Return to BSD News archive
Newsgroups: comp.unix.bsd Path: sserve!manuel!munnari.oz.au!uunet!spool.mu.edu!agate!dog.ee.lbl.gov!hellgate.utah.edu!fcom.cc.utah.edu!cs.weber.edu!terry From: terry@cs.weber.edu (A Wizard of Earth C) Subject: 386BSD PATCH KIT BETA INDEX.1of2 Message-ID: <1992Oct4.111827.9255@fcom.cc.utah.edu> Sender: news@fcom.cc.utah.edu Reply-To: terry@icarus.weber.edu Organization: Weber State University (Ogden, UT) Date: Sun, 4 Oct 92 11:18:27 GMT Lines: 429 Here is the part one of the file "INDEX.Beta-1" from the patch kit: ------------------------ cut here -------------------------- TITLE: INDEX AUTHOR: Terry Lambert (terry@icarus.weber.edu) VERSION: Beta-1 DATE: 03 Oct 92 There are a total of 58 patches. This is a list of all patches and their effects. patch00001 PATCH: PATCH NEEDED FOR KERNEL REBUILD TO SUCCEED AUTHOR: Chris G. Demetriou (cgd@fuzzface.chaos.org) DESCRIPTION: Many people who have made their own kernel configurations have discovered that their kernel won't build until they change their Makefile to include a reference to vers.o (missing symbol _version). Also, the version number was not updated each time the kernel was rebuilt. patch00002 PATCH: BIG MEMORY HANG AUTHOR: William Jolitz (withheld) DESCRIPTION: Because of the number of kernel map entries being to small and an inappropriate calculation for the number of buffer pages, it was possible for the kernel to hang if you had more than 8 Meg of memory installed in your system. patch00003 PATCH: INCORRECT CMOS RAM SIZE CAUSES CRASH AUTHOR: Terry Lambert (terry@icarus.weber.edu) DESCRIPTION: This patch fixes the problem encountered on HP Vectra, AT&T 6386E/33 WGS, AT&T StarServer E, and AT&T 6386/25 WGS systems where the CMOS RAM size is not what was expected. It also has fixes to allow running small kernels in 640K, and warns the user of conditions which may cause the kernel to fail to boot correctly. patch00004 PATCH: FIRST SECTOR IN MULTISECTOR READ IN BAD144 TABLE AUTHOR: Frank Maclachlan (fpm@crash.cts.com) DESCRIPTION: The bad144 table search code at finds the sector in the bad144 table and replaces the block number, cylinder, head, and sector addresses with values corresponding to the replacement sector. The sector count register is loaded with the number of sectors in the entire transfer. This is wrong; it *MUST* be set to *one* sector. A read would return the wrong data in sectors after the first; a write would *overwrite* other replacement sectors or even the bad144 table on the last track. patch00005 PATCH: WHATIS COREDUMP AUTHOR: Andrew Moore (alm@netcom.com) DESCRIPTION: The whatis program had two unitinitialized pointers which would cause it to core dump sporadically depending on the initial stack contents. patch00006 PATCH: CRASH FOR PARENT (.) REFERENCE AFTER CHROOT AUTHOR: Christoph Robitschko (chmr@fstgs01.tu-graz.ac.at) DESCRIPTION: When chroot() was used to change the apparent root directory for a process, a reference to "./", the parent directory of the new "root" directory, the system "panic"ed. patch00007 PATCH: GREENMAN BUGFIX KIT AUTHOR: David Greenman (davidg@agora.uucp) DESCRIPTION: 1. Buffers were being immediately aged after read, greatly reducing file system performance. 2. The file system buffer cache hash calculation resulted in hash collision occuring 100% of the time. 3. File system buffers were allocated twice. They were also deallocated twice, so there was not a memory leak, but freebufspace was incorrect and too much memory was being used. 4. Unnecessary call to swapout_threads in the vm system. patch00008 PATCH: MAN PATHBUF OVER 1K AUTHOR: James W. Dolter DESCRIPTION: In the function config.c:cadd() the pointer bp isn't recalculated when the pathbuf needs to be realloced. If realloc moves the storage 'bp' is left hanging. The bug manifests itself when you modify man.conf such