsd%marino.st@localhost>]

On my NetBSD 7.0.1/amd64 on virtualbox, when I try the command "pkg -d 
audit -F", pkg segfaults.  It's trying to fetch the vulnerabilities 
file.  This is unique to NetBSD.

By using both the base gdb and the pkgsrc gdb, it indicates that the 
result of funopen call points to inaccessible memory:

https://github.com/freebsd/pkg/blob/release-1.8/external/libfetch/http.c#L340

On DragonFly, gdb shows the value of the FILE structure after this line 
is executed, but on NetBSD the gdb print command fails.

Here's the log:
> #0  0x00007f7ff4cf3c41 in fread () from /usr/lib/libc.so.12
> No symbol table info available.
> #1  0x00007f7ff762b4a3 in pkg_fetch_file_to_fd (repo=0x0,
>     url=0x7f7ff7b03580 "http://muscles.dragonflybsd.org/pkgsrc-vuxml/vuln.xml.bz2";, dest=4, t=0x7f7fffffcfb0, offset=0, size=-1) at fetch.c:654
>         remote = 0xfffffffff4f65e20
>         u = 0x7f7ff7b1c400
>         st = {size = 294125, atime = 1479067247, mtime = 1479067247}
>         done = 0
>         r = 531
>         max_retry = 3
>         retry = 3
>         fetch_timeout = 30
>         buf = <error reading variable buf (Cannot access memory at address 0x7f7fffffa710)>
>         doc = 0x7f7ff7b260c0 "/pkgsrc-vuxml/vuln.xml.bz2"
>         docpath = <error reading variable docpath (Cannot access memory at address 0x7f7fffffa310)>
>         retcode = 0
>         zone = <error reading variable zone (Cannot access memory at address 0x7f7fffffa200)>
>         srv_current = 0x0
>         http_current = 0x0
>         sz = 294125
>         buflen = 10240
>         left = 294125
>         pkg_url_scheme = false
>         fetchOpts = 0x7f7ff7b04280
> #2  0x00007f7ff7629d42 in pkg_fetch_file_tmp (repo=0x0,
>     url=0x7f7ff7b03580 "http://muscles.dragonflybsd.org/pkgsrc-vuxml/vuln.xml.bz2";, dest=0x7f7fffffd0e0 "/tmp/vuln.xml.bz2.AKCLnH8l", t=1479067247)
>     at fetch.c:100
>         fd = 4
>         retcode = 3
> #3  0x00007f7ff762fb16 in pkg_audit_fetch (
>     src=0x7f7ff7b03580 "http://muscles.dragonflybsd.org/pkgsrc-vuxml/vuln.xml.bz2";, dest=0x7f7fffffd5e0 "/var/db/pkgng/vuln.xml") at pkg_audit.c:268
>         fd = -1
>         outfd = -1
>         tmp = "/tmp/vuln.xml.bz2.AKCLnH8l", '\000' <repeats 78 times>, "C\243\317\364\\+\341\330\000\000\000\000\000\000\000\000\377\003\000\000\000\000\000\000`\302\366\364\177\177\000\000\061/B\000\000\000\000\000\000\250\365\364\177\177\000\000\070\324\377\377\177\177\000\000\340\325\377\377\177\177\000\000k\354\312\364\177\177", '\000' <repeats 18 times>, "\366\325\377\377\177\177\000\000\000\000\000\000"...
>         tmpdir = 0x7f7ff77edf48 "/tmp"
>         retcode = 3
>         t = 0
>         st = {st_dev = 0, st_mode = 1479141903, st_ino = 4, st_nlink = 0,
>           st_uid = 0, st_gid = 0, st_rdev = 0, st_atim = {tv_sec = 0,
>             tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {
>             tv_sec = 0, tv_nsec = 0}, st_birthtim = {tv_sec = 0, tv_nsec = 0},
>           st_size = 0, st_blocks = 0, st_blksize = 0, st_flags = 0,
>           st_gen = 0, st_spare = {0, 0}}
>         cbdata = {out = 0,
>           fname = 0x9ea02ecccc187bdf <error: Cannot access memory at address 0x9ea02ecccc187bdf>,
>           dest = 0x7f7ff4cc0e2d <__swrite> "AUATUSH\203\354\bH\211\373H\211\365I\211\324H\205\377\017\204\241"}
> #4  0x00000000004083cd in exec_audit (argc=0, argv=0x7f7fffffdcf0)
>     at audit.c:169
>         audit = 0x7f7ff7b070e0
>         db = 0x0
>         it = 0x0
