NetBSD Problem Report #42637
From www@NetBSD.org Mon Jan 18 19:02:49 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id B793463C2B7
for <gnats-bugs@gnats.NetBSD.org>; Mon, 18 Jan 2010 19:02:49 +0000 (UTC)
Message-Id: <20100118190249.5241163C2B4@www.NetBSD.org>
Date: Mon, 18 Jan 2010 19:02:49 +0000 (UTC)
From: joachim.kuebart@gmail.com
Reply-To: joachim.kuebart@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Shell tab completion crashes due to libedit stack smashing
X-Send-Pr-Version: www-1.0
>Number: 42637
>Category: lib
>Synopsis: Shell tab completion crashes due to libedit stack smashing
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 18 19:05:00 +0000 2010
>Closed-Date: Wed Jan 20 22:49:46 +0000 2010
>Last-Modified: Wed Jan 20 22:49:46 +0000 2010
>Originator: Joachim Kuebart
>Release: NetBSD-current
>Organization:
>Environment:
NetBSD yacht 5.99.23 NetBSD 5.99.23 (YACHT) #1: Mon Jan 18 07:35:40 GMT 2010 joki@yacht:/usr/obj/amd64.new/usr/src/sys/arch/amd64/compile/YACHT amd64
>Description:
When using tab completion in the shell, the shell can spontaneously dump core. This is due to stack destruction in libedit's fn_complete().
>How-To-Repeat:
On amd64, the problem happens when typing "ls /var/log/Xorg." into the shell and hitting tab (with tab completion and vi-mode turned on). Due to the nature of the problem, the trigger may be different on each machine.
>Fix:
Apply the following patch to lib/libedit/filecomplete.c. This fix corrects the size given to malloc()/alloca() to be in bytes, rather than characters, which will allocate too little space iff sizeof(Char) > 1.
Index: filecomplete.c
===================================================================
RCS file: /pub/NetBSD-CVS/src/lib/libedit/filecomplete.c,v
retrieving revision 1.17
diff -p -U8 -r1.17 filecomplete.c
--- filecomplete.c 30 Dec 2009 22:37:40 -0000 1.17
+++ filecomplete.c 18 Jan 2010 19:00:13 -0000
@@ -414,19 +414,19 @@ fn_complete(EditLine *el,
ctemp = li->cursor;
while (ctemp > li->buffer
&& !Strchr(word_break, ctemp[-1])
&& (!special_prefixes || !Strchr(special_prefixes, ctemp[-1]) ) )
ctemp--;
len = li->cursor - ctemp;
#if defined(__SSP__) || defined(__SSP_ALL__)
- temp = malloc(len + 1);
+ temp = malloc(sizeof(Char) * (len + 1));
#else
- temp = alloca(len + 1);
+ temp = alloca(sizeof(Char) * (len + 1));
#endif
(void)Strncpy(temp, ctemp, len);
temp[len] = '\0';
/* these can be used by function called in completion_matches() */
/* or (*attempted_completion_function)() */
if (point != 0)
*point = (int)(li->cursor - li->buffer);
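Review bot: in the __SSP__ branch the result of malloc(sizeof(Char) * (len + 1)) goes straight into Strncpy(temp, ctemp, len) on the next line with no NULL check visible in this hunk, so a failed allocation would be dereferenced; check temp and leave the completion path before the copy. The byte sizing itself is right for both branches, and writing it as sizeof(*temp) * (len + 1) would keep the count tied to the buffer's element type. The non-SSP branch still places a length taken from the edit line (li->cursor - ctemp), now multiplied by sizeof(Char), on the stack through alloca(), so a bound on len before the allocation is worth adding.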
>Release-Note:
>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/42637 CVS commit: src/lib/libedit
Date: Mon, 18 Jan 2010 14:17:42 -0500
Module Name: src
Committed By: christos
Date: Mon Jan 18 19:17:42 UTC 2010
Modified Files:
src/lib/libedit: filecomplete.c
Log Message:
PR/42637: Joachim Kuebart: Shell tab completion crashes due to libedit stack
smashing
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/lib/libedit/filecomplete.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Joachim Kuebart <joachim.kuebart@gmail.com>
To: gnats-bugs@NetBSD.org
Cc: Christos Zoulas <christos@netbsd.org>, lib-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: PR/42637 CVS commit: src/lib/libedit
Date: Wed, 20 Jan 2010 21:55:41 +0000
On 18.01.2010 19:20, Christos Zoulas wrote:
> The following reply was made to PR lib/42637; it has been noted by GNATS.
>
> From: Christos Zoulas <christos@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/42637 CVS commit: src/lib/libedit
> Date: Mon, 18 Jan 2010 14:17:42 -0500
>
> Module Name: src
> Committed By: christos
> Date: Mon Jan 18 19:17:42 UTC 2010
>
> Modified Files:
> src/lib/libedit: filecomplete.c
>
> Log Message:
> PR/42637: Joachim Kuebart: Shell tab completion crashes due to libedit stack
> smashing
Thanks, this problem is now fixed.
Joachim
State-Changed-From-To: open->closed
State-Changed-By: christos@NetBSD.org
State-Changed-When: Wed, 20 Jan 2010 17:49:46 -0500
State-Changed-Why:
submitter confirms this is fixed
>Unformatted:
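The character-count versus byte-count sizing error described in the Fix section, worked through on the report's own input, as an added example that is not part of the report or of libedit's source. It assumes Char is wchar_t (a wide-character build); the break set " \t\n" and all helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

typedef wchar_t Char;  /* assumption: wide-character build, so sizeof(Char) > 1 */

/* Length in Chars of the word ending at cursor, scanning back to a break character. */
static size_t word_len(const Char *buffer, const Char *cursor, const Char *word_break)
{
    const Char *ctemp = cursor;
    while (ctemp > buffer && !wcschr(word_break, ctemp[-1]))
        ctemp--;
    return (size_t)(cursor - ctemp);
}

/* Bytes requested: pre-fix (count passed as bytes), then patched (scaled by sizeof(Char)). */
static size_t bytes_before(size_t len) { return len + 1; }
static size_t bytes_after(size_t len) { return sizeof(Char) * (len + 1); }

/* Bytes by which copying len Chars plus a terminator exceeds an allocation. */
static size_t overrun(size_t allocated, size_t len)
{
    size_t written = sizeof(Char) * (len + 1);
    return written > allocated ? written - allocated : 0;
}

/* Hypothetical helper: copy the word with byte-correct sizing and an overflow check. */
static Char *dup_word(const Char *word, size_t len)
{
    if (len >= SIZE_MAX / sizeof(Char))  /* sizeof(Char) * (len + 1) would wrap */
        return NULL;
    Char *temp = malloc(sizeof(Char) * (len + 1));
    if (temp != NULL) {
        wmemcpy(temp, word, len);
        temp[len] = L'\0';
    }
    return temp;
}

int main(void)
{
    const Char line[] = L"ls /var/log/Xorg.";  /* input from the report */
    size_t len = word_len(line, line + wcslen(line), L" \t\n");  /* constructed break set */
    Char *w = dup_word(line + wcslen(line) - len, len);
    printf("word=%ls len=%zu overrun: before=%zu after=%zu\n", w ? w : L"", len,
        overrun(bytes_before(len), len), overrun(bytes_after(len), len));
    free(w);
    return 0;
}
```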