that the pathbuf expands beyond 1k. patch00009 PATCH: MBUF ALLOCATION FLAGS AUTHOR: Wolfgang Solfrank (ws@tools.de) DESCRIPTION: While the flags in sys/mbuf.h define M_DONTWAIT and M_WAIT in terms of M_NOWAIT and M_WAITOK, these flags are only used for the kernel malloc. But the actual code in kern/uipc_mbuf.h uses kmem_malloc, which has only a parameter canwait. This parameter has just the opposite meaning from the flag values above. This may result in occasional hangs of the system (if mbuf allocation with M_DONTWAIT is called which may result in a wait) or panics or other nasty things (if called with M_WAIT which may return a NULL pointer that is not expected and as such not tested by the calling code). patch00010 PATCH: SCROLLING BACKWORDS ON CONSOLE CAUSES CRASH AUTHOR: Frank Maclachlan (fpm@crash.cts.com) DESCRIPTION: I was horrified whilst scrolling backwards in a file with the less pager at my console when my 386BSD system suddenly rebooted. Subsequent tests revealed that the system would crash whenever I scrolled rapidly backwards through this file using less. Most files won't cause the system to crash. To demonstrate the failure, do the the following (if you don't mind watching your system crash): hd /usr/mdec/bootwd >junk # create a file less junk # invoke less G # go to the end of the file ^B^B^B... # rapid repeated control B's to # scroll backwards patch00011 PATCH: COPY ON WRITE FOR TEXT PAGES AUTHOR: Paul Kranenburg (pk@cs.few.eur.nl) DESCRIPTION: The 386 does not generate a page protection fault while it is executing in supervisor mode :-(, so copy on write handling never takes place when the kernel stuffs data into a process's text- or any other non-anonymous segment. So these cases must be explicitly checked for. NOTE: This is a security hole where it is possible for any normal user with access to the debugger and read access to any suid root program to become root! You should apply this patch immediately! patch00012 PATCH: RING BUFFER LENGTH INCORRECTLY REPORTED AUTHOR: Stephen McKay (robert@psych.psy.uq.oz.au [forwarder]) DESCRIPTION: The RB_LEN() macro in /usr/include/sys/tty.h is sometimes out by 1. In particular, in the case of a buffer containing a single character at the very end, RB_LEN() would return 0. This caused ttread() to block until a 2nd character was read before delivering them both. The user would find RAW mode programs such as vi would occasionally (1 in 1024 keypresses) get "stuck" requiring a second keypress to bring it to life. patch00013 PATCH: FIX CSH SEGEMENTATION VIOLATION AUTHOR: Kevin Lahey (kml@mosquito.cis.ufl.edu) DESCRIPTION: I have run into the csh segmentation violation bug, and I was too lazy to install the simple "alloc + 4" bugfix, so I tracked it down. It seems to come about whenever you are in a directory in your account which has a pathname length which is divisable by 4, for instance, /users/kml/g. To test, create such a directory, enter it, and sorta execute alot of commands. Sooner or later, csh will die. The fix is to add one to the space allocated for a string in the dcanon() routine where it normalizes directory names which include the string defined for the environment variable 'HOME'. patch00014 PATCH: CAN'T kill -1 OR kill -15 DAEMONS STARTED IN /etc/rc AUTHOR: Paul Kranenburg (pk@cs.few.eur.nl) DESCRIPTION: The init program doesn't set up the proper signal disposition for the process (sh) it creates to run /etc/rc. While all signal handlers are reset to SIG_DFL, the signal mask is left unchanged causing SIGHUP and SIGTERM to be masked in all daemons started from /etc/rc. patch00015 PATCH: MAKE HUNG ON SINGLE "-" ARGUMENT AUTHOR: John Woods (jfw@eddie.mit.edu) DESCRIPTION: [ This is a patch rolled in from work done on 4.3Reno/NET2 ] There is a bug in the new make from 4.3Reno and also present in the Net2 release (as found on