illumos gate

We are seeing the svccfg cores on a bit older systems after initial installation:

> ::status
debugging core file of svccfg (32-bit) from b3u27-0
file: /usr/sbin/svccfg
initial argv: svccfg cleanup
threading model: native threads
status: process terminated by SIGABRT (Abort), pid=2118 uid=0 code=-1

> ::stack
libc.so.1`_lwp_kill+0x15(1, 6, 0, 1, feb72000, feb50591)
libc.so.1`raise+0x2b(6, fef60018, fee378d0, feb72000)
libumem.so.1`umem_do_abort+0x2b(feb72000, 0, 8047868, feb466fa, feb50591, feb50813)
libumem.so.1`umem_err_recoverable+0x5a(feb50591, feb50813, 80478c8, feb507d1, 82763c8, 82763d8)
libumem.so.1`process_free+0xbf(80478c8, 1, 0, 8276f48)
libumem.so.1`umem_malloc_free+0x1a(80478c8, 82763c8, 80478c8, 8060969)
create_instance_list+0x2ae(8132e68, 1, 1000, feacd2bb, fecf0940, fef70548)
lscf_service_cleanup+0x6a1(1, 80479f4, 275, fead3936)
libscf.so.1`scf_walk_fmri+0x976(8138ac8, 0, 0, 14, 80770fa, 1)
engine_cleanup+0x40(0, 2f, 8047ab8, 8085b85)
yyparse+0x5c8(814b648, 3a10b7f8, 0, 8047b80)
engine_exec+0x34(814b648, 8093ad8, 800, 0)
main+0x144(8047b1c, fef52448, 8047b58, 805bd38, 2, 8047b7c)
_start_crt+0x97(2, 8047b7c, fefd1c00, 0, 0, 0)
_start+0x1a(2, 8047c90, 8047c97, 0, 8047c9f, 8047cb8)

> create_instance_list+0x2ae::dis
create_instance_list+0x28a:     call   -0x5e4b  <PLT=libscf.so.1`scf_snapshot_destroy>
create_instance_list+0x28f:     addl   $0x10,%esp
create_instance_list+0x292:     subl   $0xc,%esp
create_instance_list+0x295:     pushl  %ebx
create_instance_list+0x296:     call   -0x6047  <PLT=libscf.so.1`scf_instance_destroy>
create_instance_list+0x29b:     movl   %esi,(%esp)
create_instance_list+0x29e:     call   -0x62ef  <PLT=libscf.so.1`scf_iter_destroy>
create_instance_list+0x2a3:     addl   $0x4,%esp
create_instance_list+0x2a6:     pushl  -0x20(%ebp)
create_instance_list+0x2a9:     call   -0x651a  <PLT=libumem.so.1`free>
create_instance_list+0x2ae:     addl   $0x10,%esp
create_instance_list+0x2b1:     movl   %edi,%eax
create_instance_list+0x2b3:     leal   -0xc(%ebp),%esp
create_instance_list+0x2b6:     popl   %ebx
create_instance_list+0x2b7:     popl   %esi
create_instance_list+0x2b8:     popl   %edi
create_instance_list+0x2b9:     leave
create_instance_list+0x2ba:     ret
remove_string:                  pushl  %ebp
remove_string+1:                movl   %esp,%ebp
remove_string+3:                pushl  %edi

Apparently we try to free with incorrect pointer. Looking at the code, this seems to be a corner case:

static uu_list_t *
create_instance_list(scf_service_t *svc, int wohandcrafted)
{
...
        char            *instname;
...
        if (scf_iter_service_instances(inst_iter, svc) != 0) {
                switch (scf_error()) {
                case SCF_ERROR_CONNECTION_BROKEN:
                case SCF_ERROR_DELETED:
                        uu_list_destroy(instances);
                        instances = NULL;
                        goto out;
...
       }
...
out:
...
        free(instname);
...
}

So here we go "out" before allocating the instname, hence trying to free it gets us an error from libumem. The fix is to initialize instname with a NULL pointer.

Note that this gets caught if we don't silence the "maybe uninitialized" warnings:

svccfg_libscf.c: In function 'create_instance_list':
svccfg_libscf.c:16363:2: error: 'instname' may be used uninitialized in this function [-Werror=maybe-uninitialized]
16363 |  free(instname);
      |  ^~~~~~~~~~~~~~

To test the fix, I have used the resulting binary in the installation process (same as when core was observed), and while the issue is pretty intermittent, now I don't see any cores from svccfg.