bug-coreutils

bug#28859: Segmentation fault with NULL pointer dereference in 'stty'


From: Jaeseung Choi
Subject: bug#28859: Segmentation fault with NULL pointer dereference in 'stty'
Date: Mon, 16 Oct 2017 10:07:52 +0900

Dear GNU team,

While testing coreutils for research purposes, we found the following
crash in 'stty'. Running stty with the command line "stty eol -F AA"
raises a crash as below. We did not change any terminal setting, and
believe the bug is irrelevant to any specific terminal
configuration.

address@hidden:~$ tar -xf coreutils-8.28.tar.xz
address@hidden:~$ cd coreutils-8.28/
address@hidden:~/coreutils-8.28$ mkdir obj
address@hidden:~/coreutils-8.28$ cd obj
address@hidden:~/coreutils-8.28/obj$ ../configure --disable-nls && make
...
address@hidden:~/coreutils-8.28/obj$ gdb ./src/stty -q
Reading symbols from ./src/stty...done.
(gdb) run eol -F AA
Starting program: /home/jason/coreutils-8.28/obj/src/stty eol -F AA

Program received signal SIGSEGV, Segmentation fault.
set_control_char (info=0x40a6f8 <control_info+120>, info=0x40a6f8
<control_info+120>, mode=0x6103c0 <check_mode>, arg=0x0) at
../src/stty.c:1695
1695      else if (arg[0] == '\0' || arg[1] == '\0')
(gdb) x/i $rip
=> 0x40387a <apply_settings+746>:       movzbl (%rbx),%r14d
(gdb) info reg rbx
rbx            0x0      0
(gdb)

We could reproduce the bug in coreutils from version 8.27 to 8.28.
Also, the bug was reproducible in both Ubuntu 16.04 and Debian 9.1.
But the stty program pre-built in Debian 9.1 did not crash because
version 8.26 is currently installed in Debian.

Please let us know if you have a problem reproducing the bug.

Thank you.

Sincerely,
Jaeseung
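
The backtrace above shows set_control_char reading arg[0] while arg is 0x0. The following is an added example, not code from the report or from coreutils: a simplified model of a control-character parser and its caller that reject a NULL argument before dereferencing it. The names parse_control_char, apply_control_setting and cc_status are hypothetical, and the argument vector with NULL slots is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum cc_status { CC_OK = 0, CC_MISSING_ARG = -1, CC_INVALID = -2 };

/* Hypothetical helper: decode a control-character argument ("x" or "^C").
   A NULL argument is reported to the caller instead of being dereferenced. */
static enum cc_status
parse_control_char (const char *arg, unsigned char *out)
{
  if (arg == NULL)                      /* the state in the backtrace: arg=0x0 */
    return CC_MISSING_ARG;
  if (arg[0] == '\0' || arg[1] == '\0') /* empty string or one literal char */
    {
      *out = (unsigned char) arg[0];
      return CC_OK;
    }
  if (arg[0] == '^' && arg[2] == '\0')  /* caret notation, e.g. ^C -> 0x03 */
    {
      *out = (arg[1] == '?') ? 127 : ((unsigned char) arg[1] & ~0140);
      return CC_OK;
    }
  return CC_INVALID;
}

/* Hypothetical caller: locate setting NAME and decode the word after it.
   It tests the pointer in the next slot, not only the index, because this
   model assumes slots can be NULL. */
static enum cc_status
apply_control_setting (int argc, char **argv, const char *name,
                       unsigned char *out)
{
  for (int k = 1; k < argc; k++)
    {
      if (argv[k] == NULL || strcmp (argv[k], name) != 0)
        continue;
      return parse_control_char (k + 1 < argc ? argv[k + 1] : NULL, out);
    }
  return CC_INVALID;
}

int main (void)
{
  char *argv[] = { "stty", "eol", NULL, NULL, NULL };  /* constructed input */
  unsigned char c = 0;
  printf ("status=%d\n", apply_control_setting (4, argv, "eol", &c));
  return 0;
}
```

An index check alone (k + 1 < argc) passes for the constructed vector, so the pointer test in parse_control_char is what turns the crash into a "missing argument" status.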