uunet). A command line argument consisting of a lone dash (-) causes an infinite loop ("make - make" was an excellent test case). patch00016 PATCH: NFS SERVER CREATE TRUNCATES FILE AUTHOR: Arne Henrik Juul (arnej@Lise.Unit.NO) DESCRIPTION: The file was always truncated if it existed. The reason why it only happens when used from certain NFS clients, is that some clients does not do a NFS create request at all if the file already exists. patch00017 PATCH: DMA SPECIAL HANDLING/DMA CHANNEL 4-7 TRANSFER COUNT AUTHOR: Frank Maclachlan (fpm@crash.cts.com) DESCRIPTION: At line 389 in isa_dmarangecheck(), the automatic variable priorpage is used without being initially set to 0. This causes the function to flag special handling for virtually all DMA transfer requests. Also, no check is made for DMA requests crossing DMA page boundaries (64k for DMA chans 0..3, 128k for DMA chans 4..7). This problem is masked by priorpage not being initialized - almost all DMA is done to/from safe 'bounce' buffers which don't cross DMA page boundaries and the data are block moved from/to the user's buffer. In line 359, nbytes is doubled by shifting it left 1 bit; it should instead be divided by 2 by shifting right 1 bit position. This occurs when any of the word mode DMA channels (4..7) is used. patch00018 PATCH: CORRECT MINOR NUMBER FOR COM PORT (SELECT FAILS) AUTHOR: Christoph Robitschko (chmr@fstgds01.tu-graz.ac.at) DESCRIPTION: I had the problem with select() not working on com ports. I got no response from a post regarding this one, so I started to look into it myself. I found out that the com driver calculates unit = minor(dev) -1; This has the following implications: /dev/com1 corresponds to COM0, /dev/com2 to COM1 (very confusing in kernel messages) It is incompatible with the config file entries com1 at..., com2 at... Unpredictible results will occur if someone puts a com0 at.. in his config file. It is incompatible with the DOS usage of COM1, COM2 (But who cares 8-) ttselect() calculates unit = minor(dev), and uses this as an index in com_tty. Because this index is different from that used in the com driver, select() on /dev/com1 looks at /dev/com2 and select() on /dev/com2 looks at an undefined entry in com_tty and returns always true. WARNING: RE-mknod /dev/com1, /dev/com2, and modify your kernel config! patch00019 PATCH: CLEAN UP SLIP INTERFACE TO KEEP FROM HANGING AUTHOR: Poul-Henning Kamp (phk@data.fls.dk) DESCRIPTION: Here is a patch to clean up the interface between the tty-drivers, in particular the com driver, and the sl# interfaces, this is not a work-around but a genuine bug-fix. Symptoms: after a number of "com#: silo overflow" SLIP ceases to work. Overview of the problem: the slip interface will disregard any notice from the tty-driver on problems (parity errors, framing errors or overruns), which basicly means the one might as well throw the packet away right away. Also overrun in the packetizing will go relatively unnotized. patch00020 PATCH: CLONES OF WESTERN DIGITAL ETHERNET CARDS FAIL CHECKSUM AUTHOR: Mike Durkin (mdurkin@tsoft.sf-bay.org) DESCRIPTION: Danpex EW-2016 is an inexpensive (US$85.) allegedly WD8013-compatible ethernet card. I have one of these cards also and after fiddling a bit with the source found that the checksum in the probe fails. I commented it out and am using the card successfully, NFS mounting to and from my Sun3s with no problems. This patch reports the failure, but doesn't fail the probe because of it. patch00021 PATCH: SECOND WD STYLE DISK, BZERO MALLOCED FOR WARM BOOT AUTHOR: Christoph Robitschko (chmr@edvz.tu-graz.ac.at) DESCRIPTION: System would not recognize second hard drive and would crash when you try to acces a second drive which is configured but not connected. I include a patch which should correct these problems. It will try to open all configured disks at