URL: <http://savannah.gnu.org/bugs/?52133>
Summary: Use after free of D_xtable in FreeDisplay
Project: GNU Screen
Submitted by: None
Submitted on: Thu 28 Sep 2017 01:57:21 AM UTC
Category: Crash/Freeze/Infloop
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.6.1
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

FreeDisplay() first calls FreeTransTable, which frees D_xtable but does not modify the value of D_xtable. Then SetTTY is called, which calls Msg when an error occurs. This can cause a segfault when RAW_PUTCHAR tries to access the memory pointed to by D_xtable.

0  0x000055583e7032a4 in RAW_PUTCHAR (c=110) at display.c:656
1  0x000055583e6cbe4c in PutWinMsg (s=0x55583e932801 <winmsg_buf+1> "clark-dt -* ", s@entry=0x55583e932800 <winmsg_buf> "nclark-dt -* ", start=<optimized out>, start@entry=0, max=40, max@entry=49) at screen.c:3053
2  0x000055583e7003f6 in PrePutWinMsg (s=0x55583e932800 <winmsg_buf> "nclark-dt -* ", start=0, max=49) at display.c:2174
3  0x000055583e705339 in RefreshLine (y=65, from=<optimized out>, to=48, isblank=0) at display.c:2399
4  0x000055583e70630c in MakeStatus (msg=0x7ffeaa03d7d0 "SetTTY (fd 3): ioctl failed: Input/output error") at display.c:2056
5  0x000055583e6c8a68 in Msg (err=<optimized out>, fmt=<optimized out>) at screen.c:2091
6  0x000055583e6c83a1 in CoreDump (sigsig=<optimized out>) at screen.c:1664
7  <signal handler called>
8  0x000055583e7032a4 in RAW_PUTCHAR (c=110) at display.c:656
9  0x000055583e6cbe4c in PutWinMsg (s=0x55583e932801 <winmsg_buf+1> "clark-dt -* ", s@entry=0x55583e932800 <winmsg_buf> "nclark-dt -* ", start=<optimized out>, start@entry=0, max=40) at screen.c:3053
10 0x000055583e700443 in PrePutWinMsg (s=0x55583e932800 <winmsg_buf> "nclark-dt -* ", start=0, max=<optimized out>) at display.c:2165
11 0x000055583e705339 in RefreshLine (y=65, from=<optimized out>, to=48, isblank=0) at display.c:2399
12 0x000055583e70630c in MakeStatus (msg=0x7ffeaa040780 "SetTTY (fd 3): ioctl failed: Input/output error") at display.c:2056
13 0x000055583e6c8a68 in Msg (err=<optimized out>, fmt=<optimized out>, fmt@entry=0x55583e719f41 "SetTTY (fd %d): ioctl failed") at screen.c:2091
14 0x000055583e6dfadc in SetTTY (fd=<optimized out>, mp=<optimized out>) at tty.c:624
15 0x000055583e707d08 in FreeDisplay () at display.c:340
16 0x000055583e6c8612 in Detach (mode=mode@entry=2) at screen.c:2000
17 0x000055583e6dbb52 in FinishDetach (m=0x55583e933b80 <m>) at socket.c:1607
18 0x000055583e6ddcd5 in FinishAttach (m=m@entry=0x55583e933b80 <m>) at socket.c:1424
19 0x000055583e6de531 in ReceiveMsg () at socket.c:1235
20 0x000055583e711583 in sched () at sched.c:237
21 0x000055583e6c7113 in main (ac=0, av=<optimized out>) at screen.c:1466

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Thu 28 Sep 2017 01:57:21 AM UTC
Name: 0001-termcap.c-in-FreeTransTable-set-D_xtable-to-NULL.patch
Size: 3KiB
By: None
Patch to set D_xtable to NULL after free
<http://savannah.gnu.org/bugs/download.php?file_id=41912>
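The lifetime bug described in the Details, reduced to a runnable C model that is added here and is not GNU Screen's code: the display struct, table layout, new_trans_table, free_trans_table, raw_putchar and free_display are simplifying assumptions that mirror the report's sequence (table freed first, then a SetTTY error rendered through the character output path), and free_trans_table clears the pointer the way the attached patch does.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
enum { FONTS = 256, CHARS = 257 };

struct display {          /* simplified stand-in for Screen's display state (assumption) */
    char ***xtable;       /* per-font, per-char translation strings, NULL when unset */
    int font;             /* current font, indexes xtable */
    char out[128];        /* captured terminal output */
    size_t outlen;
};

/* Constructed sample table: 'n' (c=110 in the backtrace) in font 0 becomes "<n>". */
static char ***new_trans_table(void) {
    char ***t = calloc(FONTS, sizeof *t);
    t[0] = calloc(CHARS, sizeof *t[0]);
    t[0][(unsigned char)'n'] = strdup("<n>");
    return t;
}

/* Release the table. The reported bug: free() ran but the pointer kept its old value,
 * so raw_putchar's NULL check passed and freed memory was read. The patch clears it. */
static void free_trans_table(struct display *d) {
    if (!d->xtable) return;
    for (int i = 0; i < FONTS; i++) {
        if (!d->xtable[i]) continue;
        for (int j = 0; j < CHARS; j++) free(d->xtable[i][j]);
        free(d->xtable[i]);
    }
    free(d->xtable);
    d->xtable = NULL;   /* the fix: never leave a dangling pointer behind */
}

static void add_str(struct display *d, const char *s) {
    size_t n = strlen(s);
    if (d->outlen + n < sizeof d->out) { memcpy(d->out + d->outlen, s, n + 1); d->outlen += n; }
}

/* Emit one character, translated through xtable when an entry exists. */
static void raw_putchar(struct display *d, int c) {
    const char *s = d->xtable && d->xtable[d->font] ? d->xtable[d->font][(unsigned char)c] : NULL;
    char lit[2] = { (char)c, 0 };
    add_str(d, s ? s : lit);
}

/* FreeDisplay ordering from the backtrace: the table is freed first, then a SetTTY
 * error renders a status message through raw_putchar. Returns the rendered output. */
static const char *free_display(struct display *d, int tty_error) {
    free_trans_table(d);
    if (tty_error)
        for (const char *p = "SetTTY (fd 3): ioctl failed"; *p; p++) raw_putchar(d, *p);
    return d->out;
}
```

With the NULL assignment in place the error message is rendered untranslated from live memory; without it, the `d->xtable &&` guard in raw_putchar is satisfied by the stale pointer and the read goes into freed memory, which is the crash in frame 0.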