NetBSD-Bugs archive


lib/54654: libedit: segfault in re_fastputc



>Number:         54654
>Category:       lib
>Synopsis:       libedit: segfault in re_fastputc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 29 10:15:01 +0000 2019
>Originator:     Sören Tempel
>Release:        libedit from 2019-10-25
>Organization:
>Environment:
Unfortunately, I use the portable version of NetBSD libedit that Jess Thrysøe distributes on Linux. However, I verified that the problem wasn't fixed in NetBSD CVS yet.
>Description:
When using libedit-enabled programs in a one-line terminal window (e.g. created using `tmux split-window -l 1`), horizontal scrolling does not work correctly if the text exceeds this one line. For example, scrolling left after exceeding this line will cause no text to be displayed. A combination of the Left Arrow, C-a, C-e and C-r key bindings will then cause a segmentation fault.

The code causing the segfault seems to be refresh.c:1101:

    el->el_display[el->el_cursor.v][el->el_cursor.h++] = c;

Presumably the horizontal cursor position causes the issue.

A valgrind output for this issue and libedit compiled with `-DDEBUG_REFRESH` can be found here: https://gist.github.com/nmeum/d76e42cf9cae84cba9bfd5d71bd83a8a

If you don't have webbrowsing capabilities, the valgrind output without `-DDEBUG_REFRESH` is way shorter and looks as follows:

    ==29962== Memcheck, a memory error detector
    ==29962== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==29962== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==29962== Command: input 
    ==29962== 
    ==29962== Invalid write of size 4
    ==29962==    at 0x4CC2C25: re_fastputc (refresh.c:1101)
    ==29962==    by 0x4CC2F2F: re_fastaddc (refresh.c:1170)
    ==29962==    by 0x4CB65D3: ed_insert (common.c:96)
    ==29962==    by 0x4CC0BA3: el_wgets (read.c:537)
    ==29962==    by 0x4CB979A: el_gets (eln.c:75)
    ==29962==    by 0x10AA61: iloop (input.c:156)
    ==29962==    by 0x10AFC0: main (input.c:286)
    ==29962==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
    ==29962== 
    ==29962== 
    ==29962== Process terminating with default action of signal 11 (SIGSEGV)
    ==29962==  Access not within mapped region at address 0x38
    ==29962==    at 0x4CC2C25: re_fastputc (refresh.c:1101)
    ==29962==    by 0x4CC2F2F: re_fastaddc (refresh.c:1170)
    ==29962==    by 0x4CB65D3: ed_insert (common.c:96)
    ==29962==    by 0x4CC0BA3: el_wgets (read.c:537)
    ==29962==    by 0x4CB979A: el_gets (eln.c:75)
    ==29962==    by 0x10AA61: iloop (input.c:156)
    ==29962==    by 0x10AFC0: main (input.c:286)
    ==29962==  If you believe this happened as a result of a stack
    ==29962==  overflow in your program's main thread (unlikely but
    ==29962==  possible), you can try to increase the size of the
    ==29962==  main thread stack using the --main-stacksize= flag.
    ==29962==  The main thread stack size used in this run was 8388608.
    ==29962== 
    ==29962== HEAP SUMMARY:
    ==29962==     in use at exit: 71,355 bytes in 127 blocks
    ==29962==   total heap usage: 196 allocs, 69 frees, 87,509 bytes allocated
    ==29962== 
    ==29962== LEAK SUMMARY:
    ==29962==    definitely lost: 0 bytes in 0 blocks
    ==29962==    indirectly lost: 0 bytes in 0 blocks
    ==29962==      possibly lost: 0 bytes in 0 blocks
    ==29962==    still reachable: 70,839 bytes in 121 blocks
    ==29962==         suppressed: 516 bytes in 6 blocks
    ==29962== Rerun with --leak-check=full to see details of leaked memory
    ==29962== 
    ==29962== For lists of detected and suppressed errors, rerun with: -s
    ==29962== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Output is from a custom libedit-enabled program, but I was able to reproduce this with other programs, e.g. sftp as well.
>How-To-Repeat:
1. Start tmux
2. Create a one-line tmux pane using tmux split-window -l 1 (requires at least tmux 2.9 with the following patch https://cvsweb.openbsd.org/src/usr.bin/tmux/tty.c?rev=1.307&content-type=text/x-cvsweb-markup)
3. Start a libedit-enabled program in this newly created tmux split (e.g. sftp)
4. Fill the line with bogus characters until horizontal scrolling is forced
5. Scroll left horizontally to see the previous input (should be empty)
6. Try a combination of the Left Arrow, C-a, C-e and C-r key bindings until it crashes, maybe type some additional characters in between
>Fix:
None.
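Added example, not part of the report above and not libedit's own code. It models a display buffer as a NULL-terminated array of heap rows of wchar_t (an assumption about the layout; the report only shows the faulting store and the valgrind trace) and shows two things a practitioner would want when triaging this trace: how the fault address 0x38 decodes to column 14 of a NULL row when wchar_t is 4 bytes, and what a bounds-checked version of the `el_display[v][h++] = c` store looks like, which refuses a cursor row or column outside the allocated display instead of dereferencing a NULL row. The struct and function names (`display`, `cursor`, `display_putc_checked`, `null_row_fault_addr`, `fault_column`, `one_line_scenario`) are hypothetical and chosen for the example; the check is illustrative, not a proposed libedit patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Constructed model (assumption, not libedit's layout verbatim): `rows` heap
 * rows of `cols` wide characters plus a trailing NULL sentinel pointer, so a
 * cursor that has wrapped past the last allocated row hits a NULL row. */
struct display {
    int rows, cols;
    wchar_t **line;   /* rows + 1 entries; line[rows] == NULL */
};

struct cursor { int v, h; };

void display_free(struct display *d)
{
    if (d == NULL) return;
    for (int i = 0; i < d->rows; i++) free(d->line[i]);
    free(d->line);
    free(d);
}

struct display *display_alloc(int rows, int cols)
{
    struct display *d = calloc(1, sizeof *d);
    if (d == NULL) return NULL;
    d->rows = rows;
    d->cols = cols;
    d->line = calloc((size_t)rows + 1, sizeof *d->line);
    if (d->line == NULL) { free(d); return NULL; }
    for (int i = 0; i < rows; i++) {
        d->line[i] = calloc((size_t)cols + 1, sizeof **d->line);
        if (d->line[i] == NULL) { display_free(d); return NULL; }
    }
    d->line[rows] = NULL;   /* sentinel row */
    return d;
}

/* Address an unchecked `line[v][h] = c` would touch when line[v] is NULL:
 * just the column offset from address zero (h * sizeof(wchar_t)).
 * Returns 0 when the row is a real, allocated row or v is out of range. */
uintptr_t null_row_fault_addr(const struct display *d, struct cursor c)
{
    if (c.v < 0 || c.v > d->rows || d->line[c.v] != NULL) return 0;
    return (uintptr_t)c.h * sizeof(wchar_t);
}

/* Recover the column index from a NULL-derived fault address; -1 if the
 * address is not a multiple of the element size. 0x38 / 4 == 14. */
long fault_column(uintptr_t addr, size_t elem_size)
{
    if (elem_size == 0 || addr % elem_size != 0) return -1;
    return (long)(addr / elem_size);
}

/* Bounds-checked counterpart of the faulting store: rejects a cursor outside
 * the allocated display and leaves the cursor unchanged. 0 on success. */
int display_putc_checked(struct display *d, struct cursor *c, wchar_t ch)
{
    if (c->v < 0 || c->v >= d->rows || d->line[c->v] == NULL) return -1;
    if (c->h < 0 || c->h >= d->cols) return -1;
    d->line[c->v][c->h++] = ch;
    return 0;
}

/* The report's numbers in the model: a one-row display (the 1-line tmux pane)
 * and a cursor that has wrapped to row 1, column 14. Returns the address the
 * unchecked store would hit: 14 * sizeof(wchar_t), i.e. 0x38 on Linux. */
uintptr_t one_line_scenario(void)
{
    struct display *d = display_alloc(1, 80);
    if (d == NULL) return 0;
    struct cursor c = { 1, 14 };
    uintptr_t addr = null_row_fault_addr(d, c);
    display_free(d);
    return addr;
}

int main(void)
{
    uintptr_t addr = one_line_scenario();
    printf("unchecked store on wrapped row would fault at %#lx (column %ld)\n",
           (unsigned long)addr, fault_column(addr, sizeof(wchar_t)));

    struct display *d = display_alloc(1, 80);
    struct cursor c = { 1, 14 };
    printf("checked store: %s\n",
           display_putc_checked(d, &c, L'x') ? "rejected" : "written");
    display_free(d);
    return 0;
}
```

The decode step is the useful triage trick: valgrind's "Address 0x38 is not stack'd, malloc'd or (recently) free'd" on a 4-byte element store is the signature of indexing a NULL base pointer, so the question becomes which row pointer was NULL and why the vertical cursor reached it, not whether the horizontal index overflowed a real buffer.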