boot time and print the identification strings. This patch also includes the laptop/warmboot patch the bzero's malloc'ed memory, since this memory may contain the same data between boots and cause the driver to believe the disk has already been connected. patch00022 PATCH: CHANGE RUN LEVEL (SINGLE USER/MULTIUSER/HALT) AUTHOR: Christoph Robitschko (chmr@edvz.tu-graz.ac.at) DESCRIPTION: /sbin/init did not set some internal flags correctly (Reboot, drain) This caused it to not execute /etc/rc again if the system was brought down to singleuser and the back up again. It also tried to start multiuser mode when you tried halt or reboot in singleuser (when the singleuser shell was terminated by halt/reboot). patch00023 PATCH: CLEAN UP UTMP ENTRIES, LOG TO WTMP AUTHOR: Nate Williams (osynw@terra.oscs.montana.edu) DESCRIPTION: This allows init to remove entries from the utmp file when users log out, and also adds logout information for the wtmp file. patch00024 PATCH: ENFORCE EXECUTE PERMISSIONS, MNT_NOEXEC AUTHOR: Mark Tinguely (tinguely@plains.nodak.edu) DESCRIPTION: >problem 3: I noticed that anyone could run shutdown. the permissions were > >-rwsr-x--- owner root group operator. I changed the permissions to >-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user) This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always succeeds (and tries to execute anything). But the check for a single execute bit is wrong too. I put the VOP_ACCESS back but also checked to make sure at least one execute bit is on before root can execute the file. I also checked if the filesystem was mounted for execution: patch00025 PATCH: ADD ABILITY TO EXECUTE FILES WITH "#!" MAGIC NUMBER AUTHOR: Paul Kranenburg (pk@cs.few.eur.nl) DESCRIPTION: If the first two characters of a file are "#!", this constitutes a "magic number" which indicates that the file is a shell script and that the character string following the "#!" should be executed, and that the shell script itself should be used as stdin for the program executed. patch00026 PATCH: FIX "make makedb" FOR CORRECTED "whatis.db" FILE FORMAT AUTHOR: James Jegers (jimj@miller.cs.uwm.edu) DESCRIPTION: The "whatis.db" file was in the wrong format, causing the "whatis" and "apropos" commands to fail. patch00027 PATCH: PERFORM CORRECT RANGE CHECHING ON "toupper()/tolower()" AUTHOR: Wiljo Heinen (wiljo@freeside.ki.open.de) DESCRIPTION: The toupper() and tolower() functions did not do appropriate range checking, and would shift the value of any ASCII character passed +/- 32, respectively, without regard to whether the characters so shifted were letters or not. This corrects the problem, although, like the rest of the C library, does not take internationalized character sets into account. patch00028 PATCH: ALLOW CONSOLE REDIRECTION TO WORK AUTHOR: ? (please claim me) -- part of the X patch set DESCRIPTION: This allows writes to /dev/console to be redirected to a virtual console for things like "xterm -C" and so on. patch00029 PATCH: SIGTERM + 10 SECONDS BEFORE SIGKILL TO ALLOW NORMAL EXIT AUTHOR: ? (please claim me) -- X patch set DESCRIPTION: When changing to single user run state, send a SIGTERM to processes and give them 10 seconds to exit before sending a SIGKILL. This was added to allow normal shutdown of processes. In particular, it allows the X server to reset the screen and keyboards to normal states. ------------------------ cut here -------------------------- Terry Lambert terry@icarus.weber.edu terry_lambert@novell.com --- Any opinions in this posting are my own and not those of my present or previous employers. -- ------------------------------------------------------------------------------- "I have an 8 user poetic license" - me Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial -------------------------------------------------------------------------------