* [kbd] Invalid out of bounds memory read when running make check
@ 2016-03-21 9:41 Hanno Böck
2016-03-27 19:59 ` Felix Janda
0 siblings, 1 reply; 3+ messages in thread
From: Hanno Böck @ 2016-03-21 9:41 UTC (permalink / raw)
To: kbd
[-- Attachment #1: Type: text/plain, Size: 3183 bytes --]
Hi,
When compiling kbd (latest version 2.0.3) with address sanitizer and
running the test suite (make check) it will show a global out of bounds
memory read. I have attached the address sanitizer error message at the
end of this mail.
I have not fully tracked down the bug, but the error happens in the
file ksyms.c in line 203.
The test that's causing this can be manually run with
./libkeymap-dumpkeys ./dumpkeys.ua-ws.map SEPARATE_LINE FALSE
in the tests dir.
This line from dumpkeys.ua-ws.map causes it:
altgr keycode 3 = 157
To reproduce:
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
make check
Here's the full asan error:
==19183==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006473d8 at pc 0x417ce5 bp 0x7ffc88302d70 sp 0x7ffc88302d60
READ of size 8 at 0x0000006473d8 thread T0
#0 0x417ce4 in codetoksym /mnt/ram/kbd/src/libkeymap/ksyms.c:203
#1 0x418e82 in convert_code /mnt/ram/kbd/src/libkeymap/ksyms.c:415
#2 0x40bc3f in yyparse /mnt/ram/kbd/src/libkeymap/parser.y:396
#3 0x40ce98 in lk_parse_keymap /mnt/ram/kbd/src/libkeymap/parser.y:421
#4 0x402167 in main /mnt/ram/kbd/tests/libkeymap-dumpkeys.c:32
#5 0x7f9a0f87b62f in __libc_start_main (/lib64/libc.so.6+0x2062f)
#6 0x401db8 in _start (/mnt/ram/kbd/tests/libkeymap-dumpkeys+0x401db8)
0x0000006473d8 is located 24 bytes to the right of global variable 'koi8_syms' from 'ksyms.c' (0x646bc0) of size 2048
0x0000006473d8 is located 40 bytes to the left of global variable 'latin1_syms' from 'ksyms.c' (0x647400) of size 1536
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/kbd/src/libkeymap/ksyms.c:203 codetoksym
Shadow bytes around the buggy address:
0x0000800c0e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800c0e70: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
0x0000800c0e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800c0ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==19183==ABORTING
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [kbd] Invalid out of bounds memory read when running make check
2016-03-21 9:41 [kbd] Invalid out of bounds memory read when running make check Hanno Böck
@ 2016-03-27 19:59 ` Felix Janda
2016-04-02 16:36 ` Alexey Gladkov
0 siblings, 1 reply; 3+ messages in thread
From: Felix Janda @ 2016-03-27 19:59 UTC (permalink / raw)
To: Linux console tools development discussion
Subject: ksyms: Fix out of bounds memory read in codetoksym
Bug detected by Hanno Böck using asan.
---
src/libkeymap/ksyms.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libkeymap/ksyms.c b/src/libkeymap/ksyms.c
index 22b1336..3d35ead 100644
--- a/src/libkeymap/ksyms.c
+++ b/src/libkeymap/ksyms.c
@@ -197,7 +197,7 @@ codetoksym(struct lk_ctx *ctx, int code) {
i = ctx->charset;
while (1) {
p = (sym *) charsets[i].charnames;
- if (p) {
+ if (p && (KVAL(code) >= charsets[i].start)) {
p += KVAL(code) - charsets[i].start;
if (p->name[0])
--
2.7.3
Hanno Böck wrote:
> Hi,
>
> When compiling kbd (latest version 2.0.3) with address sanitizer and
> running the test suite (make check) it will show a global out of bounds
> memory read. I have attached the address sanitizer error message at the
> end of this mail.
>
> I have not fully tracked down the bug, but the error happens in the
> file ksyms.c in line 203.
>
> The test that's causing this can be manually run with
> ./libkeymap-dumpkeys ./dumpkeys.ua-ws.map SEPARATE_LINE FALSE
> in the tests dir.
>
> This line from dumpkeys.ua-ws.map causes it:
> altgr keycode 3 = 157
>
> To reproduce:
> ./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
> make
> make check
It segfaults for me on a musl based system without asan. I think that
the patch above should fix it.
Felix
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [kbd] Invalid out of bounds memory read when running make check
2016-03-27 19:59 ` Felix Janda
@ 2016-04-02 16:36 ` Alexey Gladkov
0 siblings, 0 replies; 3+ messages in thread
From: Alexey Gladkov @ 2016-04-02 16:36 UTC (permalink / raw)
To: Linux console tools development discussion
On Sun, Mar 27, 2016 at 08:59:22PM +0100, Felix Janda wrote:
> Subject: ksyms: Fix out of bounds memory read in codetoksym
>
> Bug detected by Hanno Böck using asan.
> ---
> src/libkeymap/ksyms.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/libkeymap/ksyms.c b/src/libkeymap/ksyms.c
> index 22b1336..3d35ead 100644
> --- a/src/libkeymap/ksyms.c
> +++ b/src/libkeymap/ksyms.c
> @@ -197,7 +197,7 @@ codetoksym(struct lk_ctx *ctx, int code) {
> i = ctx->charset;
> while (1) {
> p = (sym *) charsets[i].charnames;
> - if (p) {
> + if (p && (KVAL(code) >= charsets[i].start)) {
> p += KVAL(code) - charsets[i].start;
>
> if (p->name[0])
> --
> 2.7.3
Applied, thanks!
--
Rgrds, legion
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-04-02 16:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-21 9:41 [kbd] Invalid out of bounds memory read when running make check Hanno Böck
2016-03-27 19:59 ` Felix Janda
2016-04-02 16:36 ` Alexey Gladkov
Linux console tools development discussion
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/kbd/0 kbd/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 kbd kbd/ http://lore.altlinux.org/kbd \
kbd@lists.altlinux.org kbd@lists.altlinux.ru kbd@lists.altlinux.com
public-inbox-index kbd
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.kbd
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git