bug-ncurses

[Bug report] coredump when ncurses allocated fail


From: eaglegai
Subject: [Bug report] coredump when ncurses allocated fail
Date: Mon, 19 Jun 2023 21:45:18 +0800 (GMT+08:00)

Hi,
I'm doing some tests on ncurses, and found some problems.

1. Problem 1
fmt_buff is NULL, then strlen(fmt_buff) causes a coredump.
bt1:
Core was generated by `/usr/bin/slabtop -d 5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
78 VPCMP $0, (%rdi), %YMMZERO, %k0
(gdb) bt
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
#1 0x00007f54758aa660 in tparam_internal (data="" string=<optimized out>, tps=0x55e6f6c33170) at ../../ncurses/tinfo/lib_
#2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at ../../ncurses/tinfo/lib_tparm.c:1207
#3 0x00007f54758e25ac in EmitRange (sp=sp@entry=0x55e6f6c32a10, ntext=0x55e6f6c402ac, num=19) at ../../ncurses/tty/tty_update.c:651
#4 0x00007f54758e2ee9 in PutRange (last=<optimized out>, first=<optimized out>, row=<optimized out>, ntext=<optimized out>, otext=<opt
    at ../../ncurses/tty/tty_update.c:716
#5 PutRange (sp=0x55e6f6c32a10, otext=<optimized out>, ntext=0x55e6f6c401c0, row=6, first=<optimized out>, last=<optimized out>) at ..
#6 0x00007f54758e3baa in TransformLine (sp=sp@entry=0x55e6f6c32a10, lineno=lineno@entry=6) at ../../ncurses/tty/tty_update.c:1584
#7 0x00007f54758e4c1d in ClrUpdate (sp=0x55e6f6c32a10) at ../../ncurses/tty/tty_update.c:1142
#8 doupdate_sp (sp=sp@entry=0x55e6f6c32a10) at ../../ncurses/tty/tty_update.c:992
#9 0x00007f54758d9624 in wrefresh (win=0x55e6f6c43af0) at ../../ncurses/base/lib_refresh.c:66
#10 0x000055e6f576759f in main (argc=<optimized out>, argv=<optimized out>) at slabtop.c:362
(gdb) f 1
#1 0x00007f54758aa660 in tparam_internal (data="" string=<optimized out>, tps=0x55e6f6c33170) at ../../ncurses/tinfo/lib_
819 save_number(tps, TPS(fmt_buff), x, len);
(gdb) p tps->fmt_buff
$1 = 0x0
(gdb)
bt2:
Core was generated by `/usr/bin/slabtop -d 5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
78 VPCMP $0, (%rdi), %YMMZERO, %k0
(gdb) bt
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
#1 0x00007f9f25f1e660 in tparam_internal (data="" string=<optimized out>, tps=0x55b7081ac170)
    at ../../ncurses/tinfo/lib_tparm.c:819
#2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at ../../ncurses/tinfo/lib_tparm.c:1207
#3 0x00007f9f25f4b60b in _nc_mvcur_init_sp (sp=0x55b7081aba10) at ../../ncurses/tty/lib_mvcur.c:430
#4 0x00007f9f25f4b81f in _nc_mvcur_init () at ../../ncurses/tty/lib_mvcur.c:465
#5 0x00007f9f25f4bcb5 in newterm_sp (sp=<optimized out>, name=name@entry=0x55b7081ab3b0 "xterm",
    ofp=ofp@entry=0x7f9f25ef65a0 <_IO_2_1_stdout_>, ifp=ifp@entry=0x7f9f25ef58c0 <_IO_2_1_stdin_>)
    at ../../ncurses/base/lib_newterm.c:343
#6 0x00007f9f25f4bfa9 in newterm (name=name@entry=0x55b7081ab3b0 "xterm", ofp=0x7f9f25ef65a0 <_IO_2_1_stdout_>,
    ifp=0x7f9f25ef58c0 <_IO_2_1_stdin_>) at ../../ncurses/base/lib_newterm.c:367
#7 0x00007f9f25f47fd0 in initscr () at ../../ncurses/base/lib_initscr.c:93
#8 0x000055b7079c96dc in main (argc=3, argv=<optimized out>) at slabtop.c:317
(gdb) f 1
#1 0x00007f9f25f1e660 in tparam_internal (data="" string=<optimized out>, tps=0x55b7081ac170)
    at ../../ncurses/tinfo/lib_tparm.c:819
819 save_number(tps, TPS(fmt_buff), x, len);
(gdb) p tps->fmt_buff
$1 = 0x0
(gdb)
bt3:
Core was generated by `/usr/bin/slabtop -d 5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
78 VPCMP $0, (%rdi), %YMMZERO, %k0
(gdb) bt
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
#1 0x00007fb515d4e660 in tparam_internal (data="" string=<optimized out>, tps=0x5564fbb35170) at ../../ncurses/tinfo/lib_tparm.c:819
#2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at ../../ncurses/tinfo/lib_tparm.c:1207
#3 0x00007fb515d7a5f8 in onscreen_mvcur (sp=sp@entry=0x5564fbb34a10, yold=yold@entry=-1, xold=xold@entry=56, ynew=ynew@entry=7, xnew=xnew@entry=0, ovw=ovw@entry=1, myOutCh=0x7fb515d4fb20 <_nc_outch_sp>)
    at ../../ncurses/tty/lib_mvcur.c:795
#4 0x00007fb515d7ace4 in _nc_real_mvcur (sp=sp@entry=0x5564fbb34a10, yold=-1, xold=<optimized out>, ynew=7, xnew=0, myOutCh=0x7fb515d4fb20 <_nc_outch_sp>, ovw=1) at ../../ncurses/tty/lib_mvcur.c:1031
#5 0x00007fb515d7b865 in _nc_real_mvcur (ovw=1, myOutCh=<optimized out>, xnew=xnew@entry=0, ynew=ynew@entry=-72080960, xold=<optimized out>, yold=<optimized out>, sp=sp@entry=0x5564fbb34a10)
    at ../../ncurses/tty/lib_mvcur.c:1066
#6 _nc_mvcur_sp (sp=sp@entry=0x5564fbb34a10, yold=<optimized out>, xold=<optimized out>, ynew=ynew@entry=7, xnew=xnew@entry=0) at ../../ncurses/tty/lib_mvcur.c:1055
#7 0x00007fb515d87821 in GoTo (col=0, row=7, sp=0x5564fbb34a10) at ../../ncurses/tty/tty_update.c:204
#8 TransformLine (sp=sp@entry=0x5564fbb34a10, lineno=lineno@entry=7) at ../../ncurses/tty/tty_update.c:1517
#9 0x00007fb515d88c1d in ClrUpdate (sp=0x5564fbb34a10) at ../../ncurses/tty/tty_update.c:1142
#10 doupdate_sp (sp=sp@entry=0x5564fbb34a10) at ../../ncurses/tty/tty_update.c:992
#11 0x00007fb515d7d624 in wrefresh (win=0x5564fbb45af0) at ../../ncurses/base/lib_refresh.c:66
#12 0x00005564fa72859f in main (argc=<optimized out>, argv=<optimized out>) at slabtop.c:362
(gdb) f 1
#1 0x00007fb515d4e660 in tparam_internal (data="" string=<optimized out>, tps=0x5564fbb35170) at ../../ncurses/tinfo/lib_tparm.c:819
819 save_number(tps, TPS(fmt_buff), x, len);
(gdb) p tps->fmt_buff
$1 = 0x0
(gdb)
There are two solutions which could fix the crash:
Solution 1: add a check for fmt_buff and fmt_size before typeRealloc, patch: solution1-for-problems1.patch
Solution 2: add a check for fmt_buff before use, patch: solutions2-for-problem1.patch
2. Problem 2
The shift is too large, and memmove crashes because of an out-of-bounds read.
bt:
Core was generated by `/usr/bin/slabtop -d 5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:397
397 movq -8(%rsi,%rdx), %rcx
(gdb) bt
#0 __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:397
#1 0x00007f2d22d71f9d in memmove (__len=8, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:36
#2 _nc_scroll_oldhash_sp (sp=sp@entry=0x557fb13b6a10, n=n@entry=21886, top=top@entry=1, bot=bot@entry=21887) at ../../ncurses/tty/hashmap.c:452
#3 0x00007f2d22d85c8a in _nc_scrolln_sp (sp=sp@entry=0x557fb13b6a10, n=21886, top=1, bot=21887, maxy=<optimized out>) at ../../ncurses/tty/tty_update.c:2130
#4 0x00007f2d22d7131b in _nc_scroll_optimize_sp (sp=sp@entry=0x557fb13b6a10) at ../../ncurses/tty/hardscroll.c:244
#5 0x00007f2d22d88d06 in doupdate_sp (sp=sp@entry=0x557fb13b6a10) at ../../ncurses/tty/tty_update.c:1004
#6 0x00007f2d22d7d5e4 in wrefresh (win=0x557fb13c7af0) at ../../ncurses/base/lib_refresh.c:66
#7 0x0000557fb0b4d59f in main (argc=<optimized out>, argv=<optimized out>) at slabtop.c:362
(gdb) f 2
#2 _nc_scroll_oldhash_sp (sp=sp@entry=0x557fb13b6a10, n=n@entry=21886, top=top@entry=1, bot=bot@entry=21887) at ../../ncurses/tty/hashmap.c:452
452 memmove(oldhash(SP_PARM) + top, oldhash(SP_PARM) + top + n, size);
(gdb) p sp->oldhash
$1 = (unsigned long *) 0x557fb13d8950
(gdb) p sp->newhash
$2 = (unsigned long *) 0x0
(gdb) p *(sp->oldhash +1)
$3 = 0
(gdb) p *(sp->oldhash +21886)
Cannot access memory at address 0x557fb1403540
(gdb)
dmesg:
[98210.240032] slabtop[267465]: segfault at 557fb1403548 ip 00007f2d22cc3a7f sp 00007ffd41f333e8 error 4 in libc.so.6[7f2d22b60000+171000]
[98210.240042] Code: 80 fa 01 77 43 72 05 0f b6 0e 88 0f c3 62 e1 fe 08 6f 06 62 e1 fe 08 6f 4c 16 ff 62 e1 fe 08 7f 07 62 e1 fe 08 7f 4c 17 ff c3 <48> 8b 4c 16 f8 48 8b 36 48 89 4c 17 f8 48 89 37 c3 8b 4c 16 fc 8b

There are two solutions which will fix the crash.
Solution 1: check oldhash and newhash to avoid using a random shift, patch: solutions1-for-problems2.patch
Solution 2: change void _nc_hash_map to int _nc_hash_map to avoid using a random shift, patch: solutions2-for-problems2.patch
3. Problem 3
The malloc for myname fails, and then strlen(myname) causes a coredump.
bt:
Core was generated by `/usr/bin/slabtop -d 5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
78 VPCMP $0, (%rdi), %YMMZERO, %k0
(gdb) bt
#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
#1 0x00007fda0d1585f3 in _nc_setupterm (tname=0x55770b37d3b0 "xterm", Filedes=1, errret=0x7ffe562a1b44, reuse=0) at ../../ncurses/tinfo/lib_setup.c:683
#2 0x00007fda0d18f121 in newterm_sp (sp=0x55770b37da10, name=0x55770b37d3b0 "xterm", ofp=0x7fda0d1335a0 <_IO_2_1_stdout_>, ifp=0x7fda0d1328c0 <_IO_2_1_stdin_>) at ../../ncurses/base/lib_newterm.c:212
#3 0x00007fda0d18f5ff in newterm (name=0x55770b37d3b0 "xterm", ofp=0x7fda0d1335a0 <_IO_2_1_stdout_>, ifp=0x7fda0d1328c0 <_IO_2_1_stdin_>) at ../../ncurses/base/lib_newterm.c:367
#4 0x00007fda0d189aa1 in initscr () at ../../ncurses/base/lib_initscr.c:93
#5 0x00005577094526dc in main (argc=3, argv=<optimized out>) at slabtop.c:317
(gdb) f 1
#1 0x00007fda0d1585f3 in _nc_setupterm (tname=0x55770b37d3b0 "xterm", Filedes=1, errret=0x7ffe562a1b44, reuse=0) at ../../ncurses/tinfo/lib_setup.c:683
683 if (strlen(myname) > MAX_NAME_SIZE) {
(gdb) l 680
675 if (!NonEmpty(tname)) {
676 T(("Failure with TERM=%s", NonNull(tname)));
677 ret_error0(TGETENT_ERR, "TERM environment variable not set.\n");
678 }
679 #endif
680 }
681 myname = strdup(tname);
682
683 if (strlen(myname) > MAX_NAME_SIZE) {
684 ret_error(TGETENT_ERR,
(gdb) p myname
$1 = 0x0
(gdb)

Here is the solution.
Solution: add a check for myname before use, patch: add-check-for-myname.patch


If there are any other ways to fix these problems, that would be better.

Looking forward to your reply, thanks.




eaglegai
eaglegai@163.com

Attachment: solution1-for-problems1.patch
Description: Binary data

Attachment: solutions2-for-problem1.patch
Description: Binary data

Attachment: solutions2-for-problems2.patch
Description: Binary data

Attachment: add-check-for-myname.patch
Description: Binary data
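Problems 1 and 3 above have the same shape: an allocation (typeRealloc of fmt_buff, strdup of myname) fails, nobody checks the result, and the next strlen() dereferences NULL. The following is an added example, not ncurses code and not one of the attached patches: a tiny allocation-failure injector of the kind used to provoke such crashes, together with a version of each pattern that checks the pointer before using it. xrealloc, xstrdup, copy_term_name, append_fmt and check_injection are hypothetical stand-ins for the ncurses routines in the backtraces, MAX_NAME_SIZE is an assumed value, and the capability pieces are constructed input.

```c
/* Added example, not ncurses code: an allocation-failure injector plus
 * the "check the pointer before using it" pattern the report asks for.
 * xrealloc, xstrdup, copy_term_name, append_fmt and check_injection are
 * hypothetical stand-ins for the ncurses paths in the backtraces, and
 * MAX_NAME_SIZE is an assumed value. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_SIZE 512               /* assumed limit, for illustration */

/* Fault injection: with alloc_fail_after >= 0, the allocation with that
 * index and every later one returns NULL, mimicking ENOMEM. */
static int alloc_fail_after = -1;
static int alloc_calls = 0;

static void *xrealloc(void *p, size_t n)
{
    if (alloc_fail_after >= 0 && alloc_calls++ >= alloc_fail_after)
        return NULL;
    return realloc(p, n);
}

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = xrealloc(NULL, n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Problem 3 shape: strdup() the TERM name, then strlen() the copy.  The
 * NULL test is the check the report's patch adds; -1 means "no copy". */
int copy_term_name(const char *tname, char **out)
{
    char *myname = xstrdup(tname);
    *out = NULL;
    if (myname == NULL)
        return -1;
    if (strlen(myname) > MAX_NAME_SIZE) {
        free(myname);
        return -1;
    }
    *out = myname;
    return 0;
}

/* Problem 1 shape: a format buffer grown with realloc and then read with
 * strlen().  The new pointer replaces the old one only when the
 * allocation succeeded, so a failed growth leaves the old buffer intact
 * and returns -1 instead of dereferencing NULL later. */
struct fmt_state { char *fmt_buff; size_t fmt_size; };

int append_fmt(struct fmt_state *st, const char *piece)
{
    size_t have = st->fmt_buff ? strlen(st->fmt_buff) : 0;
    size_t need = have + strlen(piece) + 1;

    if (st->fmt_buff == NULL || need > st->fmt_size) {
        size_t new_size = need * 2;
        char *p = xrealloc(st->fmt_buff, new_size);
        if (p == NULL)
            return -1;                  /* old fmt_buff is still valid */
        if (st->fmt_buff == NULL)
            p[0] = '\0';
        st->fmt_buff = p;
        st->fmt_size = new_size;
    }
    memcpy(st->fmt_buff + have, piece, strlen(piece) + 1);
    return 0;
}

/* Run both routines with allocation number fail_after (and all later ones)
 * failing; -1 disables injection.  Returns the number of operations that
 * reported failure when the surviving format buffer equals expected_fmt,
 * or -1 when it does not ("" stands for no buffer at all). */
int check_injection(int fail_after, const char *expected_fmt)
{
    static const char *pieces[] = { "%p1%d", "%p2%d", "%;" }; /* constructed */
    struct fmt_state st = { NULL, 0 };
    char *name = NULL;
    int failures = 0, matched;
    size_t i;

    alloc_calls = 0;
    alloc_fail_after = fail_after;
    if (copy_term_name("xterm", &name) != 0)
        failures++;
    for (i = 0; i < sizeof pieces / sizeof pieces[0]; i++)
        if (append_fmt(&st, pieces[i]) != 0)
            failures++;
    alloc_fail_after = -1;

    matched = strcmp(st.fmt_buff ? st.fmt_buff : "", expected_fmt) == 0;
    free(name);
    free(st.fmt_buff);
    return matched ? failures : -1;
}
```

Sweeping fail_after from 0 upwards is the usual way to walk every allocation site in a code path; each run must end with an error return, never a SIGSEGV. Note that append_fmt keeps the old buffer when realloc fails, which is the half of the fix that a bare NULL check after typeRealloc misses: assigning the result straight back into fmt_buff would leak the old block as well as leave a NULL behind.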
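Problem 2 is different in kind: the memmove at hashmap.c:452 was handed n=21886 and bot=21887 for a screen nowhere near that tall, while newhash was NULL. The following added example, not ncurses code and not the attached patch, shows the bounds checks a line-hash scroll needs before it is allowed to memmove: reject a NULL array, reject top/bot outside the array, and reject a shift larger than the region. scroll_hash_rows and hash_after_scroll are hypothetical names, and the 8-row array is constructed input.

```c
/* Added example, not ncurses code: a bounds-checked version of the
 * "memmove(oldhash + top, oldhash + top + n, size)" shape from problem 2.
 * scroll_hash_rows and hash_after_scroll are hypothetical names; the
 * 8-row hash array is constructed input. */
#include <stddef.h>
#include <string.h>

#define DEMO_ROWS 8                      /* constructed screen height */

/* Scroll rows top..bot of hash (rows entries) up by n lines, the way a
 * line-hash cache is shifted after a hardware scroll.  Rejects, with -1,
 * a NULL array (its allocation failed) and any top/bot/n that would make
 * memmove read or write outside the array; vacated rows are zeroed. */
int scroll_hash_rows(unsigned long *hash, int rows, int n, int top, int bot)
{
    int height;

    if (hash == NULL || rows <= 0)
        return -1;
    if (top < 0 || bot >= rows || top > bot)
        return -1;
    height = bot - top + 1;
    if (n <= 0 || n > height)
        return -1;
    if (n < height)
        memmove(hash + top, hash + top + n,
                (size_t)(height - n) * sizeof(unsigned long));
    memset(hash + bot - n + 1, 0, (size_t)n * sizeof(unsigned long));
    return 0;
}

/* Build the constructed array {0,1,...,7}, apply a scroll, and return the
 * value now at row; returns ~0UL when the scroll was rejected. */
unsigned long hash_after_scroll(int row, int n, int top, int bot)
{
    unsigned long hash[DEMO_ROWS];
    int i;

    for (i = 0; i < DEMO_ROWS; i++)
        hash[i] = (unsigned long)i;
    if (scroll_hash_rows(hash, DEMO_ROWS, n, top, bot) != 0)
        return ~0UL;
    return (row >= 0 && row < DEMO_ROWS) ? hash[row] : ~0UL;
}

/* The arguments from the report's backtrace (n=21886, top=1, bot=21887)
 * against an 8-row array, and a NULL array: both rejected instead of a
 * wild memmove.  Returns 1 when both are refused. */
int report_args_rejected(void)
{
    unsigned long hash[DEMO_ROWS] = { 0 };
    return scroll_hash_rows(hash, DEMO_ROWS, 21886, 1, 21887) == -1
        && scroll_hash_rows(NULL, DEMO_ROWS, 1, 1, 2) == -1;
}
```

The point of validating against the real row count rather than trusting the caller is that, in the crash, the out-of-range n and bot were themselves the product of an earlier failed allocation; a check at the memmove is the last line of defence, whichever earlier step produced the garbage.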

