From root@omicidio.nl  Sun May 25 11:36:41 2008
Return-Path: <root@omicidio.nl>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 283E41065676;
	Sun, 25 May 2008 11:36:41 +0000 (UTC)
	(envelope-from root@omicidio.nl)
Received: from bob.omicidio.nl (bob.omicidio.nl [62.212.76.219])
	by mx1.freebsd.org (Postfix) with ESMTP id E649E8FC1E;
	Sun, 25 May 2008 11:36:40 +0000 (UTC)
	(envelope-from root@omicidio.nl)
Received: by bob.omicidio.nl (Postfix, from userid 0)
	id 98F7F2F142F; Sun, 25 May 2008 13:19:33 +0200 (CEST)
Message-Id: <20080525111933.98F7F2F142F@bob.omicidio.nl>
Date: Sun, 25 May 2008 13:19:33 +0200 (CEST)
From: Jille <jille@quis.cx>
Reply-To: Jille <jille@quis.cx>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Ed <ed@freebsd.org>
Subject: Segmentation fault in dialog with ghostscript-gpl-nox11 port
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         123977
>Category:       bin
>Synopsis:       Segmentation fault in dialog(1) with ghostscript-gpl-nox11 port
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 25 11:40:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun Jul 06 09:20:37 UTC 2008
>Originator:     Jille
>Release:        FreeBSD 6.2-RELEASE-p9 i386
>Organization:
Omicidio
>Environment:
System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9 #0: Sun Jan 13 12:50:30 CET 2008 quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386

        libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
        libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
        libc.so.6 => /lib/libc.so.6 (0x280d3000)
>Description:
	When running make config in /usr/ports/print/ghostscript-gpl-nox11,
	I get a normal dialog (with a lot of options; that might be a/the problem?).
	When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it doesn't crash).
	Output:
	Segmentation fault (core dumped)
	===> Options unchanged

	# portsnap fetch extract
	didn't solve the problem
>How-To-Repeat:
	cd /usr/ports/print/ghostscript-gpl-nox11
	make config
	tab, enter (OK)
>Fix:
	Unfortunately I couldn't get a backtrace.
	(Recompiled dialog and libdialog with -g.)
	I can give the memory addresses in the backtrace, but they seem quite useless.
	I'm willing to provide help of course, so tell me what to do :)

	Note: the recompiled dialog and libdialog were the 6.3 sources! (I had 6.3 checked out and compiled, to be able to upgrade with a few commands.)
	However, the crash also occurred with the original 6.2 source.
>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@FreeBSD.org>
To: Jille <jille@quis.cx>
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed <ed@FreeBSD.org>
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11
 port
Date: Sun, 25 May 2008 14:02:58 +0200

 Jille wrote:
 
 >> Environment:
 > System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9 #0: Sun Jan 13 12:50:30 CET 2008 quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
 > 
 >         libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
 >         libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
 >         libc.so.6 => /lib/libc.so.6 (0x280d3000)
 >> Description:
 > 	When running make config in /usr/ports/print/ghostscript-gpl-nox11,
 > 	I get a normal dialog (with a lot of options; that might be a/the problem?).
 > 	When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it doesn't crash).
 > 	Output:
 > 	Segmentation fault (core dumped)
 > 	===> Options unchanged
 > 
 > 	# portsnap fetch extract
 > 	didn't solve the problem
 >> How-To-Repeat:
 > 	cd /usr/ports/print/ghostscript-gpl-nox11
 > 	make config
 > 	tab, enter (OK)
 >> Fix:
 > 	Unfortunately I couldn't get a backtrace.
 > 	(Recompiled dialog and libdialog with -g.)
 > 	I can give the memory addresses in the backtrace, but they seem quite useless.
 > 	I'm willing to provide help of course, so tell me what to do :)
 > 
 > 	Note: the recompiled dialog and libdialog were the 6.3 sources! (I had 6.3 checked out and compiled, to be able to upgrade with a few commands.)
 > 	However, the crash also occurred with the original 6.2 source.
 
 In order to proceed with this we need either a reliable way to reproduce 
 this, or a backtrace.
 
 Kris

From: Jille <jille@quis.cx>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed <ed@FreeBSD.org>
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11
 port
Date: Sun, 25 May 2008 14:11:25 +0200

 Kris Kennaway wrote:
 > Jille wrote:
 > 
 >>> Environment:
 >> System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9 
 >> #0: Sun Jan 13 12:50:30 CET 2008 
 >> quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
 >>
 >>         libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
 >>         libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
 >>         libc.so.6 => /lib/libc.so.6 (0x280d3000)
 >>> Description:
 >>     When running make config in /usr/ports/print/ghostscript-gpl-nox11,
 >>     I get a normal dialog (with a lot of options; that might be a/the 
 >> problem?).
 >>     When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it 
 >> doesn't crash).
 >>     Output:
 >>     Segmentation fault (core dumped)
 >>     ===> Options unchanged
 >>
 >>     # portsnap fetch extract
 >>     didn't solve the problem
 >>> How-To-Repeat:
 >>     cd /usr/ports/print/ghostscript-gpl-nox11
 >>     make config
 >>     tab, enter (OK)
 >>> Fix:
 >>     Unfortunately I couldn't get a backtrace.
 >>     (Recompiled dialog and libdialog with -g.)
 >>     I can give the memory addresses in the backtrace, but they seem 
 >> quite useless.
 >>     I'm willing to provide help of course, so tell me what to do :)
 >>
 >>     Note: the recompiled dialog and libdialog were the 6.3 sources! 
 >> (I had 6.3 checked out and compiled, to be able to upgrade with a few 
 >> commands.)
 >>     However, the crash also occurred with the original 6.2 source.
 > 
 > In order to proceed with this we need either a reliable way to reproduce 
 > this, or a backtrace.
 I just tested and couldn't reproduce it on 6.3-p2 with the same port 
 (that system does have X11).
 I can reproduce it on the 6.2 box.
 
 Could you tell me what to do to produce a backtrace?
 The backtrace I could get (without function names, files, line numbers etc.) 
 was huge; I didn't make it to the top (> 500).
 I can try to dump it entirely, if it ever stops.
 
 I can also upload my dialog binary, dialog core, libdialog-with-debug, 
 and libc somewhere?
 
 I have compiled dialog and libdialog with -g; should I also do it with 
 libc?
 
 A few minutes after submitting this PR I saw
 http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
 A buffer overflow in dialog when too many options are selected 
 (MAX_LEN (output length) = 2048, and they're using strcpy).
 
 (The category should be changed from bin -> gnu, btw; I missed the gnu in 
 the list.)
 
 I'm gonna try to get to the top of the backtrace now.
 
 -- Jille
 > 
 > Kris

From: Kris Kennaway <kris@FreeBSD.org>
To: Jille <jille@quis.cx>
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed <ed@FreeBSD.org>
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11
 port
Date: Sun, 25 May 2008 14:43:39 +0200

 Jille wrote:
 > 
 > 
 > Kris Kennaway wrote:
 >> Jille wrote:
 >>
 >>>> Environment:
 >>> System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9 
 >>> #0: Sun Jan 13 12:50:30 CET 2008 
 >>> quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
 >>>
 >>>         libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
 >>>         libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
 >>>         libc.so.6 => /lib/libc.so.6 (0x280d3000)
 >>>> Description:
 >>>     When running make config in /usr/ports/print/ghostscript-gpl-nox11,
 >>>     I get a normal dialog (with a lot of options; that might be a/the 
 >>> problem?).
 >>>     When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel 
 >>> it doesn't crash).
 >>>     Output:
 >>>     Segmentation fault (core dumped)
 >>>     ===> Options unchanged
 >>>
 >>>     # portsnap fetch extract
 >>>     didn't solve the problem
 >>>> How-To-Repeat:
 >>>     cd /usr/ports/print/ghostscript-gpl-nox11
 >>>     make config
 >>>     tab, enter (OK)
 >>>> Fix:
 >>>     Unfortunately I couldn't get a backtrace.
 >>>     (Recompiled dialog and libdialog with -g.)
 >>>     I can give the memory addresses in the backtrace, but they seem 
 >>> quite useless.
 >>>     I'm willing to provide help of course, so tell me what to do :)
 >>>
 >>>     Note: the recompiled dialog and libdialog were the 6.3 sources! 
 >>> (I had 6.3 checked out and compiled, to be able to upgrade with a 
 >>> few commands.)
 >>>     However, the crash also occurred with the original 6.2 source.
 >>
 >> In order to proceed with this we need either a reliable way to 
 >> reproduce this, or a backtrace.
 > I just tested and couldn't reproduce it on 6.3-p2 with the same port 
 > (that system does have X11).
 > I can reproduce it on the 6.2 box.
 > 
 > Could you tell me what to do to produce a backtrace?
 
 The process is documented in the developers handbook.
 
 > The backtrace I could get (without function names, files, line numbers etc.) 
 > was huge; I didn't make it to the top (> 500).
 > I can try to dump it entirely, if it ever stops.
 > 
 > I can also upload my dialog binary, dialog core, libdialog-with-debug, 
 > and libc somewhere?
 > 
 > I have compiled dialog and libdialog with -g; should I also do it with 
 > libc?
 
 It may be necessary, but if it is crashing in dialog then those parts of 
 the backtrace should be fine at least.  If you are not seeing any 
 file:line details then something went wrong with your -g binaries, e.g. 
 they were stripped when they were installed.
 
 > A few minutes after submitting this PR I saw
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
 > A buffer overflow in dialog when too many options are selected 
 > (MAX_LEN (output length) = 2048, and they're using strcpy).
 
 Yes, the dialog code is quite "low-grade" :)
 
 > (The category should be changed from bin -> gnu, btw; I missed the gnu in 
 > the list.)
 > 
 > I'm gonna try to get to the top of the backtrace now.
 
 Kris
State-Changed-From-To: open->patched 
State-Changed-By: ache 
State-Changed-When: Sun May 25 13:05:41 UTC 2008 
State-Changed-Why:  
MAX_LEN bumped to 4096 long time ago 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123977 

From: Jille <jille@quis.cx>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, Ed <ed@FreeBSD.org>, 
 ache@freebsd.org
Subject: Re: bin/123977: Segmentation fault in dialog with ghostscript-gpl-nox11
 port
Date: Sun, 25 May 2008 16:02:39 +0200

 ache: Bumping MAX_LEN from 2048 -> 4096 is not really the fix.
 See the URL below, and try it.
 Yes, it fixes my situation, with 3426 bytes, but it will crash again if 
 (e.g.) ghostscript gets more options.
 
 Kris Kennaway wrote:
 > Jille wrote:
 >>
 >>
 >> Kris Kennaway wrote:
 [...]
 > 
 > The process is documented in the developers handbook.
 > 
 >> The backtrace I could get (without function names, files, line numbers etc.) 
 >> was huge; I didn't make it to the top (> 500).
 >> I can try to dump it entirely, if it ever stops.
 >>
 >> I can also upload my dialog binary, dialog core, libdialog-with-debug, 
 >> and libc somewhere?
 >>
 >> I have compiled dialog and libdialog with -g; should I also do it with 
 >> libc?
 > 
 > It may be necessary, but if it is crashing in dialog then those parts of 
 > the backtrace should be fine at least.  If you are not seeing any 
 > file:line details then something went wrong with your -g binaries, e.g. 
 > they were stripped when they were installed.
 > 
 >> A few minutes after submitting this PR I saw
 >> http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
 >> A buffer overflow in dialog when too many options are selected 
 >> (MAX_LEN (output length) = 2048, and they're using strcpy).
 > 
 > Yes, the dialog code is quite "low-grade" :)
 > 
 >> (The category should be changed from bin -> gnu, btw; I missed the gnu in 
 >> the list.)
 >>
 >> I'm gonna try to get to the top of the backtrace now.
 Okay, I can't get a backtrace; the stack gets fucked up.
 I stepped (next'd) through the program till it crashed.
 Last lines:
 269            fprintf(stderr, "\"%s\"", h);
 (gdb)
 "GS_wtscmyk"270         h = s;
 (gdb)
 339         EndDialog(clear_screen);
 (gdb)
 
 346     }
 (gdb)
 340         return retval;
 (gdb)
 346     }
 (gdb)
 Warning:
 Cannot insert breakpoint 0.
 Error accessing memory address 0x53470066: Bad address.
 
 The file is /usr/src/gnu/usr.bin/dialog/dialog.c at the end of main().
 
 Quite interesting is that the EndDialog on line 339 should only be 
 called if (!strcmp(argv[offset+1], "--tree")),
 which is _NOT_ the case.
 
 At this URL you can find the command-line arguments:
 http://junk.quis.cx/suWFMqdS/dialog-crash.sh
 (I would like to hear whether it reproduces.)
 (I generated it from ports.)
 
 -- Jille
 > 
 > Kris
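The disagreement above (MAX_LEN bumped from 2048 to 4096 versus "not really the fix") comes down to a fixed-size result buffer that is filled without comparing the selection's total length against it. The following is an added example, not code from dialog.c or the FreeBSD tree: a checked fixed-buffer join beside a join sized from the selection itself, with a constructed GS_OPT_ option list standing in for the port's options. The names result_length, join_fixed, join_dynamic, build, fits_in and dynamic_len are invented here, and the quoted-item output format is assumed from the fprintf in the gdb trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes to emit each item as "name" plus a space (quoting as in the gdb trace). */
size_t result_length(const char *const *items, size_t n) {
    size_t len = 0;
    while (n-- > 0) len += strlen(items[n]) + 3;
    return len;
}

/* Fixed buffer, but checked: 0 on success, -1 if the selection does not fit. */
int join_fixed(const char *const *items, size_t n, char *out, size_t outsz) {
    if (result_length(items, n) + 1 > outsz)   /* +1 for the terminating NUL */
        return -1;
    for (size_t i = 0, used = 0; i < n; i++)
        used += (size_t)snprintf(out + used, outsz - used, "\"%s\" ", items[i]);
    return 0;
}

/* Sized from the selection, so no option list outgrows a constant. Caller frees. */
char *join_dynamic(const char *const *items, size_t n) {
    size_t len = result_length(items, n);
    char *out = malloc(len + 1);
    for (size_t i = 0, used = 0; out != NULL && i < n; i++)
        used += (size_t)snprintf(out + used, len + 1 - used, "\"%s\" ", items[i]);
    return out;
}

/* Constructed stand-in for the port's options: n (<= 512) names, 13 output bytes each. */
static const char **build(size_t n) {
    static char names[512][16];
    static const char *items[512];
    for (size_t i = 0; i < n && i < 512; i++)
        { items[i] = names[i]; snprintf(names[i], 16, "GS_OPT_%03zu", i); }
    return items;
}

/* Checked fixed-buffer verdict for a bufsz-byte (<= 4096) scratch buffer. */
int fits_in(size_t n, size_t bufsz) {
    return bufsz <= 4096 ? join_fixed(build(n), n, (char[4096]){0}, bufsz) : -1;
}

/* Length the dynamically sized join actually produces (0 if malloc fails). */
size_t dynamic_len(size_t n) {
    char *s = join_dynamic(build(n), n);
    size_t len = s != NULL ? strlen(s) : 0;
    free(s);
    return len;
}
```

With 13 output bytes per constructed option, 150 options fit the old 2048-byte limit, 200 need the 4096-byte one, and 350 exceed both, while the selection-sized join produces the full 4550 bytes.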
>Unformatted:
