
bug#28859: Segmentation fault with NULL pointer dereference in 'stty'

From: Jim Meyering
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
Date: Mon, 16 Oct 2017 10:49:32 -0700

On Mon, Oct 16, 2017 at 2:30 AM, Pádraig Brady <address@hidden> wrote:
> On 15/10/17 18:07, Jaeseung Choi wrote:
>> Dear GNU team,
>> While testing coreutils for a research purpose, we found the following
>> crash in 'stty'. Running stty with the command-line "stty eol -F AA"
>> raises a crash as below. We did not change any terminal setting, and
>> believe the bug is irrelevant to any specific terminal
>> configuration.
>> address@hidden:~$ tar -xf coreutils-8.28.tar.xz
>> address@hidden:~$ cd coreutils-8.28/
>> address@hidden:~/coreutils-8.28$ mkdir obj
>> address@hidden:~/coreutils-8.28$ cd obj
>> address@hidden:~/coreutils-8.28/obj$ ../configure --disable-nls && make
>> ...
>> address@hidden:~/coreutils-8.28/obj$ gdb ./src/stty -q
>> Reading symbols from ./src/stty...done.
>> (gdb) run eol -F AA
>> Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA
>> Program received signal SIGSEGV, Segmentation fault.
>> set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
>> <control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
>> ../src/stty.c:1695
>> 1695      else if (arg[0] == '\0' || arg[1] == '\0')
>> (gdb) x/i $rip
>> => 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
>> (gdb) info reg rbx
>> rbx            0x0      0
>> (gdb)
>> We could reproduce the bug in coreutils from version 8.27 to 8.28.
>> Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
>> But the stty program pre-built in Debian 9.1 did not crash because
>> currently 8.26 version is installed in Debian.
> This is actually an old bug which you can reproduce with -F /dev/tty.
> The attached should fix it up.

Thank you!
If it's not too hard to determine, would you please mention in the log
the commit that introduced the bug?
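An added illustration of the bug class in the report, written as hypothetical code rather than stty's own: a settings word that needs a value ("eol") is followed by an option ("-F") that consumes the next word, so the setting's arg ends up NULL, and a NULL guard has to run before arg[0] is read. The names set_control_char and apply_settings are borrowed from the backtrace only; the parsing and the "^X" notation handling here are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of applying one settings word. */
enum apply_status { APPLY_OK, APPLY_MISSING_ARG, APPLY_UNKNOWN };

/* Hypothetical control-char setter (not stty's).  Its first test is the
 * one the backtrace stops in: with arg == NULL the arg[0] read faults,
 * so the NULL check must come before it. */
static enum apply_status set_control_char(const char *arg, unsigned char *out)
{
    if (arg == NULL)                       /* the missing guard */
        return APPLY_MISSING_ARG;
    if (arg[0] == '\0' || arg[1] == '\0')  /* "" or one literal char */
        *out = (unsigned char) arg[0];
    else if (arg[0] == '^' && arg[2] == '\0')
        *out = (unsigned char) (arg[1] & 0x1f);  /* "^C" style, constructed */
    else
        return APPLY_UNKNOWN;
    return APPLY_OK;
}

/* Walk the settings words, showing how "eol -F AA" goes wrong: "-F"
 * consumes the next word as a device path, so "eol" is left without a
 * value.  A value is taken only if a following word exists and is not
 * itself an option word; otherwise arg is NULL and the setter reports it. */
static enum apply_status apply_settings(int argc, const char **argv,
                                        const char **device, unsigned char *eol)
{
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-F") == 0) {
            if (i + 1 >= argc)
                return APPLY_MISSING_ARG;
            *device = argv[++i];
        } else if (strcmp(argv[i], "eol") == 0) {
            const char *arg = (i + 1 < argc && argv[i + 1][0] != '-')
                              ? argv[++i] : NULL;
            enum apply_status st = set_control_char(arg, eol);
            if (st != APPLY_OK)
                return st;
        } else {
            return APPLY_UNKNOWN;
        }
    }
    return APPLY_OK;
}
```

With the report's words `eol -F AA`, apply_settings returns APPLY_MISSING_ARG instead of faulting; with `-F AA eol ^C` it sets the device to "AA" and eol to 3.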
