Buffer underflow in nano 2.4.2-1ubuntu0.1 causes SIGSEGV

Bug #1539627 reported by Bartłomiej Żogała on 2016-01-29
This bug affects 1 person
Affects: nano (Ubuntu)

Bug Description

nusch@XPS13:~$ touch .the_test.swp
nusch@XPS13:~$ nano the_test
core dumped
LANG env is "pl_PL.UTF"; without it, it doesn't segfault, so the error is connected with Unicode handling.

Compiling nano from source (apt-get source, so the same version) doesn't generate a nano binary which behaves the same way.

The difference is in the libncurses>w< library:
nusch@XPS13:~$ ldd /bin/nano
 linux-vdso.so.1 => (0x00007ffe5cb00000)
 libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 (0x00007fdec11c5000) << with w
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fdec0f9c000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fdec0bd1000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fdec09cd000)
 /lib64/ld-linux-x86-64.so.2 (0x000055cc1e5d6000)
nusch@XPS13:~$ ldd /bin/nano_from_src
 linux-vdso.so.1 => (0x00007ffd22d48000)
 libncurses.so.5 => /lib/x86_64-linux-gnu/libncurses.so.5 (0x00007f75dc891000) << without w
 libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f75dc668000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f75dc29d000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f75dc099000)
 /lib64/ld-linux-x86-64.so.2 (0x000055f9b15ce000)

Backtrace of segfault:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000404047 in ?? ()
(gdb) bt
#0 0x0000000000404047 in ?? ()
#1 0x00007ffff75d1a40 in __libc_start_main (main=0x403770, argc=2, argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:289
#2 0x0000000000404329 in ?? ()

Disassembly of that part of code:
  40401d: 0f 84 3c 01 00 00 je 40415f <__sprintf_chk@plt+0x9ff>
  404023: 83 7c 24 10 00 cmp DWORD PTR [rsp+0x10],0x0
  404028: 75 0a jne 404034 <__sprintf_chk@plt+0x8d4>
  40402a: 81 25 1c e8 22 00 ff and DWORD PTR [rip+0x22e81c],0xffffbfff # 632850 <stderr+0x1f0>
  404031: bf ff ff
  404034: 48 8b 05 dd e7 22 00 mov rax,QWORD PTR [rip+0x22e7dd] # 632818 <stderr+0x1b8>
  40403b: 48 8b 80 90 00 00 00 mov rax,QWORD PTR [rax+0x90]
  404042: 48 85 c0 test rax,rax
  404045: 74 0b je 404052 <__sprintf_chk@plt+0x8f2>
  404047: 83 78 38 00 cmp DWORD PTR [rax+0x38],0x0
  40404b: 7e 05 jle 404052 <__sprintf_chk@plt+0x8f2>
  40404d: e8 3e fc 00 00 call 413c90 <__sprintf_chk@plt+0x10530>
  404052: 48 8b 7c 24 20 mov rdi,QWORD PTR [rsp+0x20]
  404057: 48 85 ff test rdi,rdi
  40405a: 0f 8e b5 00 00 00 jle 404115 <__sprintf_chk@plt+0x9b5>
  404060: 48 8b 74 24 28 mov rsi,QWORD PTR [rsp+0x28]

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nano 2.4.2-1ubuntu0.1
ProcVersionSignature: Ubuntu 4.2.0-25.30-generic 4.2.6
Uname: Linux 4.2.0-25-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Jan 29 15:13:25 2016
InstallationDate: Installed on 2015-05-08 (266 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: nano
UpgradeStatus: Upgraded to wily on 2015-11-15 (74 days ago)

Bartłomiej Żogała (nusch) wrote :
description: updated

When I follow your recipe (touch .the_test.swp; nano the_test), I don't get a segfault but just an error message on the status bar:

  [ Error reading lock file ./.the_test.swp: Not enough data read ]

Please try the command 'nano --ignore --locking the_test' instead (to test only the locking mechanism and exclude any other settings). And please paste the output of the command 'locale' -- because pl_PL.UTF does not look like the name of a locale to me.

Waiting for the info requested in comment #2.

Changed in nano (Ubuntu):
status: New → Incomplete
Bartłomiej Żogała (nusch) wrote :

Hello, I missed your first reply; also sorry for the typo - the locale is pl_PL.UTF-8, not pl_PL.UTF.
Are you sure you are running exactly the same version from the deb package as mine, linked to libncursesw.so.5 (with 'w')? If I recompile from apt-source I get the same result as yours - no unhandled bugs - but it is linked to libncurses.so.5 (without 'w').

I don't use Ubuntu's package; I only run nano built from source.
This is what 'ldd /usr/local/bin/nano' says here:

 linux-gate.so.1 => (0x00d0b000)
 libncursesw.so.5 => /lib/libncursesw.so.5 (0x005dc000)
 libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00110000)
 libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x0029a000)
 /lib/ld-linux.so.2 (0x00d89000)

So, it also uses wide curses (w = wide).

Do you still have the old nano, the one that segfaults?
If yes, could you then provide the output of 'locale',
and of 'touch .XXX.swp && nano --ignore --locking XXX'.

Ping? Bartłomiej?

Bartłomiej Żogała (nusch) wrote :

Hello, this is no longer reproducible for me on any of my machines.

Thanks for confirming. Strangely, I was now able to reproduce the crash with your recipe on nano-2.4.2.

I think it has been fixed since then by commit 8a06dfa on August 2 last year, which was a fix for a Debian bug [1],
which went into 2.4.3 and later.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787914
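The status-bar message quoted earlier in this thread ("Not enough data read") is the symptom of the kind of check that stops a 0-byte lock file from being parsed as if it were complete. The program below is an added example written for this page, not nano's code and not the fix referenced above; its lock-file layout (tag, pid, user and host fields inside the first 48 bytes of a 1024-byte file), the names `parse_lock_buffer`, `read_lockfile`, `make_sample_lock` and `self_check`, and all sample values are constructed for the illustration. The point it demonstrates is that the parser is handed the byte count `fread()` actually returned, and rejects anything shorter than the fields it is about to read, rather than trusting the buffer's capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed lock-file layout for this example only; it is NOT nano's or
 * vim's real format.  Every field the parser uses ends at or before
 * LOCK_MIN_BYTES, so anything shorter is rejected before it is touched. */
#define LOCK_SIZE      1024  /* length of a well-formed lock file        */
#define LOCK_MIN_BYTES 48    /* last field used below ends at byte 48   */
#define OFF_MAGIC      0     /* 8-byte ASCII tag "LOCKv001"              */
#define OFF_PID        8     /* 4-byte little-endian pid of the locker   */
#define OFF_USER       12    /* 16 bytes, NUL-padded user name           */
#define OFF_HOST       28    /* 20 bytes, NUL-padded host name           */

enum lock_status {
    LOCK_OK = 0,
    LOCK_IO_ERROR,     /* open or read failed                      */
    LOCK_SHORT_READ,   /* file shorter than LOCK_MIN_BYTES         */
    LOCK_BAD_MAGIC     /* long enough, but the tag does not match  */
};

struct lockinfo {
    uint32_t pid;
    char user[17];     /* one extra byte for the NUL we always add */
    char host[21];
};

/* Copy a NUL-padded fixed-width field and terminate it unconditionally. */
static void copy_field(char *dst, const unsigned char *src, size_t width)
{
    memcpy(dst, src, width);
    dst[width] = '\0';
}

/* Parse only what was actually read.  `len` must be the fread() count, never
 * the capacity of `buf`: the 0-byte .swp from the recipe in this report
 * arrives here as len == 0 and is refused instead of having fields pulled
 * out of bytes that were never filled in. */
enum lock_status parse_lock_buffer(const unsigned char *buf, size_t len,
                                   struct lockinfo *out)
{
    if (len < LOCK_MIN_BYTES)
        return LOCK_SHORT_READ;               /* "Not enough data read" */
    if (memcmp(buf + OFF_MAGIC, "LOCKv001", 8) != 0)
        return LOCK_BAD_MAGIC;
    out->pid = (uint32_t)buf[OFF_PID]
             | (uint32_t)buf[OFF_PID + 1] << 8
             | (uint32_t)buf[OFF_PID + 2] << 16
             | (uint32_t)buf[OFF_PID + 3] << 24;
    copy_field(out->user, buf + OFF_USER, 16);
    copy_field(out->host, buf + OFF_HOST, 20);
    return LOCK_OK;
}

/* Read a lock file from disk and hand the real byte count to the parser. */
enum lock_status read_lockfile(const char *path, struct lockinfo *out)
{
    unsigned char buf[LOCK_SIZE];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return LOCK_IO_ERROR;
    size_t n = fread(buf, 1, sizeof buf, f);
    int failed = ferror(f);
    fclose(f);
    return failed ? LOCK_IO_ERROR : parse_lock_buffer(buf, n, out);
}

/* Build a well-formed sample lock file in memory (constructed test data). */
size_t make_sample_lock(unsigned char *buf, uint32_t pid,
                        const char *user, const char *host)
{
    memset(buf, 0, LOCK_SIZE);
    memcpy(buf + OFF_MAGIC, "LOCKv001", 8);
    for (int i = 0; i < 4; i++)
        buf[OFF_PID + i] = (unsigned char)((pid >> (8 * i)) & 0xff);
    strncpy((char *)buf + OFF_USER, user, 16);   /* parser re-terminates */
    strncpy((char *)buf + OFF_HOST, host, 20);
    return LOCK_SIZE;
}

/* Round trip: 1 when an empty buffer is refused, a well-formed buffer parses
 * back to the values it was built from, and a corrupted tag is detected. */
int self_check(void)
{
    unsigned char buf[LOCK_SIZE];
    struct lockinfo li;
    size_t n = make_sample_lock(buf, 4242u, "nusch", "XPS13");
    if (parse_lock_buffer(buf, 0, &li) != LOCK_SHORT_READ) return 0;
    if (parse_lock_buffer(buf, n, &li) != LOCK_OK) return 0;
    if (li.pid != 4242u || strcmp(li.user, "nusch") || strcmp(li.host, "XPS13"))
        return 0;
    memset(buf, 0, 8);                        /* corrupt the tag */
    return parse_lock_buffer(buf, n, &li) == LOCK_BAD_MAGIC;
}

int main(int argc, char **argv)
{
    struct lockinfo li;
    const char *path = argc > 1 ? argv[1] : ".the_test.swp";
    enum lock_status st = read_lockfile(path, &li);
    if (st == LOCK_OK)
        printf("%s: locked by %s@%s (pid %u)\n", path, li.user, li.host, (unsigned)li.pid);
    else if (st == LOCK_SHORT_READ)
        printf("Error reading lock file %s: Not enough data read\n", path);
    else if (st == LOCK_BAD_MAGIC)
        printf("%s: not a lock file\n", path);
    else
        perror(path);
    return st == LOCK_OK ? 0 : 1;
}
```

Running it against the report's recipe (`touch .the_test.swp && ./a.out .the_test.swp`) prints the short-read error and exits non-zero; a file produced by `make_sample_lock` parses cleanly. The design choice worth copying is the split between reading and parsing: `read_lockfile` never interprets bytes itself, and `parse_lock_buffer` has no way to see the buffer except through the length it was given, so a truncated file cannot reach the field extraction.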

Changed in nano (Ubuntu):
status: Incomplete → Fix Committed
Changed in nano (Ubuntu):
status: Fix Committed → Fix Released