*BSD News Article 6019


Return to BSD News archive

Newsgroups: comp.unix.bsd
Path: sserve!manuel!munnari.oz.au!uunet!spool.mu.edu!agate!dog.ee.lbl.gov!hellgate.utah.edu!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: 386BSD PATCH KIT BETA INDEX.1of2
Message-ID: <1992Oct4.111827.9255@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Reply-To: terry@icarus.weber.edu
Organization: Weber State University  (Ogden, UT)
Date: Sun, 4 Oct 92 11:18:27 GMT
Lines: 429

Here is the part one of the file "INDEX.Beta-1" from the patch kit:
------------------------ cut here --------------------------
TITLE:		INDEX
AUTHOR:		Terry Lambert (terry@icarus.weber.edu)
VERSION:	Beta-1
DATE:		03 Oct 92


There are a total of 58 patches.
This is a list of all patches and their effects.

patch00001

PATCH:		PATCH NEEDED FOR KERNEL REBUILD TO SUCCEED
AUTHOR:		Chris G. Demetriou (cgd@fuzzface.chaos.org)
DESCRIPTION:
Many people who have made their own kernel configurations have discovered
that their kernel won't build until they change their Makefile to include
a reference to vers.o (missing symbol _version).

Also, the version number was not updated each time the kernel was rebuilt.


patch00002

PATCH:		BIG MEMORY HANG
AUTHOR:		William Jolitz (withheld)
DESCRIPTION:

	Because of the number of kernel map entries being to small
and an inappropriate calculation for the number of buffer pages, it was
possible for the kernel to hang if you had more than 8 Meg of memory
installed in your system.


patch00003

PATCH:          INCORRECT CMOS RAM SIZE CAUSES CRASH
AUTHOR:		Terry Lambert (terry@icarus.weber.edu)
DESCRIPTION:

        This patch fixes the problem encountered on HP Vectra, AT&T
6386E/33 WGS, AT&T StarServer E, and AT&T 6386/25 WGS systems where
the CMOS RAM size is not what was expected.  It also has fixes to
allow running small kernels in 640K, and warns the user of conditions
which may cause the kernel to fail to boot correctly.


patch00004
PATCH:		FIRST SECTOR IN MULTISECTOR READ IN BAD144 TABLE
AUTHOR:		Frank Maclachlan (fpm@crash.cts.com)
DESCRIPTION:

	The bad144 table search code at finds the sector in the bad144
table and replaces the block number, cylinder, head, and sector addresses
with values corresponding to the replacement sector.  The sector count
register is loaded with the number of sectors in the entire transfer.
This is wrong; it *MUST* be set to *one* sector.  A read would return
the wrong data in sectors after the first; a write would *overwrite*
other replacement sectors or even the bad144 table on the last track.


patch00005

PATCH:		WHATIS COREDUMP
AUTHOR:		Andrew Moore (alm@netcom.com)
DESCRIPTION:

	The whatis program had two unitinitialized pointers which would
cause it to core dump sporadically depending on the initial stack contents.


patch00006

PATCH:		CRASH FOR PARENT (.) REFERENCE AFTER CHROOT
AUTHOR:		Christoph Robitschko (chmr@fstgs01.tu-graz.ac.at)
DESCRIPTION:

	When chroot() was used to change the apparent root directory
for a process, a reference to "./", the parent directory of the new
"root" directory, the system "panic"ed.



patch00007

PATCH:		GREENMAN BUGFIX KIT
AUTHOR:		David Greenman (davidg@agora.uucp)
DESCRIPTION:

1.	Buffers were being immediately aged after read, greatly reducing
	file system performance.
2.	The file system buffer cache hash calculation resulted in hash
	collision occuring 100% of the time.
3.	File system buffers were allocated twice.  They were also deallocated
	twice, so there was not a memory leak, but freebufspace was incorrect
	and too much memory was being used.
4.	Unnecessary call to swapout_threads in the vm system.


patch00008

PATCH:		MAN PATHBUF OVER 1K
AUTHOR:		James W. Dolter
DESCRIPTION:

