
From: Eduardo A . Bustamante López
Subject: Re: Invalid byte sequence under UTF-8 locale generates a segmentation fault when using printf %q (ansic_quote)
Date: Thu, 13 Feb 2014 11:32:11 -0800
User-agent: Mutt/1.5.21 (2010-09-15)

On Thu, Feb 13, 2014 at 11:37:27AM -0500, Chet Ramey wrote:
> On 2/13/14 11:33 AM, Eduardo A. Bustamante López wrote:
> > Using an invalid byte sequence with printf %q segfaults bash, for a
> > UTF-8 locale.
> http://lists.gnu.org/archive/html/bug-bash/2014-02/msg00033.html

Uhm, apparently the patch doesn't fix the issue entirely. It did fix
the issue for the original payload, but I tested with new payloads,
and it still fails. Found three ways to trigger it:

address@hidden:~/nbug$ ls
command-name  invalid-bytes  payloads  printf-q  quote.patch  set-x
address@hidden:~/nbug$ cat command-name 
address@hidden:~/nbug$ cat printf-q 
printf %q "$payload"
address@hidden:~/nbug$ cat set-x 
(set -x; : "$payload")
address@hidden:~/nbug$ gdb ~/local/bin/bash
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /home/dualbus/local/bin/bash...done.
(gdb) r ./printf-q
Starting program: /home/dualbus/local/bin/bash ./printf-q

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b4ba6 in ansic_quote (str=0x7b0ec8 '3' <repeats 200 times>..., 
flags=0, rlen=0x0) at strtrans.c:279
279             *r++ = c;
(gdb) bt
#0  0x00000000004b4ba6 in ansic_quote (str=0x7b0ec8 '3' <repeats 200 times>..., 
flags=0, rlen=0x0) at strtrans.c:279
#1  0x00000000004a4121 in printf_builtin (list=0x7b0dc8) at ./printf.def:567
#2  0x0000000000440e37 in execute_builtin (builtin=0x4a2e64 <printf_builtin>, 
words=0x7b0d88, flags=0, subshell=0)
    at execute_cmd.c:4337
#3  0x0000000000441a4a in execute_builtin_or_function (words=0x7b0d88, 
builtin=0x4a2e64 <printf_builtin>, var=0x0, redirects=0x0, 
    fds_to_close=0x7b0ba8, flags=0) at execute_cmd.c:4758
#4  0x00000000004408e8 in execute_simple_command (simple_command=0x7b0708, 
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x7b0ba8)
    at execute_cmd.c:4161
#5  0x000000000043a796 in execute_command_internal (command=0x7b0788, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x7b0ba8)
    at execute_cmd.c:787
#6  0x0000000000439d44 in execute_command (command=0x7b0788) at 
#7  0x00000000004255e1 in reader_loop () at eval.c:160
#8  0x0000000000423431 in main (argc=2, argv=0x7fffffffeab8, 
env=0x7fffffffead0) at shell.c:755
(gdb) list
274             }
275           if (l)
276             *r++ = '\\';
278           if (clen == 1)
279             *r++ = c;
280           else
281             {
282               for (b = 0; b < (int)clen; b++)
283                 *r++ = (unsigned char)s[b];
284               s += clen - 1;        /* -1 because of the increment above */
285             }
286         }
288       *r++ = '\'';
289       *r = '\0';
290       if (rlen)
291         *rlen = r - ret;
292       return ret;
293     }
(gdb) info locals
r = 0x7b2000 <Address 0x7b2000 out of bounds>
ret = 0x7b0e48 "$'5\\247@", '3' <repeats 192 times>...
s = 0x7b1fff "3" <Address 0x7b2000 out of bounds>
l = 0
rsize = 56
c = 51 '3'
clen = 1
b = 1
wc = 64 L'@'
(gdb) quit
A debugging session is active.

        Inferior 1 [process 2017] will be killed.

Quit anyway? (y or n) y

As you can see from the gdb list command, the patch has been applied,
and it still shows the issue. If you are interested, I have a list of
payloads that trigger the bug differently for each of the three
tests (some segfault, some not).

You have to ''set follow-fork-mode child'' for the command-name
example to trace it in gdb.

Eduardo Alan Bustamante López
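Added example, not bash's code and not part of Chet's patch: the locals above show r at 0x7b2000 (already out of bounds) against rsize = 56, and s walking memory well past the original string, so whatever the remaining trigger is, the property an escaper like ansic_quote has to keep is twofold: every write lands inside a buffer sized for the worst-case expansion, and the input cursor moves forward by exactly the number of bytes just consumed. The C below illustrates that pattern in a self-contained way: a locale-independent UTF-8 check standing in for mbrtowc (so it runs without a UTF-8 locale installed), a 4*len+4 worst-case bound, a writer that refuses rather than overruns, and a one-line demonstration of what the listing's `s += clen - 1` step does if a (size_t)-1 or (size_t)-2 error value reaches it through an int cast. Function names, the escaping rules and the payload bytes are assumptions for illustration.

```c
/* Added example, not bash's code: a bounds-checked $'...' quoter for bytes
 * that may not be valid UTF-8.  It keeps the invariant the crash above
 * breaks (r never passes ret + rsize).  utf8_seqlen() is a locale-free
 * stand-in for mbrtowc(); the escape rules are simplified assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length (1..4) of the complete, well-formed UTF-8 sequence at s given n
 * bytes; 0 where mbrtowc() would return (size_t)-1 (invalid) or (size_t)-2
 * (truncated).  The caller then escapes exactly one byte and moves on. */
static size_t utf8_seqlen(const unsigned char *s, size_t n)
{
    size_t len;
    unsigned long cp;
    if (n == 0) return 0;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) { len = 2; cp = s[0] & 0x1F; }
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { len = 3; cp = s[0] & 0x0F; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { len = 4; cp = s[0] & 0x07; }
    else return 0;                   /* stray continuation, C0/C1, F5..FF */
    if (n < len) return 0;           /* cut off by the end of the input */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 3 && cp < 0x800) || (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)))
        return 0;                    /* overlong or beyond U+10FFFF */
    return (cp >= 0xD800 && cp <= 0xDFFF) ? 0 : len;   /* no surrogates */
}

/* Worst case: each input byte becomes a 4-char "\ooo" escape, plus "$'",
 * the closing "'" and the NUL.  The output allocation must honour this. */
size_t ansic_quote_bound(size_t len) { return 4 * len + 4; }

/* Hazard in the listing's `s += clen - 1` idiom: a mbrtowc() error value
 * pushed through an int cast moves the read cursor backwards, not forwards. */
long signed_step(size_t clen) { return (long)(int)clen - 1; }

/* Append c to out[0..cap); refuse (return 0) rather than overrun. */
static int put(char *out, size_t cap, size_t *pos, char c)
{
    if (*pos >= cap) return 0;
    out[(*pos)++] = c;
    return 1;
}

/* Quote s[0..len) as $'...' into out[0..cap).  Returns 1 and sets *rlen
 * (length without the NUL) on success; 0 if cap is too small, in which
 * case nothing at or beyond out[cap] has been written. */
int ansic_quote_into(const unsigned char *s, size_t len,
                     char *out, size_t cap, size_t *rlen)
{
    size_t pos = 0, i = 0;
    int ok = put(out, cap, &pos, '$') && put(out, cap, &pos, '\'');
    while (ok && i < len) {
        size_t clen = utf8_seqlen(s + i, len - i);
        unsigned char c = s[i];
        if (clen > 1) {              /* valid multibyte: copy verbatim */
            for (size_t b = 0; ok && b < clen; b++)
                ok = put(out, cap, &pos, (char)s[i + b]);
            i += clen;               /* advance by the validated length only */
        } else {
            if (clen == 1 && c >= 0x20 && c < 0x7F && c != '\'' && c != '\\')
                ok = put(out, cap, &pos, (char)c);
            else if (c == '\'' || c == '\\')
                ok = put(out, cap, &pos, '\\') && put(out, cap, &pos, (char)c);
            else {                   /* control, NUL, invalid or truncated byte */
                char esc[5];
                snprintf(esc, sizeof esc, "\\%03o", (unsigned)c);
                for (int k = 0; ok && k < 4; k++) ok = put(out, cap, &pos, esc[k]);
            }
            i++;                     /* one byte consumed, always forward */
        }
    }
    ok = ok && put(out, cap, &pos, '\'') && put(out, cap, &pos, '\0');
    if (rlen) *rlen = ok ? pos - 1 : 0;
    return ok;
}

/* malloc-sized wrapper; NULL on allocation failure or a violated bound. */
char *ansic_quote_bounded(const unsigned char *s, size_t len, size_t *rlen)
{
    size_t cap = ansic_quote_bound(len);
    char *out = malloc(cap);
    if (out && !ansic_quote_into(s, len, out, cap, rlen)) { free(out); return NULL; }
    return out;
}

int main(void)
{
    /* Constructed payload in the spirit of the "$'5\247@..." buffer above:
     * a stray continuation byte 0xA7 among plain ASCII. */
    const unsigned char payload[] = { '5', 0xA7, '@', '3', '3' };
    size_t n = 0;
    char *q = ansic_quote_bounded(payload, sizeof payload, &n);
    if (q) printf("%s  (%zu bytes, bound %zu)\n", q, n, ansic_quote_bound(sizeof payload));
    free(q);
    return 0;
}
```

The signed_step() line is a property of the idiom, not a diagnosis of which of the three payloads still crashes; with the payload files not reproduced in the mail, that question stays with the thread. Taking an explicit length instead of calling strlen() is what lets the quoter treat an embedded NUL like any other byte rather than as the end of the input.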
