Re: ANN: ncurses-6.0-20170701
From: |
Sven Joachim |
Subject: |
Re: ANN: ncurses-6.0-20170701 |
Date: |
Sat, 08 Jul 2017 07:06:57 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) |
On 2017-07-02 01:07 +0000, Thomas Dickey wrote:
> + the fixes for Redhat #1464685 obscured a problem subsequently
> reported in Redhat #1464687; the given test-case was no longer
> reproducible. Testing without the fixes for the earlier reports
> showed a problem with buffer overflow in dump_entry.c, which is
> addressed by reducing the use of a fixed-size buffer.
I can still reproduce the stack overflow in Redhat #1464687 with the
latest Debian package on i386 (but not on amd64):
,----
| $ infotocap POC4
| "POC4", line 1, col 4, terminal 'l': unknown capability 'l'
| "POC4", line 1, col 609, terminal 'l': Very long string found. Missing separator?
| "POC4", line 1, col 1147, terminal 'l': Missing separator
| "POC4", line 1, col 1147, terminal 'l': unknown % code x (0x78) in xll
| "POC4", line 1, col 1147, terminal 'l': unknown % code M-~ (0xfe) in xll
| "POC4", line 1, col 1147, terminal 'l': unknown % code M-~ (0xfe) in xll
| infotocap: value for xl is too long
| *** stack smashing detected ***: infotocap terminated
| ======= Backtrace: =========
| /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf75d837a]
| /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xf7668eb7]
| /lib/i386-linux-gnu/libc.so.6(+0xf7e78)[0xf7668e78]
| infotocap(+0xb544)[0x5665b544]
| infotocap(+0xa119)[0x5665a119]
| infotocap(+0xa1c7)[0x5665a1c7]
| infotocap(main+0xa05)[0x56652355]
| /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf7589276]
| infotocap(+0x2d27)[0x56652d27]
| ======= Memory map: ========
| 56650000-56663000 r-xp 00000000 08:16 394908
/usr/bin/tic
| 56663000-56664000 r--p 00012000 08:16 394908
/usr/bin/tic
| 56664000-56665000 rw-p 00013000 08:16 394908
/usr/bin/tic
| 568e5000-56906000 rw-p 00000000 00:00 0
[heap]
| f756f000-f7571000 rw-p 00000000 00:00 0
| f7571000-f7722000 r-xp 00000000 08:16 791435
/lib/i386-linux-gnu/libc-2.24.so
| f7722000-f7724000 r--p 001b0000 08:16 791435
/lib/i386-linux-gnu/libc-2.24.so
| f7724000-f7725000 rw-p 001b2000 08:16 791435
/lib/i386-linux-gnu/libc-2.24.so
| f7725000-f7728000 rw-p 00000000 00:00 0
| f7728000-f7748000 r-xp 00000000 08:16 811983
/lib/i386-linux-gnu/libtinfo.so.5.9
| f7748000-f7749000 ---p 00020000 08:16 811983
/lib/i386-linux-gnu/libtinfo.so.5.9
| f7749000-f774b000 r--p 00020000 08:16 811983
/lib/i386-linux-gnu/libtinfo.so.5.9
| f774b000-f774c000 rw-p 00022000 08:16 811983
/lib/i386-linux-gnu/libtinfo.so.5.9
| f774c000-f775b000 r-xp 00000000 08:16 527473
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f775b000-f775c000 r--p 0000e000 08:16 527473
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f775c000-f775d000 rw-p 0000f000 08:16 527473
/usr/lib/i386-linux-gnu/libtic.so.5.9
| f7763000-f777e000 r-xp 00000000 08:16 787642
/lib/i386-linux-gnu/libgcc_s.so.1
| f777e000-f777f000 r--p 0001a000 08:16 787642
/lib/i386-linux-gnu/libgcc_s.so.1
| f777f000-f7780000 rw-p 0001b000 08:16 787642
/lib/i386-linux-gnu/libgcc_s.so.1
| f7780000-f7784000 rw-p 00000000 00:00 0
| f7784000-f7787000 r--p 00000000 00:00 0
[vvar]
| f7787000-f7788000 r-xp 00000000 00:00 0
[vdso]
| f7788000-f77ab000 r-xp 00000000 08:16 786604
/lib/i386-linux-gnu/ld-2.24.so
| f77ab000-f77ac000 r--p 00022000 08:16 786604
/lib/i386-linux-gnu/ld-2.24.so
| f77ac000-f77ad000 rw-p 00023000 08:16 786604
/lib/i386-linux-gnu/ld-2.24.so
| ffb09000-ffb2a000 rw-p 00000000 00:00 0
[stack]
| [1] 12063 abort infotocap POC4
`----
Attached is a backtrace after recompiling tic with -O0.