	In the function config.c:cadd() the pointer bp isn't recalculated
when the pathbuf needs to be realloced.  If realloc moves the storage
'bp' is left hanging.  The bug manifests itself when you modify man.conf
such that the pathbuf expands beyond 1k.


patch00009

PATCH:		MBUF ALLOCATION FLAGS
AUTHOR:		Wolfgang Solfrank (ws@tools.de)
DESCRIPTION:

	While the flags in sys/mbuf.h define M_DONTWAIT and M_WAIT in terms
of M_NOWAIT and M_WAITOK, these flags are only used for the kernel malloc.
But the actual code in kern/uipc_mbuf.h uses kmem_malloc, which has
only a parameter canwait.  This parameter has just the opposite meaning
from the flag values above.  This may result in occasional hangs of the
system (if mbuf allocation with M_DONTWAIT is called which may result in
a wait) or panics or other nasty things (if called with M_WAIT which may
return a NULL pointer that is not expected and as such not tested by the
calling code).


patch00010

PATCH:		SCROLLING BACKWORDS ON CONSOLE CAUSES CRASH
AUTHOR:		Frank Maclachlan (fpm@crash.cts.com)
DESCRIPTION:
	I was horrified whilst scrolling backwards in a file with the less
pager at my console when my 386BSD system suddenly rebooted.  Subsequent
tests revealed that the system would crash whenever I scrolled rapidly
backwards through this file using less.

Most files won't cause the system to crash.  To demonstrate the failure,
do the the following (if you don't mind watching your system crash):

        hd /usr/mdec/bootwd >junk       # create a file
        less junk                       # invoke less
        G                               # go to the end of the file
        ^B^B^B...                       # rapid repeated control B's to
                                        #  scroll backwards


patch00011

PATCH:		COPY ON WRITE FOR TEXT PAGES
AUTHOR:		Paul Kranenburg (pk@cs.few.eur.nl)
DESCRIPTION:

	The 386 does not generate a page protection fault while it is
executing in supervisor mode :-(, so copy on write handling never takes
place when the kernel stuffs data into a process's text- or any other
non-anonymous segment.  So these cases must be explicitly checked for.

NOTE:		This is a security hole where it is possible for any
		normal user with access to the debugger and read access
		to any suid root program to become root!  You should
		apply this patch immediately!


patch00012

PATCH:		RING BUFFER LENGTH INCORRECTLY REPORTED
AUTHOR:		Stephen McKay (robert@psych.psy.uq.oz.au [forwarder])
DESCRIPTION:

	The RB_LEN() macro in /usr/include/sys/tty.h is sometimes out by 1.
In particular, in the case of a buffer containing a single character at the
very end, RB_LEN() would return 0.  This caused ttread() to block until a
2nd character was read before delivering them both.  The user would find
RAW mode programs such as vi would occasionally (1 in 1024 keypresses) get
"stuck" requiring a second keypress to bring it to life.


patch00013

PATCH:		FIX CSH SEGEMENTATION VIOLATION
AUTHOR:		Kevin Lahey (kml@mosquito.cis.ufl.edu)
DESCRIPTION:
I have run into the csh segmentation violation bug, and I was too lazy to
install the simple "alloc + 4" bugfix, so I tracked it down.  It seems to come
about whenever you are in a directory in your account which has a pathname
length which is divisable by 4, for instance,  /users/kml/g.  To test,
create such a directory, enter it, and sorta execute alot of commands.
Sooner or later, csh will die.

The fix is to add one to the space allocated for a string in the
dcanon() routine where it normalizes directory names which include
the string defined for the environment variable 'HOME'.


patch00014

PATCH:          CAN'T kill -1 OR kill -15 DAEMONS STARTED IN /etc/rc
AUTHOR:         Paul Kranenburg (pk@cs.few.eur.nl)
DESCRIPTION:

        The init program doesn't set up the proper signal disposition for
the process (sh) it creates to run /etc/rc.  While all signal handlers are
reset to SIG_DFL, the signal mask is left unchanged causing SIGHUP and
SIGTERM to be masked in all daemons started from /etc/rc.


patch00015

PATCH:		MAKE HUNG ON SINGLE "-" ARGUMENT
AUTHOR:		John Woods (jfw@eddie.mit.edu)
DESCRIPTION:

