NetBSD Problem Report #57630
From simonb@thistledown.com.au Tue Sep 26 07:19:05 2023
Return-Path: <simonb@thistledown.com.au>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id C5BB41A9238
for <gnats-bugs@gnats.NetBSD.org>; Tue, 26 Sep 2023 07:19:05 +0000 (UTC)
Message-Id: <20230926042219.3D65544B0@thoreau.thistledown.com.au>
Date: Tue, 26 Sep 2023 14:22:19 +1000 (AEST)
From: Simon Burge <simonb@NetBSD.org>
Reply-To: Simon Burge <simonb@NetBSD.org>
To: gnats-bugs@NetBSD.org
Subject: vi coredump
X-Send-Pr-Version: 3.95
>Number: 57630
>Category: bin
>Synopsis: vi coredump
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 26 07:20:01 +0000 2023
>Last-Modified: Wed Sep 27 16:05:02 +0000 2023
>Originator: Simon Burge
>Release: NetBSD 9.99.101
>Organization:
Disorganised
>Environment:
System: NetBSD thoreau.thistledown.com.au 9.99.101 NetBSD 9.99.101 (THOREAU.git) #58: Sun Oct 23 22:10:19 AEDT 2022 simonb@thoreau.thistledown.com.au:/NetBSD/netbsd-zfsboot-git/sys/arch/amd64/compile/THOREAU amd64
Architecture: x86_64
Machine: amd64
>Description:
vi segfaults, apparently trying to do a null pointer deref.
>How-To-Repeat:
1. Start vi.
2. Type a <esc>
3. Type :%s/^ <enter>
4. See vi segfault.
>Fix:
None given.
pkgsrc/editors/nvi 1.81.6 doesn't appear to have this problem.
>Audit-Trail:
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 09:37:14 +0000 (UTC)
On Tue, 26 Sep 2023, Simon Burge wrote:
>> How-To-Repeat:
> 1. Start vi.
> 2. Type a <esc>
> 3. Type :%s/^ <enter>
> 4. See vi segfault.
Can't reproduce this with the system vi in 9.3 which is:
Version (1.81.6-2013-11-20nb4) The CSRG, University of California, Berkeley.
:%s/^<space><space><enter>
:%s/^<space><enter>
:%s/^<enter>
all say: No match found--which is correct since it's an empty buffer. With
the appropriate file contents, it correctly deletes the pattern (the last one
being a no-op).
What does your ~/.exrc look like?
-RVP
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 11:48:23 +0200
On Wed, Sep 27, 2023 at 09:40:01AM +0000, RVP wrote:
> Can't reproduce this with the system vi in 9.3 which is:
I can reproduce it in -current (no vi related config files).
Martin
From: Simon Burge <simonb@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 21:05:24 +1000
RVP wrote:
> The following reply was made to PR bin/57630; it has been noted by GNATS.
>
> From: RVP <rvp@SDF.ORG>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: bin/57630: vi coredump
> Date: Wed, 27 Sep 2023 09:37:14 +0000 (UTC)
>
> On Tue, 26 Sep 2023, Simon Burge wrote:
>
> >> How-To-Repeat:
> > 1. Start vi.
> > 2. Type a <esc>
> > 3. Type :%s/^ <enter>
> > 4. See vi segfault.
>
> Can't reproduce this with the system vi in 9.3 which is:
>
> Version (1.81.6-2013-11-20nb4) The CSRG, University of California, Berkeley.
>
> :%s/^<space><space><enter>
> :%s/^<space><enter>
> :%s/^<enter>
>
> all say: No match found--which is correct since it's an empty buffer. With
> the appropriate file contents, it correctly deletes the pattern (the last one
> being a no-op).
Did you do step 2? It seems to be important to "modify" an empty line.
If I do any of the :%s/ commands without doing that, vi works like you
describe.
> What does your ~/.exrc look like?
I can repro on nbftp with no ~/.exrc, which is:
NetBSD morden.netbsd.org 9.0_STABLE NetBSD 9.0_STABLE (NBFTP) #0: Sat Jul 4 06:52:32 UTC 2020 spz@franklin.NetBSD.org:/home/netbsd/9/amd64/obj/sys/arch/amd64/compile/NBFTP amd64
Cheers,
Simon.
From: Havard Eidnes <he@NetBSD.org>
To: gnats-bugs@netbsd.org, simonb@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 14:55:35 +0200 (CEST)
>>How-To-Repeat:
> 1. Start vi.
> 2. Type a <esc>
> 3. Type :%s/^ <enter>
> 4. See vi segfault.
I'm also unable to reproduce this with
NetBSD/amd64 10.0_BETA
/etc/release says
Build information:
Build date Fri Aug 18 12:52:31 UTC 2023
Built by builder@localhost.NetBSD.org
Build ID 202308201920Z
$ env | grep EXI
$ vi
a<space><esc> (or just a<esc>, same result)
:%s/^<space><space><enter>
No segfault, just "No match found." in inverse video on the
bottom line of the display.
:version
gives
Version (1.81.6-2013-11-20nb4) The CSRG, University of California, Berkeley.
in my case.
- Håvard
From: Martin Husemann <martin@duskware.de>
To: Havard Eidnes <he@NetBSD.org>
Cc: gnats-bugs@netbsd.org, simonb@NetBSD.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 15:00:15 +0200
On Wed, Sep 27, 2023 at 02:55:35PM +0200, Havard Eidnes wrote:
> a<space><esc> (or just a<esc>, same result)
> :%s/^<space><space><enter>
no <space>es here, just <enter>
Martin
From: Paul Goyette <paul@whooppee.com>
To: Havard Eidnes <he@NetBSD.org>
Cc: gnats-bugs@netbsd.org, simonb@NetBSD.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 06:09:38 -0700 (PDT)
On Wed, 27 Sep 2023, Havard Eidnes wrote:
> I'm also unable to reproduce this with
>
> NetBSD/amd64 10.0_BETA
>
> /etc/release says
>
> Build information:
> Build date Fri Aug 18 12:52:31 UTC 2023
> Built by builder@localhost.NetBSD.org
> Build ID 202308201920Z
I am also unable to repro on amd64/10.99.8
Build information:
Build date Sat Sep 9 02:52:00 UTC 2023
Built by paul@speedy.whooppee.com
+--------------------+--------------------------+----------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul@whooppee.com |
| Software Developer | 0786 F758 55DE 53BA 7731 | pgoyette@netbsd.org |
| & Network Engineer | | pgoyette99@gmail.com |
+--------------------+--------------------------+----------------------+
From: Havard Eidnes <he@NetBSD.org>
To: martin@duskware.de
Cc: gnats-bugs@netbsd.org, simonb@NetBSD.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 15:15:15 +0200 (CEST)
> On Wed, Sep 27, 2023 at 02:55:35PM +0200, Havard Eidnes wrote:
>> a<space><esc> (or just a<esc>, same result)
>> :%s/^<space><space><enter>
>
> no <space>es here, just <enter>
Ah, yes, then I get
~
~
[2] Segmentation fault (core dumped) vi
$
- Håvard
From: Paul Goyette <paul@whooppee.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
Simon Burge <simonb@NetBSD.org>
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 06:26:41 -0700 (PDT)
On Wed, 27 Sep 2023, Havard Eidnes wrote:
> >> a<space><esc> (or just a<esc>, same result)
> >> :%s/^<space><space><enter>
> >
>
> > no <space>es here, just <enter>
>
> Ah, yes, then I get
>
> ~
> ~
> [2] Segmentation fault (core dumped) vi
> $
Yup, me too
+--------------------+--------------------------+----------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul@whooppee.com |
| Software Developer | 0786 F758 55DE 53BA 7731 | pgoyette@netbsd.org |
| & Network Engineer | | pgoyette99@gmail.com |
+--------------------+--------------------------+----------------------+
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 16:00:55 -0000 (UTC)
he@NetBSD.org (Havard Eidnes) writes:
>> On Wed, Sep 27, 2023 at 02:55:35PM +0200, Havard Eidnes wrote:
>>> a<space><esc> (or just a<esc>, same result)
>>> :%s/^<space><space><enter>
>>
>> no <space>es here, just <enter>
>Ah, yes, then I get
>~
>~
>[2] Segmentation fault (core dumped) vi
> $
The db routines (vi_db.c/vi_db1.c) can return a NULL pointer
for an empty line or when a buffer allocation fails which also
happens if the line is empty as we don't allocate a buffer is
the previous with length == 0 is sufficiently large.
The result is fed into regexec() which crashes.
Fixing the db code and possibly also the allocation code
throughout the source probably ends in rewriting nvi. So
I suggest to prevent regexec() from crashing, like:
Index: dist/regex/engine.c
===================================================================
RCS file: /cvsroot/src/external/bsd/nvi/dist/regex/engine.c,v
retrieving revision 1.3
diff -p -u -r1.3 engine.c
--- dist/regex/engine.c 7 Jan 2014 21:48:12 -0000 1.3
+++ dist/regex/engine.c 27 Sep 2023 16:00:10 -0000
@@ -150,6 +150,11 @@ int eflags;
const sopno gl = g->laststate;
RCHAR_T *start;
RCHAR_T *stop;
+ RCHAR_T empty[] = { REOF };
+
+ /* Input can be a NULL pointer, treat like an empty line. */
+ if (string == NULL)
+ string = empty;
/* simplify the situation where possible */
if (g->cflags®_NOSUB)
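Review bot: the guard substitutes a one-element `empty` array for a NULL `string`, but the `start`/`stop` pointers declared just above it are derived later in matcher() from `string` plus the caller's match offsets (REG_STARTEND); if a caller ever hands over NULL together with non-zero offsets those pointers would run past `empty`, so the guard should also zero the offsets or assert that they are zero, and the comment should say why NULL can arrive here (the message above explains that the db layer returns NULL for an empty line or a failed buffer allocation). The context line `if (g->cflags®_NOSUB)` is extraction damage in this listing for `g->cflags&REG_NOSUB` and is not part of the change.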
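The failure mode described in the message above, an editor line that is a NULL pointer with length 0 being handed to the regex matcher, can also be guarded on the caller side. The following is an added example, not nvi's code and not the patch above: it uses the standard POSIX regexec() with REG_STARTEND as a stand-in for nvi's length-counted regexec(), and the names line_match and line_has_match are hypothetical. A NULL line of length 0 is mapped to an empty string so anchors like `^` still behave as they would on an empty line, while a NULL line with a non-zero length is rejected as a caller bug instead of being passed on.

```c
#include <regex.h>
#include <stddef.h>

/* Added example (not nvi's code). Editors in the nvi family keep a line as a
 * (pointer, length) pair, and an empty line may come back as NULL with
 * length 0. Passing that pointer straight to regexec() dereferences NULL.
 * This wrapper substitutes a zero-length string for a NULL line so that
 * "^" and "$" still match an empty line, and refuses the inconsistent
 * combination NULL with len > 0, which would otherwise read past nothing.
 * Returns 0 on match, REG_NOMATCH on no match, -1 on bad arguments. */
int line_match(const regex_t *re, const char *line, size_t len, regmatch_t *m)
{
    static const char empty[1] = "";   /* stands in for a NULL, empty line */
    regmatch_t pm;
    int rc;

    if (line == NULL) {
        if (len != 0)
            return -1;                 /* caller bug: NULL with non-zero length */
        line = empty;
    }

    /* REG_STARTEND lets the subject be length-counted rather than NUL
     * terminated, which is how a line-based editor hands buffers around. */
    pm.rm_so = 0;
    pm.rm_eo = (regoff_t)len;
    rc = regexec(re, line, 1, &pm, REG_STARTEND);
    if (rc == 0 && m != NULL)
        *m = pm;
    return rc;
}

/* Compile a pattern and test a single editor line against it.
 * Returns 1 if the pattern matches, 0 if it does not, -1 on error. */
int line_has_match(const char *pattern, const char *line, size_t len)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = line_match(&re, line, len, NULL);
    regfree(&re);
    if (rc == 0)
        return 1;
    if (rc == REG_NOMATCH)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed inputs mirroring the PR: the ":%s/^ " pattern is "^ ",
     * and the edited empty line arrives as NULL with length 0. */
    int empty_caret = line_has_match("^", NULL, 0);      /* 1: "^" matches an empty line */
    int empty_space = line_has_match("^ ", NULL, 0);     /* 0: no leading blank to match */
    int real_line   = line_has_match("^ ", "  x", 3);    /* 1: leading blank present */
    int bad_args    = line_has_match("^", NULL, 5);      /* -1: NULL with non-zero length */
    return (empty_caret == 1 && empty_space == 0 && real_line == 1 && bad_args == -1) ? 0 : 1;
}
```

The wrapper does not replace a fix in the db layer; it only makes the regex call robust to the NULL that the message says the db routines can return, which is the same trade-off the patch makes inside the engine.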
>Unformatted:
Confirmed on multiple NetBSD releases with multiple architectures.
Also occurs on FreeBSD's nvi