From unknown Sat Aug 16 14:31:36 2025
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
From: Jaeseung Choi
To: 28859@debbugs.gnu.org
Date: Mon, 16 Oct 2017 10:07:52 +0900

Dear GNU team,

While testing coreutils for a research purpose, we found the following
crash in 'stty'. Running stty with the command-line "stty eol -F AA"
raises a crash as below. We did not change any terminal setting, and
believe the bug is irrelevant from any specific terminal
configuration.

jason@ubuntu:~$ tar -xf coreutils-8.28.tar.xz
jason@ubuntu:~$ cd coreutils-8.28/
jason@ubuntu:~/coreutils-8.28$ mkdir obj
jason@ubuntu:~/coreutils-8.28$ cd obj
jason@ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
jason@ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
Reading symbols from ./src/stty...done.
(gdb) run eol -F AA
Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA

Program received signal SIGSEGV, Segmentation fault.
set_control_char (info=0x40a6f8 , info=0x40a6f8 , mode=0x6103c0 , arg=0x0) at ../src/stty.c:1695
1695 else if (arg[0] == '\0' || arg[1] == '\0')
(gdb) x/i $rip
=> 0x40387a : movzbl (%rbx),%r14d
(gdb) info reg rbx
rbx 0x0 0
(gdb)

We could reproduce the bug in coreutils from version 8.27 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
But the stty program pre-built in Debian 9.1 did not crash because
currently 8.26 version is installed in Debian.

Please let us know if you have a problem in reproducing the bug.
Thank you.

Sincerely,
Jaeseung

From unknown Sat Aug 16 14:31:36 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Jaeseung Choi
Subject: bug#28859: closed (Re: bug#28859: Segmentation fault with NULL pointer dereference in 'stty')
Date: Mon, 16 Oct 2017 09:32:02 +0000

Your bug report

#28859: Segmentation fault with NULL pointer dereference in 'stty'

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 28859@debbugs.gnu.org.

-- 
28859: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28859
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
To: Jaeseung Choi, 28859-done@debbugs.gnu.org
From: Pádraig Brady
Date: Mon, 16 Oct 2017 02:30:56 -0700

On 15/10/17 18:07, Jaeseung Choi wrote:
> Dear GNU team,
>
> While testing coreutils for a research purpose, we found the following
> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
> raises a crash as below. We did not change any terminal setting, and
> believe the bug is irrelevant from any specific terminal
> configuration.
>
> jason@ubuntu:~$ tar -xf coreutils-8.28.tar.xz
> jason@ubuntu:~$ cd coreutils-8.28/
> jason@ubuntu:~/coreutils-8.28$ mkdir obj
> jason@ubuntu:~/coreutils-8.28$ cd obj
> jason@ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
> ...
> jason@ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
> Reading symbols from ./src/stty...done.
> (gdb) run eol -F AA
> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>
> Program received signal SIGSEGV, Segmentation fault.
> set_control_char (info=0x40a6f8 , info=0x40a6f8
> , mode=0x6103c0 , arg=0x0) at
> ../src/stty.c:1695
> 1695 else if (arg[0] == '\0' || arg[1] == '\0')
> (gdb) x/i $rip
> => 0x40387a : movzbl (%rbx),%r14d
> (gdb) info reg rbx
> rbx 0x0 0
> (gdb)
>
> We could reproduce the bug in coreutils from version 8.27 to 8.28.
> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
> But the stty program pre-built in Debian 9.1 did not crash because
> currently 8.26 version is installed in Debian.

This is actually an old bug which you can reproduce with -F /dev/tty.
The attached should fix it up.

thanks!
Pádraig

Content-Disposition: attachment; filename="stty-crash.patch"

>From 5e74a57e1b1491ab3a66dc6b6cf6b6d3ae36a138 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Mon, 16 Oct 2017 02:17:34 -0700
Subject: [PATCH] stty: fix processing of options when -F is specified

* src/stty.c (main): Pass argi+1 so that already processed
options are not considered in the argument count.
This is significant when -F is specified.
* NEWS: Mention the fix.
* tests/misc/stty-invalid.sh: Add a test case.
Fixes https://bugs.gnu.org/28859
---
 NEWS                       | 3 +++
 src/stty.c                 | 4 ++--
 tests/misc/stty-invalid.sh | 6 ++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS index 2878b70..13a3ee0 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,9 @@ GNU coreutils NEWS -*- outline -*- to attempt to hide the original length of the file name. [bug introduced in coreutils-8.28] + stty no longer crashes when processing settings with -F also specified. + [bug instroduced in coreutils-5.3.0] + ** Build-related Default man pages are now distributed which are used if perl is diff --git a/src/stty.c b/src/stty.c index 48aac59..8957595 100644 --- a/src/stty.c +++ b/src/stty.c @@ -1383,7 +1383,7 @@ main (int argc, char **argv) if (!noargs && !verbose_output && !recoverable_output) { static struct termios check_mode; - apply_settings (/* checking= */ true, device_name, argv, argc, + apply_settings (/* checking= */ true, device_name, argv, argi + 1, &check_mode, &speed_was_set, &require_set_attr); }
@@ -1411,7 +1411,7 @@ main (int argc, char **argv) speed_was_set = false; require_set_attr = false; - apply_settings (/* checking= */ false, device_name, argv, argc, + apply_settings (/* checking= */ false, device_name, argv, argi + 1, &mode, &speed_was_set, &require_set_attr); if (require_set_attr) diff --git a/tests/misc/stty-invalid.sh b/tests/misc/stty-invalid.sh index 06186e9..7402c93 100755 --- a/tests/misc/stty-invalid.sh +++ b/tests/misc/stty-invalid.sh 
@@ -41,6 +41,12 @@ returns_ 1 stty $(echo $saved_state |sed 's/^[^:]*:/'$hex_2_64:/) \ returns_ 1 stty $(echo $saved_state |sed 's/:[0-9a-f]*$/:'$hex_2_64/) \ 2>/dev/null || fail=1 +# From coreutils 5.3.0 to 8.28, the following would crash +# due to incorrect argument handling. +if tty -s
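
Review bot: In the NEWS hunk, the added attribution line reads "[bug instroduced in coreutils-5.3.0]"; "instroduced" is a typo for "introduced", and the entry directly above it in the same hunk already uses the correct spelling in "[bug introduced in coreutils-8.28]".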
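
Review bot: In both src/stty.c hunks, replacing argc with argi + 1 only shortens the range that apply_settings walks, so it helps only when every already processed option lies beyond that range. Nothing in these hunks shows that this holds when -F sits between two settings, and no check on the element that follows a setting is added. Consider validating the next element inside apply_settings before it is used, and add a test case with -F placed in the middle of the settings.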

From unknown Sat Aug 16 14:31:36 2025
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
To: 28859@debbugs.gnu.org, Pádraig Brady, jschoi.2022@gmail.com
Cc: 28859-done@debbugs.gnu.org
From: Jim Meyering
Date: Mon, 16 Oct 2017 10:49:32 -0700

On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady wrote:
> On 15/10/17 18:07, Jaeseung Choi wrote:
>> Dear GNU team,
>>
>> While testing coreutils for a research purpose, we found the following
>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>> raises a crash as below. We did not change any terminal setting, and
>> believe the bug is irrelevant from any specific terminal
>> configuration.
>>
>> jason@ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>> jason@ubuntu:~$ cd coreutils-8.28/
>> jason@ubuntu:~/coreutils-8.28$ mkdir obj
>> jason@ubuntu:~/coreutils-8.28$ cd obj
>> jason@ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>> ...
>> jason@ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>> Reading symbols from ./src/stty...done.
>> (gdb) run eol -F AA
>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> set_control_char (info=0x40a6f8 , info=0x40a6f8
>> , mode=0x6103c0 , arg=0x0) at
>> ../src/stty.c:1695
>> 1695 else if (arg[0] == '\0' || arg[1] == '\0')
>> (gdb) x/i $rip
>> => 0x40387a : movzbl (%rbx),%r14d
>> (gdb) info reg rbx
>> rbx 0x0 0
>> (gdb)
>>
>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>> But the stty program pre-built in Debian 9.1 did not crash because
>> currently 8.26 version is installed in Debian.
>
> This is actually an old bug which you can reproduce with -F /dev/tty.
> The attached should fix it up.

Thank you!
If it's not too hard to determine, would you please mention in the log
the commit that introduced the bug?

From unknown Sat Aug 16 14:31:36 2025
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
To: Jim Meyering, 28859@debbugs.gnu.org, jschoi.2022@gmail.com
From: Pádraig Brady
Date: Tue, 17 Oct 2017 00:37:10 -0700

On 16/10/17 10:49, Jim Meyering wrote:
> On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady wrote:
>> On 15/10/17 18:07, Jaeseung Choi wrote:
>>> Dear GNU team,
>>>
>>> While testing coreutils for a research purpose, we found the following
>>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>>> raises a crash as below. We did not change any terminal setting, and
>>> believe the bug is irrelevant from any specific terminal
>>> configuration.
>>>
>>> jason@ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>>> jason@ubuntu:~$ cd coreutils-8.28/
>>> jason@ubuntu:~/coreutils-8.28$ mkdir obj
>>> jason@ubuntu:~/coreutils-8.28$ cd obj
>>> jason@ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>>> ...
>>> jason@ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>>> Reading symbols from ./src/stty...done.
>>> (gdb) run eol -F AA
>>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> set_control_char (info=0x40a6f8 , info=0x40a6f8
>>> , mode=0x6103c0 , arg=0x0) at
>>> ../src/stty.c:1695
>>> 1695 else if (arg[0] == '\0' || arg[1] == '\0')
>>> (gdb) x/i $rip
>>> => 0x40387a : movzbl (%rbx),%r14d
>>> (gdb) info reg rbx
>>> rbx 0x0 0
>>> (gdb)
>>>
>>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>>> But the stty program pre-built in Debian 9.1 did not crash because
>>> currently 8.26 version is installed in Debian.
>>
>> This is actually an old bug which you can reproduce with -F /dev/tty.
>> The attached should fix it up.
>
> Thank you!
> If it's not too hard to determine, would you please mention in the log
> the commit that introduced the bug?

Updated patch attached.
I mistakenly thought getopt would permute the argv so NULLs were at the end.
The attached caters for NULLs interspersed in the argv[].

cheers,
Pádraig.

Content-Disposition: attachment; filename="stty-crash.patch"

>From 9402e1a21fa4e6939fb978e41efabf532d344c66 Mon Sep 17 00:00:00 2001
From: Pádraig Brady
Date: Mon, 16 Oct 2017 02:17:34 -0700
Subject: [PATCH] stty: fix processing of options when -F is specified

This was a latent issue that became significant with the
addition of the -F option in FILEUTILS-3_16n-56-ge46a424

* src/stty.c (apply_settings): Refactor argument checking to
a function macro. Augment the argument check to ignore
NULLed out arguments (already processed -F).
* NEWS: Mention the fix.
* tests/misc/stty-invalid.sh: Add a test case.
Fixes https://bugs.gnu.org/28859
---
 NEWS                       | 3 +++
 src/stty.c                 | 43 +++++++++++++------------------------------
 tests/misc/stty-invalid.sh | 9 +++++++++
 3 files changed, 25 insertions(+), 30 deletions(-)

diff --git a/NEWS b/NEWS index 2878b70..9b0dc6c 100644 --- a/NEWS +++ b/NEWS
@@ -11,6 +11,9 @@ GNU coreutils NEWS -*- outline -*- to attempt to hide the original length of the file name. [bug introduced in coreutils-8.28] + stty no longer crashes when processing settings with -F also specified. + [bug introduced in fileutils-4.0] + ** Build-related Default man pages are now distributed which are used if perl is diff --git a/src/stty.c b/src/stty.c index 48aac59..1a5c1e9 100644 --- a/src/stty.c +++ b/src/stty.c @@ -1089,6 +1089,13 @@ apply_settings (bool checking, const char *device_name, struct termios *mode, bool *speed_was_set, bool *require_set_attr) { +#define check_argument(arg) \ + if (k == n_settings - 1 || ! settings[k+1]) \ + { \ + error (0, 0, _("missing argument to %s"), quote (arg)); \ + usage (EXIT_FAILURE); \ + } + for (int k = 1; k < n_settings; k++) { char const *arg = settings[k]; @@ -1135,11 +1142,7 @@ apply_settings (bool checking, const char *device_name, { if (STREQ (arg, control_info[i].name)) { - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); match_found = true; ++k; set_control_char (&control_info[i], settings[k], mode); @@ -1152,11 +1155,7 @@ apply_settings (bool checking, const char *device_name, { if (STREQ (arg, "ispeed")) { - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); ++k; if (checking) continue; @@ -1166,11 +1165,7 @@ apply_settings (bool checking, const char *device_name, } else if (STREQ (arg, "ospeed")) { - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); ++k; if (checking) continue; 
@@ -1198,11 +1193,7 @@ apply_settings (bool checking, const char *device_name, #ifdef TIOCGWINSZ else if (STREQ (arg, "rows")) { - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); ++k; if (checking) continue; @@ -1212,11 +1203,7 @@ apply_settings (bool checking, const char *device_name, else if (STREQ (arg, "cols") || STREQ (arg, "columns")) { - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); ++k; if (checking) continue; @@ -1236,11 +1223,7 @@ apply_settings (bool checking, const char *device_name, else if (STREQ (arg, "line")) { unsigned long int value; - if (k == n_settings - 1) - { - error (0, 0, _("missing argument to %s"), quote (arg)); - usage (EXIT_FAILURE); - } + check_argument (arg); ++k; mode->c_line = value = integer_arg (settings[k], ULONG_MAX); if (mode->c_line != value) diff --git a/tests/misc/stty-invalid.sh b/tests/misc/stty-invalid.sh index 06186e9..5509b65 100755 --- a/tests/misc/stty-invalid.sh +++ b/tests/misc/stty-invalid.sh 
@@ -41,6 +41,15 @@ returns_ 1 stty $(echo $saved_state |sed 's/^[^:]*:/'$hex_2_64:/) \ returns_ 1 stty $(echo $saved_state |sed 's/:[0-9a-f]*$/:'$hex_2_64/) \ 2>/dev/null || fail=1 +# From coreutils 5.3.0 to 8.28, the following would crash +# due to incorrect argument handling. +if tty -s
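Review bot: At each of the three call sites in apply_settings (rows, cols/columns, line) the guard check_argument (arg) and the ++k that follows are separate statements, and only arg is passed, so the check depends on k and n_settings being in scope and on nobody inserting code between the two lines. A helper that takes the index explicitly and hands back settings[k+1] after checking it would keep the check and the advance together; in the line branch that value goes straight into integer_arg (settings[k], ULONG_MAX).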
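Review bot: The new case in tests/misc/stty-invalid.sh is gated on "if tty -s", so as far as the visible lines show it does not run on a build host without a terminal and a regression would pass unnoticed there. Consider stating that limitation in the comment, and naming the failing condition (a setting with its argument missing) rather than "incorrect argument handling", so a future failure is easier to triage.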
From: Jim Meyering
Date: Tue, 17 Oct 2017 11:12:48 -0700
To: Pádraig Brady
Cc: jschoi.2022@gmail.com, 28859@debbugs.gnu.org

On Tue, Oct 17, 2017 at 12:37 AM, Pádraig Brady wrote:
> On 16/10/17 10:49, Jim Meyering wrote:
>> On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady wrote:
>>> On 15/10/17 18:07, Jaeseung Choi wrote:
>>>> Dear GNU team,
>>>>
>>>> While testing coreutils for a research purpose, we found the following
>>>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>>>> raises a crash as below. We did not change any terminal setting, and
>>>> believe the bug is irrelevant from any specific terminal
>>>> configuration.
>>>>
>>>> jason@ubuntu:~$ tar -xf coreutils-8.28.tar.xz
>>>> jason@ubuntu:~$ cd coreutils-8.28/
>>>> jason@ubuntu:~/coreutils-8.28$ mkdir obj
>>>> jason@ubuntu:~/coreutils-8.28$ cd obj
>>>> jason@ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>>>> ...
>>>> jason@ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
>>>> Reading symbols from ./src/stty...done.
>>>> (gdb) run eol -F AA
>>>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> set_control_char (info=0x40a6f8 , info=0x40a6f8
>>>> , mode=0x6103c0 , arg=0x0) at
>>>> ../src/stty.c:1695
>>>> 1695 else if (arg[0] == '\0' || arg[1] == '\0')
>>>> (gdb) x/i $rip
>>>> => 0x40387a : movzbl (%rbx),%r14d
>>>> (gdb) info reg rbx
>>>> rbx 0x0 0
>>>> (gdb)
>>>>
>>>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>>>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>>>> But the stty program pre-built in Debian 9.1 did not crash because
>>>> currently 8.26 version is installed in Debian.
>>>
>>> This is actually an old bug which you can reproduce with -F /dev/tty.
>>> The attached should fix it up.
>>
>> Thank you!
>> If it's not too hard to determine, would you please mention in the log
>> the commit that introduced the bug?
>
> Updated patch attached. I mistakenly thought getopt would
> permute the argv so NULLs were at the end. The attached
> caters for NULLs interspersed in the argv[].

Good catch!
One suggestion: indent the backslashes to column 72, e.g., with this patch:

[Attachment: stty-nit.diff]

From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Tue, 17 Oct 2017 11:28:51 -0700
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
To: Pádraig Brady, Jim Meyering, 28859@debbugs.gnu.org, jschoi.2022@gmail.com
Message-ID: <7939e03b-ae78-3bea-3979-da08ef84b8a0@cs.ucla.edu>

On 10/17/2017 12:37 AM, Pádraig Brady wrote:
> +#define check_argument(arg) \
> + if (k == n_settings - 1 || ! settings[k+1]) \
> + { \
> + error (0, 0, _("missing argument to %s"), quote (arg)); \
> + usage (EXIT_FAILURE); \
> + }

How about making this a static function instead of a macro? I am leery
of macros for all the usual reasons. Admittedly the static function will
also need k, n_settings, and settings as arguments; still, it seems
cleaner to me overall.

If you do keep it a macro, please put it inside a do...while so that it
doesn't cause problems as a then-part with a following else.

From: Andreas Schwab
Date: Tue, 17 Oct 2017 21:55:59 +0200
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
To: Pádraig Brady
Cc: Jim Meyering, jschoi.2022@gmail.com, 28859@debbugs.gnu.org
Message-ID: <87vajdsg4w.fsf@linux-m68k.org>

On Oct 17 2017, Pádraig Brady wrote:

> Updated patch attached. I mistakenly thought getopt would
> permute the argv so NULLs were at the end. The attached
> caters for NULLs interspersed in the argv[].

This has nothing to do with getopt, the first pass explicitly overwrites
the arguments that were already parsed.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
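The two points made in the replies above (the first pass leaves NULL entries in the middle of the settings array, and the check reads better as a static function) shown together as an added C example; it is not code from the thread or from coreutils. The function names and the reduced two-pass model are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pass one (constructed model): consume "-F DEVICE" and overwrite both
   slots with NULL, leaving NULLs interspersed in settings[].  */
static void blank_device_option (char **settings, int n_settings)
{
  for (int k = 1; k < n_settings; k++)
    if (settings[k] && strcmp (settings[k], "-F") == 0)
      {
        settings[k] = NULL;
        if (k + 1 < n_settings)
          settings[++k] = NULL;
      }
}

/* Pre-fix test: looks only at the array bound.  */
static bool bound_only_has_argument (int n_settings, int k)
{
  return k != n_settings - 1;
}

/* Post-fix test as a function: slot k+1 must exist and not be blanked.  */
static bool has_argument (char *const *settings, int n_settings, int k)
{
  return k < n_settings - 1 && settings[k + 1] != NULL;
}

/* Pass two, reduced to "eol".  Returns its argument, or NULL where stty
   would report a missing argument and exit.  */
static const char *eol_argument (char **settings, int n_settings)
{
  blank_device_option (settings, n_settings);
  for (int k = 1; k < n_settings; k++)
    if (settings[k] && strcmp (settings[k], "eol") == 0)
      return has_argument (settings, n_settings, k) ? settings[k + 1] : NULL;
  return NULL;
}

int main (void)
{
  char *argv_model[] = { "stty", "eol", "-F", "AA" };   /* constructed */
  printf ("bound-only check passes: %d\n", bound_only_has_argument (4, 1));
  printf ("eol argument: %s\n",
          eol_argument (argv_model, 4) ? "present" : "missing");
  return 0;
}
```

With the reported command line, the bound-only test accepts index 1 because it is not the last slot, while the function form rejects it because the next slot was blanked by the first pass.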