[ This is a patch rolled in from work done on 4.3Reno/NET2 ]

There is a bug in the new make from 4.3Reno and also present in the Net2
release (as found on uunet).  A command line argument consisting of a lone
dash (-) causes an infinite loop ("make - make" was an excellent test case).


patch00016

PATCH:		NFS SERVER CREATE TRUNCATES FILE
AUTHOR:		Arne Henrik Juul (arnej@Lise.Unit.NO)
DESCRIPTION:

The file was always truncated if it existed. The reason why it only
happens when used from certain NFS clients, is that some clients does
not do a NFS create request at all if the file already exists.


patch00017

PATCH:		DMA SPECIAL HANDLING/DMA CHANNEL 4-7 TRANSFER COUNT
AUTHOR:		Frank Maclachlan (fpm@crash.cts.com)
DESCRIPTION:

At line 389 in isa_dmarangecheck(), the automatic variable priorpage
is used without being initially set to 0.  This causes the function
to flag special handling for virtually all DMA transfer requests.
Also, no check is made for DMA requests crossing DMA page boundaries
(64k for DMA chans 0..3, 128k for DMA chans 4..7).  This problem is
masked by priorpage not being initialized - almost all DMA is done
to/from safe 'bounce' buffers which don't cross DMA page boundaries
and the data are block moved from/to the user's buffer.

In line 359, nbytes is doubled by shifting it left 1 bit; it
should instead be divided by 2 by shifting right 1 bit position.
This occurs when any of the word mode DMA channels (4..7) is used.


patch00018

PATCH:		CORRECT MINOR NUMBER FOR COM PORT (SELECT FAILS)
AUTHOR:		Christoph Robitschko (chmr@fstgds01.tu-graz.ac.at)
DESCRIPTION:

I had the problem with select() not working on com ports. I got no
response from a post regarding this one, so I started to look into it
myself. I found out that the com driver calculates unit = minor(dev) -1;
This has the following implications:
        /dev/com1 corresponds to COM0, /dev/com2 to COM1 (very confusing
                in kernel messages)
        It is incompatible with the config file entries com1 at..., com2 at...
        Unpredictible results will occur if someone puts a com0 at.. in
                his config file.
        It is incompatible with the DOS usage of COM1, COM2 (But who cares 8-)
        ttselect() calculates unit = minor(dev), and uses this as an index in
                com_tty. Because this index is different from that used
                in the com driver, select() on /dev/com1 looks at
                /dev/com2 and select() on /dev/com2 looks at an undefined
                entry in com_tty and returns always true.

WARNING: RE-mknod /dev/com1, /dev/com2, and modify your kernel config!


patch00019

PATCH:		CLEAN UP SLIP INTERFACE TO KEEP FROM HANGING
AUTHOR:		Poul-Henning Kamp (phk@data.fls.dk)
DESCRIPTION:

Here is a patch to clean up the interface between the tty-drivers, in
particular the com driver, and the sl# interfaces, this is not a work-around
but a genuine bug-fix.

Symptoms: after a number of "com#: silo overflow" SLIP ceases to work.

Overview of the problem:  the slip interface will disregard any notice
from the tty-driver on problems (parity errors, framing errors or overruns),
which basicly means the one might as well throw the packet away right away.
Also overrun in the packetizing will go relatively unnotized.


patch00020

PATCH:		CLONES OF WESTERN DIGITAL ETHERNET CARDS FAIL CHECKSUM
AUTHOR:		Mike Durkin (mdurkin@tsoft.sf-bay.org)
DESCRIPTION:
Danpex EW-2016 is an inexpensive (US$85.) allegedly WD8013-compatible
ethernet card.

I have one of these cards also and after fiddling a bit with the source
found that the checksum in the probe fails.  I commented it out and am
using the card successfully, NFS mounting to and from my Sun3s with no
problems.

This patch reports the failure, but doesn't fail the probe because of it.


patch00021

PATCH:		SECOND WD STYLE DISK, BZERO MALLOCED FOR WARM BOOT
AUTHOR:		Christoph Robitschko (chmr@edvz.tu-graz.ac.at)
DESCRIPTION:
	System would not recognize second hard drive and would crash when
you try to acces a second drive which is configured but not connected.
I include a patch which should correct these problems.  It will try to
open all configured disks at boot time and print the identification strings.

