bug-wget

Re: [Bug-wget] Segfault when padding is negative


From: Tim Ruehsen
Subject: Re: [Bug-wget] Segfault when padding is negative
Date: Tue, 23 Feb 2016 12:09:15 +0100
User-agent: KMail/4.14.10 (Linux/4.3.0-1-amd64; KDE/4.14.14; x86_64; ; )

Thanks for feedback.

Just want to mention that you won't need docker.
'stty cols x' is enough to reproduce the crash. 'x' must be low enough
(somewhere around 40 here).

Tim

On Tuesday 23 February 2016 03:36:10 Lauchlin Wilkinson wrote:
> Hi Darshit,
> 
> Patch works perfectly.
> 
> To reproduce the problem you can do the following:
> 
> docker run --rm -ti fedora:23 /bin/bash
> yum -y install wget
> stty cols 40
> wget http://www.gnu.org/
> 
> I've pasted some output from the above commands below.
> 
> I guess if you just run this on any machine with wget 1.17.1 with stty cols
> set to 40 you'd see the same behaviour.
> 
> Thanks,
> 
> Lauchlin
> 
> docker run --rm -ti fedora:23 /bin/bash
> address@hidden /]# yum -y install wget
> Yum command has been deprecated, redirecting to '/usr/bin/dnf -y install
> wget'.
> See 'man dnf' and 'man yum2dnf' for more information.
> To transfer transaction metadata from yum to DNF, run:
> 'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'
> 
> Fedora 23 - x86_64 - Updates                    2.6 MB/s |  19 MB     00:07
> Fedora 23 - x86_64                              5.4 MB/s |  43 MB     00:07
> Last metadata expiration check performed 0:00:19 ago on Tue Feb 23 03:31:49 2016.
> Dependencies resolved.
> ================================================================================
>  Package        Arch        Version            Repository       Size
> ================================================================================
> Installing:
>  libicu         x86_64      54.1-5.fc23        fedora          8.4 M
>  libpsl         x86_64      0.7.0-5.fc23       fedora           52 k
>  wget           x86_64      1.17.1-1.fc23      updates         640 k
> 
> Transaction Summary
> ================================================================================
> Install  3 Packages
> 
> Total download size: 9.0 M
> Installed size: 32 M
> Downloading Packages:
> (1/3): wget-1.17.1-1.fc23.x86_64.rpm            548 kB/s | 640 kB     00:01
> (2/3): libpsl-0.7.0-5.fc23.x86_64.rpm            27 kB/s |  52 kB     00:01
> (3/3): libicu-54.1-5.fc23.x86_64.rpm            1.8 MB/s | 8.4 MB     00:04
> --------------------------------------------------------------------------------
> Total                                           1.1 MB/s | 9.0 MB     00:08
> Running transaction check
> Transaction check succeeded.
> Running transaction test
> Transaction test succeeded.
> Running transaction
>   Installing  : libicu-54.1-5.fc23.x86_64                                   1/3
>   Installing  : libpsl-0.7.0-5.fc23.x86_64                                  2/3
>   Installing  : wget-1.17.1-1.fc23.x86_64                                   3/3
>   Verifying   : wget-1.17.1-1.fc23.x86_64                                   1/3
>   Verifying   : libpsl-0.7.0-5.fc23.x86_64                                  2/3
>   Verifying   : libicu-54.1-5.fc23.x86_64                                   3/3
> 
> Installed:
>   libicu.x86_64 54.1-5.fc23    libpsl.x86_64 0.7.0-5.fc23    wget.x86_64 1.17.1-1.fc23
> 
> Complete!
> address@hidden /]# stty cols 40
> nu.org/e2b3bf32633 /]# wget http://www.g
> --2016-02-23 03:32:58--  http://www.gnu.org/
> Resolving www.gnu.org (www.gnu.org)... 208.118.235.148, 2001:4830:134:3::a
> Connecting to www.gnu.org (www.gnu.org)|208.118.235.148|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [text/html]
> Saving to: 'index.html'
> 
> index.html        16.55K  21.1KB/s          Segmentation fault (core dumped)
> address@hidden /]# exit
> 
> On Tue, 23 Feb 2016 at 01:10 Darshit Shah <address@hidden> wrote:
> > I've attached a small patch to this mail. Kindly test it out if possible and
> > let us know if it works.
> > 
> > Also, it would be nice if you could provide a way for us to replicate the
> > issue, so that we can understand the specific condition causing it.
> > 
> > On 02/22, Lauchlin Wilkinson wrote:
> > >Hi,
> > >
> > >
> > >recently I've come across a bug where wget is segfaulting when it reaches a
> > >condition in process.c line 1167.  Namely it seems that somehow padding is
> > >being set to a negative value which is then being used in memset and thus
> > >causing the segfault.  It is a bit tricky to reproduce the problem as I can
> > >only seem to trigger the crash when wget is getting called via ssh from a
> > >shell script as part of a packer.io provisioner step.  I'm guessing it has
> > >something to do with the way the ssh session is setting the pty options to
> > >do with width and height of the terminal.  Even if the settings are odd,
> > >I'm thinking that wget still should be able to handle the situation
> > >gracefully and not segfault.
> > >
> > >
> > >Would it be a good idea at line 1167 of progress.c to add some validation
> > >to ensure padding is never set to a negative value before memset() is
> > >called?
> > >
> > >
> > >wget version and a dump from valgrind attached.
> > >
> > >
> > >- Lauchlin
> > >
> > >
> > >##########################################################
> > >
> > >
> > >wget --version
> > >GNU Wget 1.17.1 built on linux-gnu.
> > >
> > >+digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
> > >+opie +psl +ssl/openssl
> > >
> > >Wgetrc:
> > >/etc/wgetrc (system)
> > >Locale:
> > >/usr/share/locale
> > >Compile:
> > >gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
> > >-DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -DHAVE_LIBSSL
> > >-DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> > >-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> > >Link:
> > >gcc -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
> > >-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> > >--param=ssp-buffer-size=4 -m64 -mtune=generic -luuid -lssl -lcrypto
> > >-lz -lpsl -lidn ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
> > >
> > >Copyright (C) 2015 Free Software Foundation, Inc.
> > >License GPLv3+: GNU GPL version 3 or later
> > ><http://www.gnu.org/licenses/gpl.html>.
> > >This is free software: you are free to change and redistribute it.
> > >There is NO WARRANTY, to the extent permitted by law.
> > >
> > >Originally written by Hrvoje Niksic <address@hidden>.
> > >Please send bug reports and questions to <address@hidden>.
> > >
> > >##########################################################
> > >
> > >
> > >==1528== Memcheck, a memory error detector
> > >==1528== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> > >==1528== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
> > >==1528== Command: wget -c -O index.html https://www.property.com.au/
> > >==1528==
> > >--2016-02-22 05:30:52--  https://www.property.com.au/
> > >Resolving www.property.com.au (www.property.com.au)... 104.114.168.114
> > >Connecting to www.property.com.au (www.property.com.au)|104.114.168.114|:443... connected.
> > >HTTP request sent, awaiting response... 301 Moved Permanently
> > >Location: /buy [following]
> > >--2016-02-22 05:30:54--  https://www.property.com.au/buy
> > >Reusing existing connection to www.property.com.au:443.
> > >HTTP request sent, awaiting response... 200 OK
> > >Length: unspecified [text/html]
> > >Saving to: ‘index.html’
> > >
> > >index.html             0  --.-KB/s          ==1528== Invalid write of size 8
> > >==1528==    at 0x4C2EE57: memset (in
> > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > >==1528==    by 0x42627A: memset (string3.h:84)
> > >==1528==    by 0x42627A: create_image (progress.c:1167)
> > >==1528==    by 0x42662A: bar_finish (progress.c:673)
> > >==1528==    by 0x429498: fd_read_body (retr.c:429)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==    by 0x41F778: gethttp (http.c:3753)
> > >==1528==    by 0x41FC08: http_loop (http.c:3971)
> > >==1528==    by 0x42A054: retrieve_url (retr.c:817)
> > >==1528==    by 0x406F2B: main (main.c:1868)
> > >==1528==  Address 0x10278090 is 0 bytes after a block of size 144 alloc'd
> > >==1528==    at 0x4C28BCD: malloc (in
> > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > >==1528==    by 0x43ADC8: xmalloc (xmalloc.c:41)
> > >==1528==    by 0x4267DD: bar_create (progress.c:598)
> > >==1528==    by 0x429319: fd_read_body (retr.c:274)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==    by 0x41F778: gethttp (http.c:3753)
> > >==1528==    by 0x41FC08: http_loop (http.c:3971)
> > >==1528==    by 0x42A054: retrieve_url (retr.c:817)
> > >==1528==    by 0x406F2B: main (main.c:1868)
> > >==1528==
> > >==1528==
> > >==1528== Process terminating with default action of signal 11 (SIGSEGV)
> > >==1528==  Bad permissions for mapped region at address 0x10553000
> > >==1528==    at 0x4C2EE57: memset (in
> > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > >==1528==    by 0x42627A: memset (string3.h:84)
> > >==1528==    by 0x42627A: create_image (progress.c:1167)
> > >==1528==    by 0x42662A: bar_finish (progress.c:673)
> > >==1528==    by 0x429498: fd_read_body (retr.c:429)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==    by 0x41F778: gethttp (http.c:3753)
> > >==1528==    by 0x41FC08: http_loop (http.c:3971)
> > >==1528==    by 0x42A054: retrieve_url (retr.c:817)
> > >==1528==    by 0x406F2B: main (main.c:1868)
> > >==1528== Invalid read of size 8
> > >==1528==    at 0x5D69209: __gconv_release_step (gconv_db.c:211)
> > >==1528==    by 0x5D6A0E3: __gconv_close_transform (gconv_db.c:784)
> > >==1528==    by 0x5DF22D6: _nl_cleanup_ctype (wcsmbsload.c:267)
> > >==1528==    by 0x5EAA112: _nl_archive_subfreeres (in /lib64/libc-2.17.so)
> > >==1528==    by 0x5EA9E2A: free_mem (in /lib64/libc-2.17.so)
> > >==1528==    by 0x5EAA511: __libc_freeres (in /lib64/libc-2.17.so)
> > >==1528==    by 0x4A24684: _vgnU_freeres (in
> > >/usr/lib64/valgrind/vgpreload_core-amd64-linux.so)
> > >==1528==    by 0x10278030: ???
> > >==1528==    by 0x42627A: memset (string3.h:84)
> > >==1528==    by 0x42627A: create_image (progress.c:1167)
> > >==1528==    by 0x42662A: bar_finish (progress.c:673)
> > >==1528==    by 0x429498: fd_read_body (retr.c:429)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==  Address 0x2d2d2d2d2d2d2cb8 is not stack'd, malloc'd or (recently) free'd
> > >==1528==
> > >==1528==
> > >==1528== Process terminating with default action of signal 11 (SIGSEGV)
> > >==1528==  General Protection Fault
> > >==1528==    at 0x5D69209: __gconv_release_step (gconv_db.c:211)
> > >==1528==    by 0x5D6A0E3: __gconv_close_transform (gconv_db.c:784)
> > >==1528==    by 0x5DF22D6: _nl_cleanup_ctype (wcsmbsload.c:267)
> > >==1528==    by 0x5EAA112: _nl_archive_subfreeres (in /lib64/libc-2.17.so)
> > >==1528==    by 0x5EA9E2A: free_mem (in /lib64/libc-2.17.so)
> > >==1528==    by 0x5EAA511: __libc_freeres (in /lib64/libc-2.17.so)
> > >==1528==    by 0x4A24684: _vgnU_freeres (in
> > >/usr/lib64/valgrind/vgpreload_core-amd64-linux.so)
> > >==1528==    by 0x10278030: ???
> > >==1528==    by 0x42627A: memset (string3.h:84)
> > >==1528==    by 0x42627A: create_image (progress.c:1167)
> > >==1528==    by 0x42662A: bar_finish (progress.c:673)
> > >==1528==    by 0x429498: fd_read_body (retr.c:429)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==
> > >==1528== HEAP SUMMARY:
> > >==1528==     in use at exit: 923,752 bytes in 19,829 blocks
> > >==1528==   total heap usage: 38,638 allocs, 18,809 frees, 2,684,605 bytes
> > >allocated
> > >==1528==
> > >==1528== 208 bytes in 1 blocks are definitely lost in loss record 819 of 960
> > >==1528==    at 0x4C28BCD: malloc (in
> > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > >==1528==    by 0x5D7140E: __gconv_lookup_cache (gconv_cache.c:371)
> > >==1528==    by 0x5D69E29: __gconv_find_transform (gconv_db.c:721)
> > >==1528==    by 0x5DF2466: __wcsmbs_getfct (wcsmbsload.c:92)
> > >==1528==    by 0x5DF2466: __wcsmbs_load_conv (wcsmbsload.c:187)
> > >==1528==    by 0x5DE855C: get_gconv_fcts (wcsmbsload.h:75)
> > >==1528==    by 0x5DE855C: mbrtowc (mbrtowc.c:69)
> > >==1528==    by 0x5D7F4EB: mbtowc (mbtowc.c:64)
> > >==1528==    by 0x425307: count_cols (progress.c:804)
> > >==1528==    by 0x425F1B: create_image (progress.c:908)
> > >==1528==    by 0x4267FB: bar_create (progress.c:602)
> > >==1528==    by 0x429319: fd_read_body (retr.c:274)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==    by 0x41F778: gethttp (http.c:3753)
> > >==1528==
> > >==1528== 208 bytes in 1 blocks are definitely lost in loss record 820 of 960
> > >==1528==    at 0x4C28BCD: malloc (in
> > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > >==1528==    by 0x5D7140E: __gconv_lookup_cache (gconv_cache.c:371)
> > >==1528==    by 0x5D69E29: __gconv_find_transform (gconv_db.c:721)
> > >==1528==    by 0x5DF250D: __wcsmbs_getfct (wcsmbsload.c:92)
> > >==1528==    by 0x5DF250D: __wcsmbs_load_conv (wcsmbsload.c:190)
> > >==1528==    by 0x5DE855C: get_gconv_fcts (wcsmbsload.h:75)
> > >==1528==    by 0x5DE855C: mbrtowc (mbrtowc.c:69)
> > >==1528==    by 0x5D7F4EB: mbtowc (mbtowc.c:64)
> > >==1528==    by 0x425307: count_cols (progress.c:804)
> > >==1528==    by 0x425F1B: create_image (progress.c:908)
> > >==1528==    by 0x4267FB: bar_create (progress.c:602)
> > >==1528==    by 0x429319: fd_read_body (retr.c:274)
> > >==1528==    by 0x419D75: read_response_body (http.c:1682)
> > >==1528==    by 0x41F778: gethttp (http.c:3753)
> > >==1528==
> > >==1528== LEAK SUMMARY:
> > >==1528==    definitely lost: 416 bytes in 2 blocks
> > >==1528==    indirectly lost: 0 bytes in 0 blocks
> > >==1528==      possibly lost: 0 bytes in 0 blocks
> > >==1528==    still reachable: 923,336 bytes in 19,827 blocks
> > >==1528==         suppressed: 0 bytes in 0 blocks
> > >==1528== Reachable blocks (those to which a pointer was found) are not
> > >shown.
> > >==1528== To see them, rerun with: --leak-check=full --show-leak-kinds=all
> > >==1528==
> > >==1528== For counts of detected and suppressed errors, rerun with: -v
> > >==1528== ERROR SUMMARY: 374197 errors from 4 contexts (suppressed: 1 from 1)
> > --
> > Thanking You,
> > Darshit Shah

Attachment: signature.asc
Description: This is a digitally signed message part.
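The padding arithmetic that the thread traces to create_image (progress.c:1167), as an added example in C. This is not wget's code and not the patch Darshit attached; the function names, the buffer layout and the sample progress line are assumptions made for the demonstration. It shows the naive computation going negative as soon as the line content is wider than the terminal (what 'stty cols 40' provokes), what that negative int becomes once it reaches memset()'s size_t parameter (the length behind the "Invalid write ... 0 bytes after a block of size 144" in the valgrind output above), and a hardened renderer that clamps the padding to both the screen width and the buffer before calling memset(). The corrupted pointer 0x2d2d2d2d2d2d2cb8 in the later "Invalid read" is made of 0x2d bytes, ASCII '-', which suggests the overflow overwrote a libc structure with printable text.

```c
/*
 * Added example, not wget's code and not the patch from this thread.
 * Models the failure the thread describes: a progress line is padded out
 * to the terminal width with memset(), and when the content is already
 * wider than the terminal the padding goes negative.  memset() takes a
 * size_t, so a negative int becomes a huge length and the write runs off
 * the end of the heap buffer.  All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Terminal width the way a progress bar would obtain it (TIOCGWINSZ);
 * 'stty cols N' changes exactly this value.  Falls back to 80 when stdout
 * is not a tty. */
int terminal_width(void)
{
    struct winsize ws;
    if (isatty(STDOUT_FILENO) && ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws) == 0
        && ws.ws_col > 0)
        return ws.ws_col;
    return 80;
}

/* The unchecked computation: screen width minus columns already used.
 * Negative as soon as the content is wider than the screen. */
int naive_padding(int screen_width, const char *content)
{
    return screen_width - (int)strlen(content);
}

/* What memset() is actually asked for when an int padding is passed through
 * its size_t parameter.  For padding == -40 on LP64 this is 2^64 - 40. */
size_t memset_length_seen(int padding)
{
    return (size_t)padding;   /* the implicit conversion in the real call */
}

/* Hardened renderer: pads to screen_width but never writes more than
 * buf_size - 1 bytes and never hands memset() a negative length.  Content
 * wider than the screen is truncated.  Returns bytes written, excluding the
 * terminating NUL. */
size_t render_line_safe(char *buf, size_t buf_size, int screen_width,
                        const char *content)
{
    if (buf_size == 0)
        return 0;
    if (screen_width < 0)
        screen_width = 0;                       /* treat junk widths as 0 */
    size_t width = (size_t)screen_width;
    if (width > buf_size - 1)
        width = buf_size - 1;                   /* clamp to the buffer */
    size_t used = strlen(content);
    if (used > width)
        used = width;                           /* truncate the content */
    memcpy(buf, content, used);
    memset(buf + used, ' ', width - used);      /* never negative now */
    buf[width] = '\0';
    return width;
}

int main(void)
{
    /* Constructed sample line, 34 columns wide. */
    const char *line = "index.html        16.55K  21.1KB/s";
    int widths[] = { terminal_width(), 40, 20 };
    char buf[64];

    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int pad = naive_padding(widths[i], line);
        printf("width %3d: naive padding %4d", widths[i], pad);
        if (pad < 0)
            printf(" -> memset() would be asked for %zu bytes",
                   memset_length_seen(pad));
        render_line_safe(buf, sizeof buf, widths[i], line);
        printf("\n  safe render: [%s]\n", buf);
    }
    return 0;
}
```

Run it once at a normal width and once after 'stty cols 20' to see the naive padding flip sign while the safe renderer simply truncates; the clamp against buf_size - 1 is the part that matters for memory safety, the clamp against screen_width only keeps the output tidy.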

