[Bug 1539627] [NEW] Buffer underflow in nano 2.4.2-1ubuntu0.1 causes SIGSEGV

Bartłomiej Żogała Fri, 29 Jan 2016 06:51:18 -0800

Public bug reported:

nusch@XPS13:~$ touch .the_test.swp
nusch@XPS13:~$ nano  the_test
core dumped
LANG env is ="pl_PL.UTF" without it it doen't Segfault so error is connected 
with unicode handling.


Compiling nano from source(apt-get source - so the same version) doesn't
geneate nano binary which beheaves same way.

The difference is in libncurses>w< library:
nusch@XPS13:~$ ldd /bin/nano
 linux-vdso.so.1 =>  (0x00007ffe5cb00000)
 libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 
(0x00007fdec11c5000) << with w
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fdec0f9c000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdec0bd1000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdec09cd000)
 /lib64/ld-linux-x86-64.so.2 (0x000055cc1e5d6000)
nusch@XPS13:~$ ldd /bin/nano_from_src
 linux-vdso.so.1 =>  (0x00007ffd22d48000)
 libncurses.so.5 => /lib/x86_64-linux-gnu/libncurses.so.5 (0x00007f75dc891000) 
<< without w
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f75dc668000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f75dc29d000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f75dc099000)
 /lib64/ld-linux-x86-64.so.2 (0x000055f9b15ce000)

Backtrace of segfault:
Program received signal SIGSEGV, Segmentation fault.
                                                    0x0000000000404047 in ?? ()
(gdb) bt
#0  0x0000000000404047 in ?? ()
#1  0x00007ffff75d1a40 in __libc_start_main (main=0x403770, argc=2, 
argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:289
#2  0x0000000000404329 in ?? ()

Disassembly of that part of code:
  40401d:       0f 84 3c 01 00 00       je     40415f <__sprintf_chk@plt+0x9ff>
  404023:       83 7c 24 10 00          cmp    DWORD PTR [rsp+0x10],0x0
  404028:       75 0a                   jne    404034 <__sprintf_chk@plt+0x8d4>
  40402a:       81 25 1c e8 22 00 ff    and    DWORD PTR 
[rip+0x22e81c],0xffffbfff        # 632850 <stderr+0x1f0>
  404031:       bf ff ff
  404034:       48 8b 05 dd e7 22 00    mov    rax,QWORD PTR [rip+0x22e7dd]     
   # 632818 <stderr+0x1b8>
  40403b:       48 8b 80 90 00 00 00    mov    rax,QWORD PTR [rax+0x90]
  404042:       48 85 c0                test   rax,rax
  404045:       74 0b                   je     404052 <__sprintf_chk@plt+0x8f2>
  404047:       83 78 38 00             cmp    DWORD PTR [rax+0x38],0x0
  40404b:       7e 05                   jle    404052 <__sprintf_chk@plt+0x8f2>
  40404d:       e8 3e fc 00 00          call   413c90 
<__sprintf_chk@plt+0x10530>
  404052:       48 8b 7c 24 20          mov    rdi,QWORD PTR [rsp+0x20]
  404057:       48 85 ff                test   rdi,rdi
  40405a:       0f 8e b5 00 00 00       jle    404115 <__sprintf_chk@plt+0x9b5>
  404060:       48 8b 74 24 28          mov    rsi,QWORD PTR [rsp+0x28]

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nano 2.4.2-1ubuntu0.1
ProcVersionSignature: Ubuntu 4.2.0-25.30-generic 4.2.6
Uname: Linux 4.2.0-25-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Jan 29 15:13:25 2016
InstallationDate: Installed on 2015-05-08 (266 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: nano
UpgradeStatus: Upgraded to wily on 2015-11-15 (74 days ago)

** Affects: nano (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

** Description changed:

  nusch@XPS13:~$ touch .the_test.swp
- nusch@XPS13:~$ nano  .the_test.swp
+ nusch@XPS13:~$ nano  the_test
  core dumped
  LANG env is ="pl_PL.UTF" without it it doen't Segfault so error is connected 
with unicode handling.
  
  Compiling nano from source(apt-get source - so the same version) doesn't
  geneate nano binary which beheaves same way.
  
  The difference is in libncurses>w< library:
  nusch@XPS13:~$ ldd /bin/nano
-       linux-vdso.so.1 =>  (0x00007ffe5cb00000)
-       libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 
(0x00007fdec11c5000) << with w
-       libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 
(0x00007fdec0f9c000)
-       libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdec0bd1000)
-       libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdec09cd000)
-       /lib64/ld-linux-x86-64.so.2 (0x000055cc1e5d6000)
+  linux-vdso.so.1 =>  (0x00007ffe5cb00000)
+  libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 
(0x00007fdec11c5000) << with w
+  libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fdec0f9c000)
+  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdec0bd1000)
+  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdec09cd000)
+  /lib64/ld-linux-x86-64.so.2 (0x000055cc1e5d6000)
  nusch@XPS13:~$ ldd /bin/nano_from_src
-       linux-vdso.so.1 =>  (0x00007ffd22d48000)
-       libncurses.so.5 => /lib/x86_64-linux-gnu/libncurses.so.5 
(0x00007f75dc891000) << without w
-       libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 
(0x00007f75dc668000)
-       libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f75dc29d000)
-       libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f75dc099000)
-       /lib64/ld-linux-x86-64.so.2 (0x000055f9b15ce000)
- 
+  linux-vdso.so.1 =>  (0x00007ffd22d48000)
+  libncurses.so.5 => /lib/x86_64-linux-gnu/libncurses.so.5 
(0x00007f75dc891000) << without w
+  libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f75dc668000)
+  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f75dc29d000)
+  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f75dc099000)
+  /lib64/ld-linux-x86-64.so.2 (0x000055f9b15ce000)
  
