GNU bug report logs - #28859
Segmentation fault with NULL pointer dereference in 'stty'


Package: coreutils

Reported by: Jaeseung Choi <jschoi.2022 <at> gmail.com>

Date: Mon, 16 Oct 2017 07:14:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Pádraig Brady <P <at> draigBrady.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#28859: closed (Segmentation fault with NULL pointer
 dereference in 'stty')
Date: Mon, 16 Oct 2017 09:32:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Mon, 16 Oct 2017 02:30:56 -0700
with message-id <d7492642-0e36-5b94-71f6-1bcf089e81da <at> draigBrady.com>
and subject line Re: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
has caused the debbugs.gnu.org bug report #28859,
regarding Segmentation fault with NULL pointer dereference in 'stty'
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
28859: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28859
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Jaeseung Choi <jschoi.2022 <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Segmentation fault with NULL pointer dereference in 'stty'
Date: Mon, 16 Oct 2017 10:07:52 +0900
Dear GNU team,

While testing coreutils for research purposes, we found the following
crash in 'stty'. Running stty with the command-line "stty eol -F AA"
raises a crash as below. We did not change any terminal setting, and
believe the bug is irrelevant to any specific terminal
configuration.

jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
jason <at> ubuntu:~$ cd coreutils-8.28/
jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
jason <at> ubuntu:~/coreutils-8.28$ cd obj
jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
Reading symbols from ./src/stty...done.
(gdb) run eol -F AA
Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA

Program received signal SIGSEGV, Segmentation fault.
set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8 <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at ../src/stty.c:1695
1695      else if (arg[0] == '\0' || arg[1] == '\0')
(gdb) x/i $rip
=> 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
(gdb) info reg rbx
rbx            0x0      0
(gdb)

We could reproduce the bug in coreutils from version 8.27 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
But the stty program pre-built in Debian 9.1 did not crash because
version 8.26 is currently installed in Debian.

Please let us know if you have a problem in reproducing the bug.

Thank you.

Sincerely,
Jaeseung


[Message part 3 (message/rfc822, inline)]
From: Pádraig Brady <P <at> draigBrady.com>
To: Jaeseung Choi <jschoi.2022 <at> gmail.com>, 28859-done <at> debbugs.gnu.org
Subject: Re: bug#28859: Segmentation fault with NULL pointer dereference in
 'stty'
Date: Mon, 16 Oct 2017 02:30:56 -0700
[Message part 4 (text/plain, inline)]
On 15/10/17 18:07, Jaeseung Choi wrote:
> Dear GNU team,
> 
> While testing coreutils for research purposes, we found the following
> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
> raises a crash as below. We did not change any terminal setting, and
> believe the bug is irrelevant to any specific terminal
> configuration.
> 
> jason <at> ubuntu:~$ tar -xf coreutils-8.28.tar.xz
> jason <at> ubuntu:~$ cd coreutils-8.28/
> jason <at> ubuntu:~/coreutils-8.28$ mkdir obj
> jason <at> ubuntu:~/coreutils-8.28$ cd obj
> jason <at> ubuntu:~/coreutils-8.28/obj$ ../configure --disable-nls && make
> ...
> jason <at> ubuntu:~/coreutils-8.28/obj$ gdb ./src/stty -q
> Reading symbols from ./src/stty...done.
> (gdb) run eol -F AA
> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
> 
> Program received signal SIGSEGV, Segmentation fault.
> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8 <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at ../src/stty.c:1695
> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
> (gdb) x/i $rip
> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
> (gdb) info reg rbx
> rbx            0x0      0
> (gdb)
> 
> We could reproduce the bug in coreutils from version 8.27 to 8.28.
> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
> But the stty program pre-built in Debian 9.1 did not crash because
> version 8.26 is currently installed in Debian.

This is actually an old bug which you can reproduce with -F /dev/tty.
The attached should fix it up.

thanks!
Pádraig

[stty-crash.patch (text/x-patch, attachment)]
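
The failure class in the backtrace above (a setting such as "eol" takes the next argv entry as its value, and that entry reaches line 1695 as arg=0x0), as an added example that is neither coreutils source nor the attached patch. It assumes, as a model, that argv entries already consumed as options ("-F AA") are NULL by the time settings are applied; the function names, the result enum and the run() helper are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not coreutils source. Assumption: argv entries already
   consumed as options (here "-F AA") are NULL when settings are applied. */
enum result { OK, MISSING_ARG, BAD_ARG };

/* Simplified value parser: one literal character or ^c notation. */
static enum result parse_control_char(const char *arg, unsigned char *out)
{
    if (arg == NULL)                        /* guard absent on the crashing path */
        return MISSING_ARG;
    if (arg[0] == '\0' || arg[1] == '\0')   /* same test as stty.c:1695 */
        *out = (unsigned char) arg[0];
    else if (arg[0] == '^' && arg[2] == '\0')
        *out = arg[1] == '?' ? 127 : (unsigned char) (arg[1] & 0x1f);
    else
        return BAD_ARG;
    return OK;
}

static enum result apply_settings(int argc, const char *const argv[],
                                  unsigned char *eol)
{
    for (int k = 0; k < argc; k++) {
        if (argv[k] == NULL)                /* consumed by the option pass */
            continue;
        if (strcmp(argv[k], "eol") != 0)
            return BAD_ARG;                 /* model knows only the "eol" setting */
        if (k == argc - 1 || argv[k + 1] == NULL)
            return MISSING_ARG;             /* report it, never dereference */
        enum result r = parse_control_char(argv[++k], eol);
        if (r != OK)
            return r;
    }
    return OK;
}

/* Applies three constructed argv slots; returns the eol value, or -result. */
static int run(const char *a, const char *b, const char *c)
{
    unsigned char eol = 0;
    const char *const argv[] = { a, b, c };
    enum result r = apply_settings(3, argv, &eol);
    return r == OK ? eol : -(int) r;
}

int main(void)
{
    printf("%d %d\n", run("eol", NULL, NULL), run("eol", "^J", NULL));
}
```

The first call models "eol -F AA" and yields a missing-argument error instead of a SIGSEGV; the second models "eol ^J" and yields 10.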

This bug report was last modified 7 years and 275 days ago.
