GNU bug report logs - #28859
Segmentation fault with NULL pointer dereference in 'stty'


Package: coreutils;

Reported by: Jaeseung Choi <jschoi.2022 <at> gmail.com>

Date: Mon, 16 Oct 2017 07:14:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Mon, 16 Oct 2017 07:14:02 GMT)

Acknowledgement sent to Jaeseung Choi <jschoi.2022 <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 16 Oct 2017 07:14:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jaeseung Choi <jschoi.2022 <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Segmentation fault with NULL pointer dereference in 'stty'
Date: Mon, 16 Oct 2017 10:07:52 +0900
Dear GNU team,

While testing coreutils for a research purpose, we found the following
crash in 'stty'. Running stty with the command-line "stty eol -F AA"
raises a crash as below. We did not change any terminal setting, and
believe the bug is unrelated to any specific terminal
configuration.

jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
jason <at> ubuntu:~$ cd coreutils-8.28/
jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
jason <at> ubuntu:~/coreutils-8.28$ cd obj
jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
Reading symbols from ./src/stty...done.
(gdb) run eol -F AA
Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA

Program received signal SIGSEGV, Segmentation fault.
set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
<control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
../src/stty.c:1695
1695      else if (arg[0] == '\0' || arg[1] == '\0')
(gdb) x/i $rip
=> 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
(gdb) info reg rbx
rbx            0x0      0
(gdb)

We could reproduce the bug in coreutils from version 8.27 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
But the stty program pre-built in Debian 9.1 did not crash because
version 8.26 is currently installed in Debian.

Please let us know if you have a problem reproducing the bug.

Thank you.

Sincerely,
Jaeseung




Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Mon, 16 Oct 2017 09:32:01 GMT)

Notification sent to Jaeseung Choi <jschoi.2022 <at> gmail.com>:
bug acknowledged by developer. (Mon, 16 Oct 2017 09:32:02 GMT)

Message #10 received at 28859-done <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Jaeseung Choi <jschoi.2022 <at> gmail.com>, 28859-done <at> debbugs.gnu.org
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Mon, 16 Oct 2017 02:30:56 -0700
On 15/10/17 18:07, Jaeseung Choi wrote:
> Dear GNU team,
> 
> While testing coreutils for a research purpose, we found the following
> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
> raises a crash as below. We did not change any terminal setting, and
> believe the bug is unrelated to any specific terminal
> configuration.
> 
> jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
> jason <at> ubuntu:~$ cd coreutils-8.28/
> jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
> jason <at> ubuntu:~/coreutils-8.28$ cd obj
> jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
> ...
> jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
> Reading symbols from ./src/stty...done.
> (gdb) run eol -F AA
> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
> 
> Program received signal SIGSEGV, Segmentation fault.
> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
> <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
> ../src/stty.c:1695
> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
> (gdb) x/i $rip
> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
> (gdb) info reg rbx
> rbx            0x0      0
> (gdb)
> 
> We could reproduce the bug in coreutils from version 8.27 to 8.28.
> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
> But the stty program pre-built in Debian 9.1 did not crash because
> version 8.26 is currently installed in Debian.

This is actually an old bug which you can reproduce with -F /dev/tty.
The attached should fix it up.

thanks!
Pádraig

[stty-crash.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Mon, 16 Oct 2017 17:51:01 GMT)

Message #13 received at 28859 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: 28859 <at> debbugs.gnu.org, Pádraig Brady <P <at> draigbrady.com>, 
 jschoi.2022 <at> gmail.com
Cc: 28859-done <at> debbugs.gnu.org
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Mon, 16 Oct 2017 10:49:32 -0700
On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady <P <at> draigbrady.com> wrote:
> On 15/10/17 18:07, Jaeseung Choi wrote:
>> Dear GNU team,
>>
>> While testing coreutils for a research purpose, we found the following
>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>> raises a crash as below. We did not change any terminal setting, and
>> believe the bug is unrelated to any specific terminal
>> configuration.
>>
>> jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>> jason <at> ubuntu:~$ cd coreutils-8.28/
>> jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
>> jason <at> ubuntu:~/coreutils-8.28$ cd obj
>> jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>> ...
>> jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>> Reading symbols from ./src/stty...done.
>> (gdb) run eol -F AA
>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
>> <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
>> ../src/stty.c:1695
>> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
>> (gdb) x/i $rip
>> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
>> (gdb) info reg rbx
>> rbx            0x0      0
>> (gdb)
>>
>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>> But the stty program pre-built in Debian 9.1 did not crash because
>> version 8.26 is currently installed in Debian.
>
> This is actually an old bug which you can reproduce with -F /dev/tty.
> The attached should fix it up.

Thank you!
If it's not too hard to determine, would you please mention in the log
the commit that introduced the bug?




Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Mon, 16 Oct 2017 17:51:02 GMT)

Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Tue, 17 Oct 2017 07:38:01 GMT)

Message #19 received at 28859 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>, 28859 <at> debbugs.gnu.org,
 jschoi.2022 <at> gmail.com
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Tue, 17 Oct 2017 00:37:10 -0700
On 16/10/17 10:49, Jim Meyering wrote:
> On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady <P <at> draigbrady.com> wrote:
>> On 15/10/17 18:07, Jaeseung Choi wrote:
>>> Dear GNU team,
>>>
>>> While testing coreutils for a research purpose, we found the following
>>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>>> raises a crash as below. We did not change any terminal setting, and
>>> believe the bug is unrelated to any specific terminal
>>> configuration.
>>>
>>> jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>>> jason <at> ubuntu:~$ cd coreutils-8.28/
>>> jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
>>> jason <at> ubuntu:~/coreutils-8.28$ cd obj
>>> jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>>> ...
>>> jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>>> Reading symbols from ./src/stty...done.
>>> (gdb) run eol -F AA
>>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
>>> <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
>>> ../src/stty.c:1695
>>> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
>>> (gdb) x/i $rip
>>> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
>>> (gdb) info reg rbx
>>> rbx            0x0      0
>>> (gdb)
>>>
>>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>>> But the stty program pre-built in Debian 9.1 did not crash because
>>> version 8.26 is currently installed in Debian.
>>
>> This is actually an old bug which you can reproduce with -F /dev/tty.
>> The attached should fix it up.
> 
> Thank you!
> If it's not too hard to determine, would you please mention in the log
> the commit that introduced the bug?

Updated patch attached. I mistakenly thought getopt would
permute the argv so NULLs were at the end.  The attached
caters for NULLs interspersed in the argv[].

cheers,
Pádraig.

[stty-crash.patch (text/x-patch, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Tue, 17 Oct 2017 18:14:02 GMT)

Message #22 received at 28859 <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: Pádraig Brady <P <at> draigbrady.com>
Cc: jschoi.2022 <at> gmail.com, 28859 <at> debbugs.gnu.org
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Tue, 17 Oct 2017 11:12:48 -0700
On Tue, Oct 17, 2017 at 12:37 AM, Pádraig Brady <P <at> draigbrady.com> wrote:
> On 16/10/17 10:49, Jim Meyering wrote:
>> On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady <P <at> draigbrady.com> wrote:
>>> On 15/10/17 18:07, Jaeseung Choi wrote:
>>>> Dear GNU team,
>>>>
>>>> While testing coreutils for a research purpose, we found the following
>>>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>>>> raises a crash as below. We did not change any terminal setting, and
>>>> believe the bug is unrelated to any specific terminal
>>>> configuration.
>>>>
>>>> jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>>>> jason <at> ubuntu:~$ cd coreutils-8.28/
>>>> jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
>>>> jason <at> ubuntu:~/coreutils-8.28$ cd obj
>>>> jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>>>> ...
>>>> jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>>>> Reading symbols from ./src/stty...done.
>>>> (gdb) run eol -F AA
>>>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
>>>> <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
>>>> ../src/stty.c:1695
>>>> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
>>>> (gdb) x/i $rip
>>>> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
>>>> (gdb) info reg rbx
>>>> rbx            0x0      0
>>>> (gdb)
>>>>
>>>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>>>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>>>> But the stty program pre-built in Debian 9.1 did not crash because
>>>> version 8.26 is currently installed in Debian.
>>>
>>> This is actually an old bug which you can reproduce with -F /dev/tty.
>>> The attached should fix it up.
>>
>> Thank you!
>> If it's not too hard to determine, would you please mention in the log
>> the commit that introduced the bug?
>
> Updated patch attached. I mistakenly thought getopt would
> permute the argv so NULLs were at the end.  The attached
> caters for NULLs interspersed in the argv[].

Good catch!
One suggestion: indent the backslashes to column 72, e.g., with this patch:
[stty-nit.diff (text/plain, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Tue, 17 Oct 2017 18:29:01 GMT)

Message #25 received at 28859 <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Pádraig Brady <P <at> draigBrady.com>,
 Jim Meyering <jim <at> meyering.net>, 28859 <at> debbugs.gnu.org, jschoi.2022 <at> gmail.com
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Tue, 17 Oct 2017 11:28:51 -0700
On 10/17/2017 12:37 AM, Pádraig Brady wrote:
> +#define check_argument(arg) \
> +  if (k == n_settings - 1 || ! settings[k+1]) \
> +    { \
> +      error (0, 0, _("missing argument to %s"), quote (arg)); \
> +      usage (EXIT_FAILURE); \
> +    }
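Review bot: the macro body is a bare if statement, so a use such as `check_argument (arg); else ...` in the caller would bind that else to the macro's own `if`; wrap the body in `do { ... } while (0)` or, better, make it a static function. The macro also silently captures `k`, `n_settings` and `settings` from the enclosing scope, which is why it can only be used inside that one loop; if it stays a macro, a comment above the `#define` naming those dependencies would help the next reader. The check itself is correct for both cases discussed in this thread: `k == n_settings - 1` catches a setting at the very end of the array, and `! settings[k+1]` catches a hole where the first pass has overwritten a consumed entry with NULL.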

How about making this a static function instead of a macro? I am leery
of macros for all the usual reasons. Admittedly the static function will
also need k, n_settings, and settings as arguments; still, it seems
cleaner to me overall.

If you do keep it a macro, please put it inside a do...while so that it
doesn't cause problems as a then-part with a following else.





Information forwarded to bug-coreutils <at> gnu.org:
bug#28859; Package coreutils. (Tue, 17 Oct 2017 19:57:02 GMT)

Message #28 received at 28859 <at> debbugs.gnu.org:

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: Jim Meyering <jim <at> meyering.net>, jschoi.2022 <at> gmail.com,
 28859 <at> debbugs.gnu.org
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Tue, 17 Oct 2017 21:55:59 +0200
On Oct 17 2017, Pádraig Brady <P <at> draigBrady.com> wrote:

> Updated patch attached. I mistakenly thought getopt would
> permute the argv so NULLs were at the end.  The attached
> caters for NULLs interspersed in the argv[].

This has nothing to do with getopt, the first pass explicitly overwrites
the arguments that were already parsed.

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."
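As an added illustration of the argument handling discussed in this thread (Pádraig's point that NULLs end up interspersed in the settings array, Andreas's point that it is the first pass, not getopt, that blanks consumed entries, and Paul's suggestion of a static function in place of the check_argument macro), the following C model is example code written for this page, not coreutils' stty.c. Every name in it (has_argument, first_pass, apply_settings, run, status_of, eol_of, the apply_status enum) is hypothetical, the inputs are constructed, and only the "eol" setting and "-F DEVICE" are modelled; the real stty handles far more syntax.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a two-pass settings parser; not coreutils' code.
   All names here are hypothetical. */

enum apply_status { APPLIED = 0, MISSING_ARGUMENT = 1, UNKNOWN_SETTING = 2,
                    TOO_MANY_ARGS = 3 };

#define MAX_SETTINGS 16

/* Static-function form of the thread's check_argument macro: true when
   settings[k] is followed by an argument that both exists and was not
   blanked out (set to NULL) by the first pass. */
static bool
has_argument (char *const *settings, size_t k, size_t n_settings)
{
  return k + 1 < n_settings && settings[k + 1] != NULL;
}

/* First pass: consume "-F DEVICE" and overwrite both entries with NULL,
   which is what leaves holes in the array.  Returns the device or NULL. */
static const char *
first_pass (char **settings, size_t n_settings)
{
  const char *device = NULL;
  for (size_t k = 0; k + 1 < n_settings; k++)
    if (settings[k] != NULL && strcmp (settings[k], "-F") == 0
        && settings[k + 1] != NULL)
      {
        device = settings[k + 1];
        settings[k] = settings[k + 1] = NULL;
        k++;
      }
  return device;
}

/* Minimal control-character syntax: one character, or "^X" for
   control-X ("^?" is DEL).  Returns -1 for anything else. */
static int
parse_control_char (const char *arg)
{
  if (arg[0] != '\0' && arg[1] == '\0')
    return (unsigned char) arg[0];
  if (arg[0] == '^' && arg[1] != '\0' && arg[2] == '\0')
    return arg[1] == '?' ? 127 : (toupper ((unsigned char) arg[1]) & 0x1f);
  return -1;
}

/* Second pass: apply "eol CHAR".  Holes left by the first pass are
   skipped, and the argument is checked before anything reads it; the
   reported crash read arg[0] of a NULL at exactly this point. */
static enum apply_status
apply_settings (char *const *settings, size_t n_settings, int *eol_value)
{
  for (size_t k = 0; k < n_settings; k++)
    {
      const char *arg = settings[k];
      if (arg == NULL)
        continue;                       /* consumed by the first pass */
      if (strcmp (arg, "eol") != 0)
        return UNKNOWN_SETTING;
      if (!has_argument (settings, k, n_settings))
        return MISSING_ARGUMENT;
      *eol_value = parse_control_char (settings[++k]);
    }
  return APPLIED;
}

/* Copy an argv-style list into a mutable array and run both passes. */
static enum apply_status
run (const char *const *argv, size_t n, int *eol_value)
{
  char *settings[MAX_SETTINGS];
  if (n > MAX_SETTINGS)
    return TOO_MANY_ARGS;
  for (size_t k = 0; k < n; k++)
    settings[k] = (char *) argv[k];     /* slots are overwritten, strings never are */
  (void) first_pass (settings, n);
  return apply_settings (settings, n, eol_value);
}

/* Entry points: status only, or the resulting eol value (-1 if none). */
static enum apply_status
status_of (const char *const *argv, size_t n)
{
  int eol = -1;
  return run (argv, n, &eol);
}

static int
eol_of (const char *const *argv, size_t n)
{
  int eol = -1;
  (void) run (argv, n, &eol);
  return eol;
}
```

With the reported input, `status_of ((const char *const []) { "eol", "-F", "AA" }, 3)` returns MISSING_ARGUMENT because the first pass has turned the array into {"eol", NULL, NULL}; moving `-F AA` to the front ("-F AA eol") exercises the other branch of the check, where "eol" is the last element. The design choice worth noting is that has_argument takes the array, index and length explicitly, which is exactly the cost Paul mentions for a static function, and in exchange there is no hidden dependency on the caller's locals and no dangling-else hazard.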




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 15 Nov 2017 12:24:05 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.