	This patch also includes the laptop/warmboot patch the bzero's
malloc'ed memory, since this memory may contain the same data between
boots and cause the driver to believe the disk has already been connected.


patch00022

PATCH:		CHANGE RUN LEVEL (SINGLE USER/MULTIUSER/HALT)
AUTHOR:		Christoph Robitschko (chmr@edvz.tu-graz.ac.at)
DESCRIPTION:
	/sbin/init did not set some internal flags correctly (Reboot, drain)
This caused it to not execute /etc/rc again if the system was brought down
to singleuser and the back up again.  It also tried to start multiuser mode
when you tried halt or reboot in singleuser (when the singleuser shell was
terminated by halt/reboot).


patch00023

PATCH:		CLEAN UP UTMP ENTRIES, LOG TO WTMP
AUTHOR:		Nate Williams (osynw@terra.oscs.montana.edu)
DESCRIPTION:
	This allows init to remove entries from the utmp file when users log
out, and also adds logout information for the wtmp file.


patch00024

PATCH:		ENFORCE EXECUTE PERMISSIONS, MNT_NOEXEC
AUTHOR:		Mark Tinguely (tinguely@plains.nodak.edu)
DESCRIPTION:
>problem 3: I noticed that anyone could run shutdown. the permissions were
>
>-rwsr-x--- owner root group operator. I changed the permissions to
>-r-x------ and anyone can still run it. (you get the shutdown: NOT super-user)

This is a big security hole. In 0.0, a VOP_ACCESS was used, but root always
succeeds (and tries to execute anything).  But the check for a single execute
bit is wrong too.  I put the VOP_ACCESS back but also checked to make sure
at least one execute bit is on before root can execute the file.  I also
checked if the filesystem was mounted for execution:


patch00025

PATCH:		ADD ABILITY TO EXECUTE FILES WITH "#!" MAGIC NUMBER
AUTHOR:		Paul Kranenburg (pk@cs.few.eur.nl)
DESCRIPTION:
	If the first two characters of a file are "#!", this constitutes
a "magic number" which indicates that the file is a shell script and that
the character string following the "#!" should be executed, and that the
shell script itself should be used as stdin for the program executed.


patch00026

PATCH:		FIX "make makedb" FOR CORRECTED "whatis.db" FILE FORMAT
AUTHOR:		James Jegers (jimj@miller.cs.uwm.edu)
DESCRIPTION:
	The "whatis.db" file was in the wrong format, causing the "whatis"
and "apropos" commands to fail.


patch00027

PATCH:		PERFORM CORRECT RANGE CHECHING ON "toupper()/tolower()"
AUTHOR:		Wiljo Heinen (wiljo@freeside.ki.open.de)
DESCRIPTION:
	The toupper() and tolower() functions did not do appropriate
range checking, and would shift the value of any ASCII character passed
+/- 32, respectively, without regard to whether the characters so shifted
were letters or not.  This corrects the problem, although, like the rest
of the C library, does not take internationalized character sets into account.


patch00028

PATCH:		ALLOW CONSOLE REDIRECTION TO WORK
AUTHOR:		? (please claim me) -- part of the X patch set
DESCRIPTION:
	This allows writes to /dev/console to be redirected to a virtual
console for things like "xterm -C" and so on.


patch00029

PATCH:		SIGTERM + 10 SECONDS BEFORE SIGKILL TO ALLOW NORMAL EXIT
AUTHOR:		? (please claim me) -- X patch set
DESCRIPTION:
	When changing to single user run state, send a SIGTERM to processes
and give them 10 seconds to exit before sending a SIGKILL.  This was added
to allow normal shutdown of processes.  In particular, it allows the X
server to reset the screen and keyboards to normal states.
------------------------ cut here --------------------------


					Terry Lambert
					terry@icarus.weber.edu
					terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of my present
or previous employers.
-- 
-------------------------------------------------------------------------------
                                        "I have an 8 user poetic license" - me
 Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------