bug-ncurses

Re: [Bug report] coredump when ncurses allocated fail


From: Thomas Dickey
Subject: Re: [Bug report] coredump when ncurses allocated fail
Date: Mon, 19 Jun 2023 14:49:34 -0400

On Mon, Jun 19, 2023 at 09:45:18PM +0800, eaglegai wrote:
> hi,
> I'm doing some tests on ncurses, and found some problems.

This is missing some information:

a) what version (and patch-date)?

b) there's no sample program provided to demonstrate the problems
 
Without that, no one can analyze the problems :-)

> 1. Problem 1
> fmt_buff is NULL, then strlen(fmt_buff) causes a coredump.
> bt1:
> Core was generated by `/usr/bin/slabtop -d 5'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> 78 VPCMP $0, (%rdi), %YMMZERO, %k0
> (gdb) bt
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> #1 0x00007f54758aa660 in tparam_internal (data=0x7ffea5f53cd0, 
> string=<optimized out>, tps=0x55e6f6c33170) at ../../ncurses/tinfo/lib_
> #2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at 
> ../../ncurses/tinfo/lib_tparm.c:1207
> #3 0x00007f54758e25ac in EmitRange (sp=sp@entry=0x55e6f6c32a10, 
> ntext=0x55e6f6c402ac, num=19) at ../../ncurses/tty/tty_update.c:651
> #4 0x00007f54758e2ee9 in PutRange (last=<optimized out>, first=<optimized 
> out>, row=<optimized out>, ntext=<optimized out>, otext=<opt
>     at ../../ncurses/tty/tty_update.c:716
> #5 PutRange (sp=0x55e6f6c32a10, otext=<optimized out>, ntext=0x55e6f6c401c0, 
> row=6, first=<optimized out>, last=<optimized out>) at ..
> #6 0x00007f54758e3baa in TransformLine (sp=sp@entry=0x55e6f6c32a10, 
> lineno=lineno@entry=6) at ../../ncurses/tty/tty_update.c:1584
> #7 0x00007f54758e4c1d in ClrUpdate (sp=0x55e6f6c32a10) at 
> ../../ncurses/tty/tty_update.c:1142
> #8 doupdate_sp (sp=sp@entry=0x55e6f6c32a10) at 
> ../../ncurses/tty/tty_update.c:992
> #9 0x00007f54758d9624 in wrefresh (win=0x55e6f6c43af0) at 
> ../../ncurses/base/lib_refresh.c:66
> #10 0x000055e6f576759f in main (argc=<optimized out>, argv=<optimized out>) 
> at slabtop.c:362
> (gdb) f 1
> #1 0x00007f54758aa660 in tparam_internal (data=0x7ffea5f53cd0, 
> string=<optimized out>, tps=0x55e6f6c33170) at ../../ncurses/tinfo/lib_
> 819 save_number(tps, TPS(fmt_buff), x, len);
> (gdb) p tps->fmt_buff
> $1 = 0x0
> (gdb)
> bt2:
> Core was generated by `/usr/bin/slabtop -d 5'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> 78 VPCMP $0, (%rdi), %YMMZERO, %k0
> (gdb) bt
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> #1 0x00007f9f25f1e660 in tparam_internal (data=0x7ffec901e650, 
> string=<optimized out>, tps=0x55b7081ac170)
>     at ../../ncurses/tinfo/lib_tparm.c:819
> #2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at 
> ../../ncurses/tinfo/lib_tparm.c:1207
> #3 0x00007f9f25f4b60b in _nc_mvcur_init_sp (sp=0x55b7081aba10) at 
> ../../ncurses/tty/lib_mvcur.c:430
> #4 0x00007f9f25f4b81f in _nc_mvcur_init () at 
> ../../ncurses/tty/lib_mvcur.c:465
> #5 0x00007f9f25f4bcb5 in newterm_sp (sp=<optimized out>, 
> name=name@entry=0x55b7081ab3b0 "xterm",
>     ofp=ofp@entry=0x7f9f25ef65a0 <_IO_2_1_stdout_>, 
> ifp=ifp@entry=0x7f9f25ef58c0 <_IO_2_1_stdin_>)
>     at ../../ncurses/base/lib_newterm.c:343
> #6 0x00007f9f25f4bfa9 in newterm (name=name@entry=0x55b7081ab3b0 "xterm", 
> ofp=0x7f9f25ef65a0 <_IO_2_1_stdout_>,
>     ifp=0x7f9f25ef58c0 <_IO_2_1_stdin_>) at 
> ../../ncurses/base/lib_newterm.c:367
> #7 0x00007f9f25f47fd0 in initscr () at ../../ncurses/base/lib_initscr.c:93
> #8 0x000055b7079c96dc in main (argc=3, argv=<optimized out>) at slabtop.c:317
> (gdb) f 1
> #1 0x00007f9f25f1e660 in tparam_internal (data=0x7ffec901e650, 
> string=<optimized out>, tps=0x55b7081ac170)
>     at ../../ncurses/tinfo/lib_tparm.c:819
> 819 save_number(tps, TPS(fmt_buff), x, len);
> (gdb) p tps->fmt_buff
> $1 = 0x0
> (gdb)
> bt3:
> Core was generated by `/usr/bin/slabtop -d 5'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> 78 VPCMP $0, (%rdi), %YMMZERO, %k0
> (gdb) bt
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> #1 0x00007fb515d4e660 in tparam_internal (data=0x7fffb28aee30, 
> string=<optimized out>, tps=0x5564fbb35170) at 
> ../../ncurses/tinfo/lib_tparm.c:819
> #2 _nc_tiparm (expected=expected@entry=2, string=<optimized out>) at 
> ../../ncurses/tinfo/lib_tparm.c:1207
> #3 0x00007fb515d7a5f8 in onscreen_mvcur (sp=sp@entry=0x5564fbb34a10, 
> yold=yold@entry=-1, xold=xold@entry=56, ynew=ynew@entry=7, xnew=xnew@entry=0, 
> ovw=ovw@entry=1, myOutCh=0x7fb515d4fb20 <_nc_outch_sp>)
>     at ../../ncurses/tty/lib_mvcur.c:795
> #4 0x00007fb515d7ace4 in _nc_real_mvcur (sp=sp@entry=0x5564fbb34a10, yold=-1, 
> xold=<optimized out>, ynew=7, xnew=0, myOutCh=0x7fb515d4fb20 <_nc_outch_sp>, 
> ovw=1) at ../../ncurses/tty/lib_mvcur.c:1031
> #5 0x00007fb515d7b865 in _nc_real_mvcur (ovw=1, myOutCh=<optimized out>, 
> xnew=xnew@entry=0, ynew=ynew@entry=-72080960, xold=<optimized out>, 
> yold=<optimized out>, sp=sp@entry=0x5564fbb34a10)
>     at ../../ncurses/tty/lib_mvcur.c:1066
> #6 _nc_mvcur_sp (sp=sp@entry=0x5564fbb34a10, yold=<optimized out>, 
> xold=<optimized out>, ynew=ynew@entry=7, xnew=xnew@entry=0) at 
> ../../ncurses/tty/lib_mvcur.c:1055
> #7 0x00007fb515d87821 in GoTo (col=0, row=7, sp=0x5564fbb34a10) at 
> ../../ncurses/tty/tty_update.c:204
> #8 TransformLine (sp=sp@entry=0x5564fbb34a10, lineno=lineno@entry=7) at 
> ../../ncurses/tty/tty_update.c:1517
> #9 0x00007fb515d88c1d in ClrUpdate (sp=0x5564fbb34a10) at 
> ../../ncurses/tty/tty_update.c:1142
> #10 doupdate_sp (sp=sp@entry=0x5564fbb34a10) at 
> ../../ncurses/tty/tty_update.c:992
> #11 0x00007fb515d7d624 in wrefresh (win=0x5564fbb45af0) at 
> ../../ncurses/base/lib_refresh.c:66
> #12 0x00005564fa72859f in main (argc=<optimized out>, argv=<optimized out>) 
> at slabtop.c:362
> (gdb) f 1
> #1 0x00007fb515d4e660 in tparam_internal (data=0x7fffb28aee30, 
> string=<optimized out>, tps=0x5564fbb35170) at 
> ../../ncurses/tinfo/lib_tparm.c:819
> 819 save_number(tps, TPS(fmt_buff), x, len);
> (gdb) p tps->fmt_buff
> $1 = 0x0
> (gdb)
> There are two solutions which could fix the crash:
> solution 1: add a check for fmt_buff and fmt_size before typeRealloc, 
> patch: solution1-for-problems1.patch
> solution 2: add a check for fmt_buff before use, patch: 
> solutions2-for-problem1.patch
> 2. Problem 2
> The shift is too large, and memmove crashes because of an out-of-bounds read.
> bt:
> Core was generated by `/usr/bin/slabtop -d 5'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 __memmove_evex_unaligned_erms () at 
> ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:397
> 397 movq -8(%rsi,%rdx), %rcx
> (gdb) bt
> #0 __memmove_evex_unaligned_erms () at 
> ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:397
> #1 0x00007f2d22d71f9d in memmove (__len=8, __src=<optimized out>, 
> __dest=<optimized out>) at /usr/include/bits/string_fortified.h:36
> #2 _nc_scroll_oldhash_sp (sp=sp@entry=0x557fb13b6a10, n=n@entry=21886, 
> top=top@entry=1, bot=bot@entry=21887) at ../../ncurses/tty/hashmap.c:452
> #3 0x00007f2d22d85c8a in _nc_scrolln_sp (sp=sp@entry=0x557fb13b6a10, n=21886, 
> top=1, bot=21887, maxy=<optimized out>) at ../../ncurses/tty/tty_update.c:2130
> #4 0x00007f2d22d7131b in _nc_scroll_optimize_sp (sp=sp@entry=0x557fb13b6a10) 
> at ../../ncurses/tty/hardscroll.c:244
> #5 0x00007f2d22d88d06 in doupdate_sp (sp=sp@entry=0x557fb13b6a10) at 
> ../../ncurses/tty/tty_update.c:1004
> #6 0x00007f2d22d7d5e4 in wrefresh (win=0x557fb13c7af0) at 
> ../../ncurses/base/lib_refresh.c:66
> #7 0x0000557fb0b4d59f in main (argc=<optimized out>, argv=<optimized out>) at 
> slabtop.c:362
> (gdb) f 2
> #2 _nc_scroll_oldhash_sp (sp=sp@entry=0x557fb13b6a10, n=n@entry=21886, 
> top=top@entry=1, bot=bot@entry=21887) at ../../ncurses/tty/hashmap.c:452
> 452 memmove(oldhash(SP_PARM) + top, oldhash(SP_PARM) + top + n, size);
> (gdb) p sp->oldhash
> $1 = (unsigned long *) 0x557fb13d8950
> (gdb) p sp->newhash
> $2 = (unsigned long *) 0x0
> (gdb) p *(sp->oldhash +1)
> $3 = 0
> (gdb) p *(sp->oldhash +21886)
> Cannot access memory at address 0x557fb1403540
> (gdb)
> dmesg:
> [98210.240032] slabtop[267465]: segfault at 557fb1403548 ip 00007f2d22cc3a7f 
> sp 00007ffd41f333e8 error 4 in libc.so.6[7f2d22b60000+171000]
> [98210.240042] Code: 80 fa 01 77 43 72 05 0f b6 0e 88 0f c3 62 e1 fe 08 6f 06 
> 62 e1 fe 08 6f 4c 16 ff 62 e1 fe 08 7f 07 62 e1 fe 08 7f 4c 17 ff c3 <48> 8b 
> 4c 16 f8 48 8b 36 48 89 4c 17 f8 48 89 37 c3 8b 4c 16 fc 8b
> 
> 
> There are two solutions which will fix the crash.
> solution 1: check oldhash and newhash to avoid using a random shift, patch: 
> solutions1-for-problems2.patch
> solution 2: change void _nc_hash_map to int _nc_hash_map to avoid using a 
> random shift, patch: solutions2-for-problems2.patch
> 3. Problem 3
> The myname malloc fails, and then strlen(myname) causes a coredump.
> bt:
> Core was generated by `/usr/bin/slabtop -d 5'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> 78 VPCMP $0, (%rdi), %YMMZERO, %k0
> (gdb) bt
> #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:78
> #1 0x00007fda0d1585f3 in _nc_setupterm (tname=0x55770b37d3b0 "xterm", 
> Filedes=1, errret=0x7ffe562a1b44, reuse=0) at 
> ../../ncurses/tinfo/lib_setup.c:683
> #2 0x00007fda0d18f121 in newterm_sp (sp=0x55770b37da10, name=0x55770b37d3b0 
> "xterm", ofp=0x7fda0d1335a0 <_IO_2_1_stdout_>, ifp=0x7fda0d1328c0 
> <_IO_2_1_stdin_>) at ../../ncurses/base/lib_newterm.c:212
> #3 0x00007fda0d18f5ff in newterm (name=0x55770b37d3b0 "xterm", 
> ofp=0x7fda0d1335a0 <_IO_2_1_stdout_>, ifp=0x7fda0d1328c0 <_IO_2_1_stdin_>) at 
> ../../ncurses/base/lib_newterm.c:367
> #4 0x00007fda0d189aa1 in initscr () at ../../ncurses/base/lib_initscr.c:93
> #5 0x00005577094526dc in main (argc=3, argv=<optimized out>) at slabtop.c:317
> (gdb) f 1
> #1 0x00007fda0d1585f3 in _nc_setupterm (tname=0x55770b37d3b0 "xterm", 
> Filedes=1, errret=0x7ffe562a1b44, reuse=0) at 
> ../../ncurses/tinfo/lib_setup.c:683
> 683 if (strlen(myname) > MAX_NAME_SIZE) {
> (gdb) l 680
> 675 if (!NonEmpty(tname)) {
> 676 T(("Failure with TERM=%s", NonNull(tname)));
> 677 ret_error0(TGETENT_ERR, "TERM environment variable not set.\n");
> 678 }
> 679 #endif
> 680 }
> 681 myname = strdup(tname);
> 682
> 683 if (strlen(myname) > MAX_NAME_SIZE) {
> 684 ret_error(TGETENT_ERR,
> (gdb) p myname
> $1 = 0x0
> (gdb)
> 
> 
> Here is the solution.
> solution: add a check for myname before use, patch: add-check-for-myname.patch
> 
> If there are any other ways to fix these problems, that would be better.
> 
> Looking forward to your reply, thanks.
> 
> eaglegai
> eaglegai@163.com

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net

Attachment: signature.asc
Description: PGP signature
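The three crashes in the quoted report share one shape: a value returned by an allocator (typeRealloc for fmt_buff, strdup for myname) or a scroll amount (the n handed to memmove) is used before anyone checks it. The C program below is an added illustration and is not code from the report, from the patches it mentions, or from ncurses itself; the value of MAX_NAME_SIZE, the function names and the array sizes are assumptions chosen for the example. It shows the hardened form of each pattern: an allocation result tested before strlen() reads it, a realloc that keeps the old buffer when growth fails, and a hash-array shift that is refused when it would read past the end of the array. Allocation failure is injected through a function pointer so the failure path runs without actually exhausting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this example; ncurses defines its own MAX_NAME_SIZE. */
#define MAX_NAME_SIZE 512

enum { NAME_OK = 0, NAME_EMPTY = -1, NAME_TOO_LONG = -2, NAME_ALLOC_FAILED = -3 };

typedef char *(*dup_fn)(const char *);

/* Working duplicator (what strdup does), written out so the example does not
 * depend on a POSIX declaration being visible. */
static char *dup_with_malloc(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Duplicator that always fails, used to simulate an out-of-memory condition. */
static char *dup_always_fails(const char *s)
{
    (void)s;
    return NULL;
}

/* Hardened form of the sequence quoted from lib_setup.c: the duplicated name
 * is checked for NULL before strlen() is allowed to read it. On success the
 * caller owns *out and must free() it. */
int copy_term_name(const char *tname, dup_fn dup, char **out)
{
    char *myname;

    *out = NULL;
    if (tname == NULL || *tname == '\0')
        return NAME_EMPTY;

    myname = dup(tname);
    if (myname == NULL)               /* the check the report's frame lacks */
        return NAME_ALLOC_FAILED;

    if (strlen(myname) > MAX_NAME_SIZE) {
        free(myname);
        return NAME_TOO_LONG;
    }
    *out = myname;
    return NAME_OK;
}

/* Growing a format buffer: assign through a temporary so a failed realloc
 * leaves the old buffer and its recorded size intact for the caller. */
int grow_fmt_buff(char **buff, size_t *size, size_t need)
{
    char *tmp;

    if (need <= *size)
        return 0;                     /* already large enough */
    tmp = realloc(*buff, need);
    if (tmp == NULL)
        return -1;                    /* *buff and *size are unchanged */
    *buff = tmp;
    *size = need;
    return 0;
}

/* Shift rows [top, bot] of a hash array up by n entries, modelled on the
 * memmove in the report's hashmap.c frame, but refuse any request that
 * would read beyond the 'lines' entries actually allocated. */
int scroll_hash_checked(unsigned long *hash, size_t lines, int n, int top, int bot)
{
    int span;
    size_t size;

    if (hash == NULL)                 /* newhash was NULL in the report */
        return -1;
    if (top < 0 || bot < top || (size_t)bot >= lines)
        return -1;                    /* e.g. bot=21887 with a far smaller array */
    span = bot - top + 1;
    if (n <= 0 || n >= span)
        return -1;                    /* nothing sensible to move */
    size = (size_t)(span - n) * sizeof(*hash);
    memmove(hash + top, hash + top + n, size);
    return 0;
}

int main(void)
{
    char *name;
    unsigned long rows[8] = {0, 1, 2, 3, 4, 5, 6, 7};   /* constructed sample */

    printf("failing allocator -> %d\n", copy_term_name("xterm", dup_always_fails, &name));
    if (copy_term_name("xterm", dup_with_malloc, &name) == NAME_OK) {
        printf("working allocator -> %s\n", name);
        free(name);
    }
    printf("shift from the report -> %d\n", scroll_hash_checked(rows, 8, 21886, 1, 21887));
    printf("in-range shift -> %d\n", scroll_hash_checked(rows, 8, 2, 1, 6));
    return 0;
}
```

Passing the duplicator as a function pointer is only a testing convenience; the point is that every caller of an allocating routine gets a distinct error code back instead of a pointer it must not dereference, and the scroll helper validates bot against the real array length rather than trusting the caller's arithmetic.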