Cheers,
Sven
(gdb) bt full
#0 0xf7f7faf9 in __kernel_vsyscall ()
No symbol table info available.
#1 0xf7d94dc0 in __libc_signal_restore_set (set=0xfffe9ca0) at
../sysdeps/unix/sysv/linux/nptl-signals.h:79
No locals.
#2 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
set = {__val = {0, 0, 538976288, 538976288, 538976288, 538976288,
538976288, 538976288, 538976288, 1935351840, 1801675124, 895879773, 808464436,
1714906669, 808465717, 2003968048, 807432237, 1714434096, 540028976, 825899056,
842342454, 859255863, 538976288, 538976288, 538976288, 538976288, 538976288,
538976288, 538976288, 1937059616, 1768697714, 862531426}}
pid = <optimized out>
tid = <optimized out>
ret = 0
#3 0xf7d96287 in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x756e696c, sa_sigaction =
0x756e696c}, sa_mask = {__val = {1852255608, 1768697717, 1667458914,
1932424031, 170995311, 929445734, 808464440, 1714906669, 808477495, 2003968048,
807432237, 808464432, 540028976, 809119792, 540024880, 1714906634, 808477495,
929443120, 812005222, 1914712112, 544222509, 808464432, 808464432, 976236576,
807415856, 538976288, 538976288, 538976288, 538976288, 538976288, 0, 4096}},
sa_flags = -136836986, sa_restorer = 0xfffe9f00}
sigs = {__val = {32, 0 <repeats 31 times>}}
#4 0xf7dd037f in __libc_message (do_abort=<optimized out>, fmt=<optimized
out>) at ../sysdeps/posix/libc_fatal.c:175
ap = <optimized out>
fd = 4
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#5 0xf7e60eb7 in __GI___fortify_fail (msg=0xf7ec863b "stack smashing
detected") at fortify_fail.c:30
No locals.
#6 0xf7e60e78 in __stack_chk_fail () at stack_chk_fail.c:28
No locals.
#7 0x56562614 in __stack_chk_fail_local ()
No symbol table info available.
#8 0x56560907 in fmt_entry (tterm=0x565723d0, pred=0x5655e42d
<dump_predicate>, content_only=0, suppress_untranslatable=0, infodump=0,
numbers=0) at ../../progs/dump_entry.c:1224
i = 361
j = 4214
buffer =
"%p1%{10}%/%{16}%*%p1%{10}%m%+\\266xli\\377%xn79llN%p0%{10}%/%{16}%*%p0%{10}%m%+ll=%p0%{10}%/%{16}%*%p0%{10}%m%+\\251W=%p/%{10}%/%{16}%*%p/%{10}%m%+\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276\\276"...
capability = 0x56571dba
"%p1%{10}%/%{16}%*%p1%{10}%m%+\266xli\377%xn79llN%p0%{10}%/%{16}%*%p0%{10}%m%+ll=%p0%{10}%/%{16}%*%p0%{10}%m%+\251W=%p/%{10}%/%{16}%*%p/%{10}%m%+",
'\276' <repeats 65 times>...
name = 0xf7f3adac "xl"
predval = 1
len = 2287
num_bools = 0
num_values = 0
num_strings = 362
outcount = true
#9 0x565610f5 in dump_entry (tterm=0x565723d0, suppress_untranslatable=0,
limited=1, numbers=0, pred=0x0) at ../../progs/dump_entry.c:1460
save_tterm = {term_names = 0x0, str_table = 0x0, Booleans = 0x0,
Numbers = 0x0, Strings = 0x0, ext_str_table = 0x0, ext_Names = 0x0,
num_Booleans = 0, num_Numbers = 0, num_Strings = 0, ext_Booleans = 0,
ext_Numbers = 0, ext_Strings = 0}
len = 0
critlen = 1023
legend = 0x56566fa6 "older termcap"
infodump = false
#10 0x56558a68 in main (argc=2, argv=0xffffd384) at ../../progs/tic.c:1031
j = -1
len = 0
my_tmpname = '\000' <repeats 2097 times>...
my_altfile = '\000' <repeats 3617 times>...
v_opt = -1
debug_level = 0
smart_defaults = 1
termcap = 0x0
qp = 0x565723d0
this_opt = -1
last_opt = 63
outform = 2
sortmode = 4
width = 60
height = 65535
formatted = false
literal = false
numbers = 0
forceresolve = false
limited = true
tversion = 0x0
source_file = 0xffffd558 "POC4"
outdir = 0x0
check_only = false
suppress_untranslatable = false
quickdump = 0
quiet = false
wrap_strings = false
(gdb)