>         pkg = 0x0
>         db_dir = 0x7f7ff7b050a0 "/var/db/pkgng"
>         name = 0x7f7fffffda30 ""
>         version = 0x40fbf6 <set_globals+110> "\017\266\300\211\005\355-\""
>         audit_file_buf = "/var/db/pkgng/vuln.xml\000\000CBi\367\177\177", '\000' <repeats 19 times>, "\354\377\367\177\177\000\000P'c\000\000\000\000\000\030UB\000\000\000\000\000\005\000\000\000\000\000\000\000}-\300\367\177\177\000\000C\243\317\364\\+\341\330\000\000\000\000\000\000\000\000P'c\000\000\000\000\000\030UB\000\000\000\000\000\250\326\377\377\177\177\000\000\001\000\000\000\000\000\000\000X\222\266\367\177\177\000\000\001\000\000\000\000\000\000\000\306\316\313\364\177\177\000\000P'c\000\000\000\000\000\030UB\000\000\000\000\000\005\000\000\000\000\000\000\000z\021\314\364\177\177\000\000\000\354\377\367\177\177\000\000"...
>         audit_file = 0x7f7fffffd5e0 "/var/db/pkgng/vuln.xml"
>         vuln = 0
>         fetch = true
>         recursive = false
>         ch = -1
>         i = 0
>         ret = 0
>         portaudit_site = 0x7f7ff7b03580 "http://muscles.dragonflybsd.org/pkgsrc-vuxml/vuln.xml.bz2";
>         sb = 0x7f7ff7b0a100
>         check = 0x0
>         longopts = {{name = 0x4230df "fetch", has_arg = 0, flag = 0x0,
>             val = 70}, {name = 0x4230e5 "file", has_arg = 1, flag = 0x0,
>             val = 102}, {name = 0x4230ea "recursive", has_arg = 0, flag = 0x0,
>             val = 114}, {name = 0x4230f4 "quiet", has_arg = 0, flag = 0x0,
>             val = 113}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
> #5  0x0000000000412e30 in main (argc=2, argv=0x7f7fffffdce0) at main.c:855
>         i = 3
>         command = 0x631c60 <cmd+96>
>         ambiguous = 0
>         chroot_path = 0x0
>         rootdir = 0x0
>         jail_str = 0x0
>         len = 5
>         ch = -1 '\377'
>         debug = 1
>         version = 0
>         ret = 0
>         plugins_enabled = true
>         plugin_found = false
>         show_commands = false
>         activation_test = false
>         init_flags = (unknown: 0)
>         c = 0x7f7ff4f6c260 <__stack_chk_guard>
>         conffile = 0x0
>         reposdir = 0x0
>         save_argv = 0x7f7fffffdce0
>         j = 0
>         longopts = {{name = 0x4281fd "debug", has_arg = 0, flag = 0x0,
>             val = 100}, {name = 0x428203 "chroot", has_arg = 1, flag = 0x0,
>             val = 99}, {name = 0x4272d3 "config", has_arg = 1, flag = 0x0,
>             val = 67}, {name = 0x42820a "repo-conf-dir", has_arg = 1,
>             flag = 0x0, val = 82}, {name = 0x428218 "rootdir", has_arg = 1,
>             flag = 0x0, val = 114}, {name = 0x428220 "list", has_arg = 0,
>             flag = 0x0, val = 108}, {name = 0x4277e5 "version", has_arg = 0,
>             flag = 0x0, val = 118}, {name = 0x428225 "option", has_arg = 1,
>             flag = 0x0, val = 111}, {name = 0x42822c "only-ipv4", has_arg = 0,
>             flag = 0x0, val = 52}, {name = 0x428236 "only-ipv6", has_arg = 0,
>             flag = 0x0, val = 54}, {name = 0x0, has_arg = 0, flag = 0x0,
>             val = 0}}
>         __func__ = "main"


I don't understand how funopen could return this memory location(value 
of "remote" variable in log).  It seems that the result should only be 
NULL or a valid pointer to a FILE.

Does anyone have an idea how NetBSD's funopen could do this?  I don't 
really know how to progress in troubleshooting the segfault on NetBSD.

John


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus