NetBSD Problem Report #54399

From  Tue Jul 23 09:02:53 2019
Return-Path: <>
Received: from ( [])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "", Issuer " CA" (not verified))
	by (Postfix) with ESMTPS id CE8807A158
	for <>; Tue, 23 Jul 2019 09:02:53 +0000 (UTC)
Message-Id: <>
Date: Tue, 23 Jul 2019 09:02:52 +0000 (UTC)
Subject: [PATCH] Uninitialized memory access in libedit
X-Send-Pr-Version: www-1.0

>Number:         54399
>Category:       lib
>Synopsis:       [PATCH] Uninitialized memory access in libedit
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    christos
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 23 09:05:01 +0000 2019
>Last-Modified:  Mon Aug 05 19:05:01 +0000 2019
>Originator:     Sören Tempel
>Release:        libedit from 2019-03-24
Unfortunately, I use the portable version of netbsd libedit that Jess Thrysĝe distributes on Linux. However, I verified that the problem wasn't fix in NetBSD CVS yet.
I believe I found an uninitialized memory access in libedit's hist_get
function. The uninitialized memory access is due to the fact that the
history initialization function (hist_init) doesn't initialize the
memory for el->el_history.buf. However hist_get makes the assumption
that el->el_history.buf is always null-terminated.

If hist_get is called directly after hist_init it accesses
el->el_history.buf, even though it is not initialized, when invoking
wcsncpy(el->el_history.buf, el->el_line.buffer, EL_BUFSIZ). This is,
for instance, the case when hist_get is called through ed_next_history
using ^N directly after starting a history-enabled libedit program.
Use a history-enabled program linked against libedit, start it in valgrind and immediately press Ctrl+N. Example with sftp from OpenSSH:

$ valgrind sftp <host>
==32040== Conditional jump or move depends on uninitialised value(s)
==32040==    at 0x404ED2B: wcsncpy (wcsncpy.c:6)
==32040==    by 0x4F35376: wcsncpy (wchar.h:169)
==32040==    by 0x4F35376: hist_get (hist.c:108)
==32040==    by 0x4F32E69: ed_next_history (common.c:610)
==32040==    by 0x4F37DB3: el_wgets (read.c:538)
==32040==    by 0x4F34287: el_gets (eln.c:75)
==32040==    by 0x1118F5: ??? (in /usr/bin/sftp)
==32040==    by 0x10D070: ??? (in /usr/bin/sftp)
==32040==    by 0x401C230: libc_start_main_stage2 (__libc_start_main.c:94)
==32040==    by 0x10D115: ??? (in /usr/bin/sftp)
==32040==    by 0x1: ???
==32040==    by 0x1FFF000B9E: ???
==32040==    by 0x1FFF000BA3: ???
The following patch uses calloc(3) instead of malloc(3) in hist_init to fix the problem. Using memset after invoking malloc would also be possible. Not sure what you prefer.

diff -upr libedit-20190324-3.1.orig/src/hist.c libedit-20190324-3.1/src/hist.c
--- libedit-20190324-3.1.orig/src/hist.c        2019-07-20 21:19:08.374826681 +0200
+++ libedit-20190324-3.1/src/hist.c     2019-07-20 21:28:43.394825734 +0200
@@ -59,7 +59,7 @@ hist_init(EditLine *el)

        el-> = NULL;
        el->el_history.ref = NULL;
-       el->el_history.buf = el_malloc(EL_BUFSIZ * sizeof(*el->el_history.buf));
+       el->el_history.buf = calloc(EL_BUFSIZ, sizeof(*el->el_history.buf));
        el->  = EL_BUFSIZ;
        if (el->el_history.buf == NULL)
                return -1;


From: "Christos Zoulas" <>
Subject: PR/54399 CVS commit: src/lib/libedit
Date: Tue, 23 Jul 2019 06:18:53 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Tue Jul 23 10:18:52 UTC 2019

 Modified Files:
 	src/lib/libedit: chared.c chartype.c el.c el.h filecomplete.c hist.c
 	    keymacro.c literal.c map.c parse.c read.c readline.c search.c
 	    terminal.c vi.c

 Log Message:
 PR/54399: Sören Tempel: Uninitialized memory access in libedit history.
 Initialize the buffer using calloc. While here change all malloc(a * sizeof(b))
 to calloc(a, sizeof(b)). XXX: should fix realloc similarly.

 To generate a diff of this commit:
 cvs rdiff -u -r1.58 -r1.59 src/lib/libedit/chared.c
 cvs rdiff -u -r1.34 -r1.35 src/lib/libedit/chartype.c
 cvs rdiff -u -r1.98 -r1.99 src/lib/libedit/el.c
 cvs rdiff -u -r1.44 -r1.45 src/lib/libedit/el.h
 cvs rdiff -u -r1.55 -r1.56 src/lib/libedit/filecomplete.c
 cvs rdiff -u -r1.32 -r1.33 src/lib/libedit/hist.c
 cvs rdiff -u -r1.23 -r1.24 src/lib/libedit/keymacro.c
 cvs rdiff -u -r1.3 -r1.4 src/lib/libedit/literal.c
 cvs rdiff -u -r1.51 -r1.52 src/lib/libedit/map.c
 cvs rdiff -u -r1.41 -r1.42 src/lib/libedit/parse.c
 cvs rdiff -u -r1.105 -r1.106 src/lib/libedit/read.c
 cvs rdiff -u -r1.155 -r1.156 src/lib/libedit/readline.c
 cvs rdiff -u -r1.48 -r1.49 src/lib/libedit/search.c
 cvs rdiff -u -r1.38 -r1.39 src/lib/libedit/terminal.c
 cvs rdiff -u -r1.62 -r1.63 src/lib/libedit/vi.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Responsible-Changed-From-To: lib-bug-people->christos
Responsible-Changed-When: Mon, 05 Aug 2019 19:00:01 +0000

Subject: Re: lib/54399 ([PATCH] Uninitialized memory access in libedit)
Date: Mon, 5 Aug 2019 19:01:08 +0000

 Error in editing, sorry!
 Would you like to keep the bug open for
 "XXX: should fix realloc similarly"?


NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD:,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.