From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <felix.janda@posteo.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 sa.local.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00, DNS_FROM_AHBL_RHSBL,
 RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,
 SPF_PASS autolearn=ham autolearn_force=no version=3.4.0
Date: Sun, 27 Mar 2016 20:59:22 +0100
From: Felix Janda <felix.janda@posteo.de>
To: Linux console tools development discussion <kbd@lists.altlinux.org>
Message-ID: <20160327195922.GA13409@nyan>
References: <20160321104152.654b0d38@pc1>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20160321104152.654b0d38@pc1>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [kbd] Invalid out of bounds memory read when running make check
X-BeenThere: kbd@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Linux console tools development discussion <kbd@lists.altlinux.org>
List-Id: Linux console tools development discussion <kbd.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/kbd>,
 <mailto:kbd-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/kbd>
List-Post: <mailto:kbd@lists.altlinux.org>
List-Help: <mailto:kbd-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/kbd>,
 <mailto:kbd-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Mar 2016 19:59:43 -0000
Archived-At: <http://lore.altlinux.org/kbd/20160327195922.GA13409@nyan/>
List-Archive: <http://lore.altlinux.org/kbd/>

Subject: ksyms: Fix out of bounds memory read in codetoksym

Bug detected by Hanno Böck using asan.
---
 src/libkeymap/ksyms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libkeymap/ksyms.c b/src/libkeymap/ksyms.c
index 22b1336..3d35ead 100644
--- a/src/libkeymap/ksyms.c
+++ b/src/libkeymap/ksyms.c
@@ -197,7 +197,7 @@ codetoksym(struct lk_ctx *ctx, int code) {
 		i = ctx->charset;
 		while (1) {
 			p = (sym *) charsets[i].charnames;
-			if (p) {
+			if (p && (KVAL(code) >= charsets[i].start)) {
 				p += KVAL(code) - charsets[i].start;
 
 				if (p->name[0])
-- 
2.7.3

Hanno Böck wrote:
> Hi,
> 
> When compiling kbd (latest version 2.0.3) with address sanitizer and
> running the test suite (make check) it will show a global out of bounds
> memory read. I have attached the address sanitizer error message at the
> end of this mail.
> 
> I have not fully tracked down the bug, but the error happens in the
> file ksyms.c in line 203.
> 
> The test that's causing this can be manually run with
> ./libkeymap-dumpkeys ./dumpkeys.ua-ws.map SEPARATE_LINE FALSE
> in the tests dir.
> 
> This line from dumpkeys.ua-ws.map causes it:
> altgr keycode   3 = 157
> 
> To reproduce:
> ./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
> make
> make check

It segfaults for me on a musl based system without asan. I think that
the patch above should fix it.

Felix