  Backtrace of segfault:
  Program received signal SIGSEGV, Segmentation fault.
-                                                     0x0000000000404047 in ?? 
()
+                                                     0x0000000000404047 in ?? 
()
  (gdb) bt
  #0  0x0000000000404047 in ?? ()
  #1  0x00007ffff75d1a40 in __libc_start_main (main=0x403770, argc=2, 
argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:289
  #2  0x0000000000404329 in ?? ()
  
- 
  Disassembly of that part of code:
-   40401d:       0f 84 3c 01 00 00       je     40415f 
<__sprintf_chk@plt+0x9ff>
-   404023:       83 7c 24 10 00          cmp    DWORD PTR [rsp+0x10],0x0
-   404028:       75 0a                   jne    404034 
<__sprintf_chk@plt+0x8d4>
-   40402a:       81 25 1c e8 22 00 ff    and    DWORD PTR 
[rip+0x22e81c],0xffffbfff        # 632850 <stderr+0x1f0>
-   404031:       bf ff ff 
-   404034:       48 8b 05 dd e7 22 00    mov    rax,QWORD PTR [rip+0x22e7dd]   
     # 632818 <stderr+0x1b8>
-   40403b:       48 8b 80 90 00 00 00    mov    rax,QWORD PTR [rax+0x90]
-   404042:       48 85 c0                test   rax,rax
-   404045:       74 0b                   je     404052 
<__sprintf_chk@plt+0x8f2>
-   404047:       83 78 38 00             cmp    DWORD PTR [rax+0x38],0x0
-   40404b:       7e 05                   jle    404052 
<__sprintf_chk@plt+0x8f2>
-   40404d:       e8 3e fc 00 00          call   413c90 
<__sprintf_chk@plt+0x10530>
-   404052:       48 8b 7c 24 20          mov    rdi,QWORD PTR [rsp+0x20]
-   404057:       48 85 ff                test   rdi,rdi
-   40405a:       0f 8e b5 00 00 00       jle    404115 
<__sprintf_chk@plt+0x9b5>
-   404060:       48 8b 74 24 28          mov    rsi,QWORD PTR [rsp+0x28]
+   40401d:       0f 84 3c 01 00 00       je     40415f 
<__sprintf_chk@plt+0x9ff>
+   404023:       83 7c 24 10 00          cmp    DWORD PTR [rsp+0x10],0x0
+   404028:       75 0a                   jne    404034 
<__sprintf_chk@plt+0x8d4>
+   40402a:       81 25 1c e8 22 00 ff    and    DWORD PTR 
[rip+0x22e81c],0xffffbfff        # 632850 <stderr+0x1f0>
+   404031:       bf ff ff
+   404034:       48 8b 05 dd e7 22 00    mov    rax,QWORD PTR [rip+0x22e7dd]   
     # 632818 <stderr+0x1b8>
+   40403b:       48 8b 80 90 00 00 00    mov    rax,QWORD PTR [rax+0x90]
+   404042:       48 85 c0                test   rax,rax
+   404045:       74 0b                   je     404052 
<__sprintf_chk@plt+0x8f2>
+   404047:       83 78 38 00             cmp    DWORD PTR [rax+0x38],0x0
+   40404b:       7e 05                   jle    404052 
<__sprintf_chk@plt+0x8f2>
+   40404d:       e8 3e fc 00 00          call   413c90 
<__sprintf_chk@plt+0x10530>
+   404052:       48 8b 7c 24 20          mov    rdi,QWORD PTR [rsp+0x20]
+   404057:       48 85 ff                test   rdi,rdi
+   40405a:       0f 8e b5 00 00 00       jle    404115 
<__sprintf_chk@plt+0x9b5>
+   404060:       48 8b 74 24 28          mov    rsi,QWORD PTR [rsp+0x28]
  
  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: nano 2.4.2-1ubuntu0.1
  ProcVersionSignature: Ubuntu 4.2.0-25.30-generic 4.2.6
  Uname: Linux 4.2.0-25-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Jan 29 15:13:25 2016
  InstallationDate: Installed on 2015-05-08 (266 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  SourcePackage: nano
  UpgradeStatus: Upgraded to wily on 2015-11-15 (74 days ago)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1539627

Title:
  Buffer underflow in nano 2.4.2-1ubuntu0.1  causes  SIGSEGV

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nano/+bug/1539627/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1539627] [NEW] Buffer underflow in nano 2.4.2-1ubuntu0.1 causes SIGSEGV

Reply via email to