wget crashed with SIGSEGV in __memset_avx2()

Bug #1573307 reported by Evan Garofalo on 2016-04-21
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
wget (Ubuntu) | | Medium | Unassigned |
Xenial | | High | Brian Murray |

Bug Description

[Impact]
 * wget will crash while displaying the progress bar in a narrow terminal
 * Upstream has already fixed this issue in commits 7099f489 and 7cb9efa6
Steps to reproduce:
  1. execute "wget http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest" in a narrow terminal (such as a width of less than 40 characters)
Problems:
  1. wget crashes with a segmentation fault
Expected behavior:
  1. wget will not crash

[Test Case]
  After upgrading to the new version, repeating the above steps should give the expected behavior.

[Regression Potential]
  The potential for causing a regression is relatively small for a two-line change to an assertion check

[Other Info]

EDIT(other user): The crash actually happens when the terminal window is too small.

When I try to download a big file with wget on Ubuntu 16.04 it crashes after a couple seconds.

To reproduce the bug try the following:

wget http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso

I've asked another guy on IRC on channel #ubuntu-it to try and reproduce this bug
and he said it was crashing also on his machine.

evan@HPPC:~$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04

evan@HPPC:~$ apt-cache policy wget
wget:
  Installato: 1.17.1-1ubuntu1
  Candidato: 1.17.1-1ubuntu1
  Tabella versione:
 *** 1.17.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: wget 1.17.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Apr 22 01:34:10 2016
ExecutablePath: /usr/bin/wget
InstallationDate: Installed on 2016-04-21 (0 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
ProcCmdline: wget http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso
SegvAnalysis:
 Segfault happened at: 0x7f4eac3b7328 <__memset_avx2+392>: rep stos %al,%es:(%rdi)
 PC (0x7f4eac3b7328) ok
 source "%al" ok
 destination "%es:(%rdi)" (0x562969134000) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: wget
StacktraceTop:
 __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
 ?? ()
 ?? ()
 ?? ()
 ?? ()
Title: wget crashed with SIGSEGV in __memset_avx2()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Evan Garofalo (evangarofalo) wrote :
information type: Private → Public

StacktraceTop:
 __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
 memset (__len=18446744073709551615, __ch=32, __dest=0x562969119a30) at /usr/include/x86_64-linux-gnu/bits/string3.h:90
 create_image (bp=bp@entry=0x56296911c450, dl_total_time=4.3320905730000003, done=done@entry=false) at ../../src/progress.c:1167
 bar_draw (progress=0x56296911c450) at ../../src/progress.c:658
 fd_read_body (downloaded_filename=<optimized out>, fd=fd@entry=4, out=out@entry=0x56296911a0f0, toread=1485881344, startpos=<optimized out>, qtyread=qtyread@entry=0x7ffed2993620, qtywritten=0x7ffed29935d0, elapsed=0x7ffed2993628, flags=1, out2=0x0) at ../../src/retr.c:417

Changed in wget (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Evan Garofalo (evangarofalo) wrote :

I've downloaded the source package and debugged it... this seems related to a bug that is being discussed on the wget
mailing list at the following url: http://lists.gnu.org/archive/html/bug-wget/2016-02/msg00033.html

They say this happens with a small terminal window... but for me it happens no matter how big the terminal is...
I've tried to run wget with "quiet" mode and also changing the progress from "bar" to "dot" and it works ...
anyways this is the backtrace done with gdb and you can see the padding is negative. Hope it helps :-)

evan@HPPC:~/Scaricati/wget-1.17.1/src$ gdb --args ./wget http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso
GNU gdb (Ubuntu 7.11-0ubuntu1) 7.11
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./wget...done.

(gdb) run
Starting program: /home/evan/Scaricati/wget-1.17.1/src/wget http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso
--2016-04-22 02:31:01-- http://releases.ubuntu.com/16.04/ubuntu-16.04-desktop-amd64.iso
Risoluzione di releases.ubuntu.com... 91.189.92.163, 2001:6b0:e:2018::1337
Connessione a releases.ubuntu.com|91.189.92.163|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 302 Found
Posizione: http://d3f216qdpm0le3.cloudfront.net/ubuntu-16.04-desktop-amd64.iso [segue]
--2016-04-22 02:31:01-- http://d3f216qdpm0le3.cloudfront.net/ubuntu-16.04-desktop-amd64.iso
Risoluzione di d3f216qdpm0le3.cloudfront.net... 54.192.25.79, 54.192.25.232, 54.192.25.72, ...
Connessione a d3f216qdpm0le3.cloudfront.net|54.192.25.79|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 200 OK
Lunghezza: 1485881344 (1,4G) [application/x-iso9660-image]
Salvataggio in: "ubuntu-16.04-desktop-amd64.iso.1"

ubuntu-16.04-desktop-amd64.iso.1 0%[ ] 2,74M 996KB/s
Program received signal SIGSEGV, Segmentation fault.
__memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
161 ../sysdeps/x86_64/multiarch/memset-avx2.S: File o directory non esistente.

(gdb) backtrace
#0 __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
#1 0x0000000000431ac2 in create_image (bp=0x690220, dl_total_time=3,0172397000000002, done=false) at progress.c:1167
#2 0x0000000000430950 in bar_draw (progress=0x690220) at progress.c:658
#3 0x000000000042fd62 in progress_update (progress=0x690220, howmuch=1440, dltime=3,0172397000000002) at progress.c:188
#4 0x0000000000435689 in fd_read_body (downloaded_filename=0x68804...


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wget (Ubuntu):
status: New → Confirmed
Giuseppe D'Angelo (dangelo) wrote :

Guys, this is a serious bug. (In Debian it would be called "important").

Could you please just upgrade to wget 1.18, or at least backport

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=7099f4899880eaefc2c40a3dc7693ab4174a819b

so that wget stops being unusable for ordinary usage?

Patrick Roncagliolo (roncapat) wrote :

Hi,

patrick@patrick-W230SD:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

patrick@patrick-W230SD:~$ uname -srp
Linux 4.8.0 x86_64

patrick@patrick-W230SD:~$ apt policy wget
wget:
  Installato: 1.17.1-1ubuntu1.1
  Candidato: 1.17.1-1ubuntu1.1
  Tabella versione:
 *** 1.17.1-1ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.17.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

patrick@patrick-W230SD:~$ gdb --args wget http://download.altera.com/akdlm/software/acdsinst/16.0.2/222/ib_tar/Quartus-lite-16.0.2.222-linux.tar --limit-rate=200k
(gdb) r
Starting program: /usr/bin/wget http://download.altera.com/akdlm/software/acdsinst/16.0.2/222/ib_tar/Quartus-lite-16.0.2.222-linux.tar --limit-rate=200k
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
--2016-10-09 11:05:27-- http://download.altera.com/akdlm/software/acdsinst/16.0.2/222/ib_tar/Quartus-lite-16.0.2.222-linux.tar
Risoluzione di download.altera.com (download.altera.com)... 213.254.17.232, 213.254.17.225
Connessione a download.altera.com (download.altera.com)|213.254.17.232|:80... connesso.
Richiesta HTTP inviata, in attesa di risposta... 200 OK
Lunghezza: 13122283520 (12G) [application/x-tar]
Salvataggio in: "Quartus-lite-16.0.2.222-linux.tar.3"

 Quartus-lite-16.0.2.222-l 0%[ ] 582,49K 200KB/s
Program received signal SIGSEGV, Segmentation fault.
__memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
161 ../sysdeps/x86_64/multiarch/memset-avx2.S: File o directory non esistente.

patrick@patrick-W230SD:~$ wget http://download.altera.com/akdlm/software/acdsinst/16.0.2/222/ib_tar/Quartus-lite-16.0.2.222-linux.tar --limit-rate=200k -c -b
Prosecuzione in background, pid 6146.
L'output sarà scritto su "wget-log".

patrick@patrick-W230SD:~$ progress -p 6146
[ 6146] wget /home/patrick/Quartus-lite-16.0.2.222-linux.tar
 100.0% (340.3 MiB / 340.3 MiB)

Comment:
background execution ok, seg fault while displaying download of large files (12 Gb in this case).

mike (mike5346874) wrote :

Yea, seriously, this is an important bug.

description: updated

This issue can be reproduced with the following command. It is more easily reproduced in a narrow terminal (such as 40 characters wide)

wget http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.iso

This issue has been fixed by the following commit
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=7099f4899880eaefc2c40a3dc7693ab4174a819b

From 7099f4899880eaefc2c40a3dc7693ab4174a819b Mon Sep 17 00:00:00 2001
From: Darshit Shah <email address hidden>
Date: Mon, 22 Feb 2016 15:08:15 +0100
Subject: [PATCH] Sanitize value sent to memset to prevent SEGFAULT

---
 src/progress.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/progress.c b/src/progress.c
index 93f6246..8a5df21 100644
--- a/src/progress.c
+++ b/src/progress.c
@@ -1164,6 +1164,8 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done)
     }

   padding = bp->width - count_cols (bp->buffer);
+ assert (padding > 0 && "Padding length became non-positive!");
+ padding = padding > 0 ? padding : 0;
   memset (p, ' ', padding);
   p += padding;
   *p = '\0';
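Review bot: the added assert uses `padding > 0`, so an assert-enabled build aborts when padding is exactly 0, a value that the clamp on the next line and `memset (p, ' ', padding)` handle safely; `padding >= 0` expresses the real invariant. The clamp also only works if `padding` is a signed type, which this hunk does not show, and it silently hides the underlying condition (count_cols (bp->buffer) larger than bp->width) when assertions are off, so a short comment saying why the clamp exists would help.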
@@ -1174,6 +1176,9 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done)
    * from the release code since we do not want Wget to crash and burn when the
    * assertion fails. Instead Wget should continue downloading and display a
    * horrible and irritating progress bar that spams the screen with newlines.
+ *
+ * By default, all assertions are disabled in a Wget build and are enabled
+ * only with the --enable-assert configure option.
    */
   assert (count_cols (bp->buffer) == bp->width);
 }
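Review bot: the unchanged `assert (count_cols (bp->buffer) == bp->width);` below this comment looks like it will still fail in an `--enable-assert` build whenever the new clamp took effect, because a negative padding means the buffer already holds more columns than bp->width and nothing in the visible lines shortens it. Consider relaxing that check or stating in the comment that the over-wide case is now expected. The added sentence about assertions being off by default is also worth repeating next to the new assert in the first hunk, since it means the clamp is the only guard in a default build.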
--
2.7.4
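The length conversion behind the `__len=18446744073709551615` frame in the retraced stack, next to the clamp from the patch above, as an added example that is not wget's code. The names `cols`, `unchecked_fill_len`, `clamped_fill_len` and `pad_line` are hypothetical, `cols` assumes one column per byte, and the capacity check in `pad_line` goes beyond the upstream change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for wget's count_cols(): one column per byte (ASCII only). */
static int cols(const char *s) { return (int) strlen(s); }

/* Length memset() receives when the signed padding is passed unchecked:
   the int converts to size_t, so -1 becomes SIZE_MAX. */
size_t unchecked_fill_len(int width, const char *line)
{
    int padding = width - cols(line);
    return (size_t) padding;
}

/* Same computation with the clamp from the patch applied. */
size_t clamped_fill_len(int width, const char *line)
{
    int padding = width - cols(line);
    padding = padding > 0 ? padding : 0;
    return (size_t) padding;
}

/* Pad buf (capacity cap, already holding a NUL-terminated line) with spaces
   up to width columns. Returns the resulting column count, or -1 if the
   padded line would not fit in the buffer. */
int pad_line(char *buf, size_t cap, int width)
{
    size_t used = strlen(buf);
    size_t fill = clamped_fill_len(width, buf);
    if (used + fill + 1 > cap)
        return -1;
    memset(buf + used, ' ', fill);
    buf[used + fill] = '\0';
    return cols(buf);
}

int main(void)
{
    /* Constructed progress line, wider than the 20-column terminal below. */
    char line[64] = "file.iso   0%[ ]   2,74M  996KB/s";
    printf("unchecked memset length: %zu\n", unchecked_fill_len(20, line));
    printf("clamped memset length:   %zu\n", clamped_fill_len(20, line));
    printf("columns after pad_line:  %d\n", pad_line(line, sizeof line, 20));
    return 0;
}
```

The last value printed is larger than the requested width: the clamp stops the oversized write but the line stays over-wide.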

The attachment "wget_1.17.1-1ubuntu1.2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

Hi,

I made a testing PPA at ppa:swem/lp1573307
Please help to check if it can fix this issue for you.

Brian Murray (brian-murray) wrote :

Your debdiff contains (LP: 1573307) while this might work (i.e. Launchpad-Bugs-Fixed will be properly created for this bug number) the syntax most commonly used is LP: #1573307. Notice the missing "#".

Changed in wget (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Brian Murray (brian-murray) wrote :

I'll upload this to the SRU queue, but it would be good if a test case and other information were added to the bug description per http://wiki.ubuntu.com/StableReleaseUpdates.

Changed in wget (Ubuntu):
status: Confirmed → Fix Released
Changed in wget (Ubuntu Xenial):
assignee: nobody → Brian Murray (brian-murray)
status: Triaged → In Progress

Hi, Murray

Thanks for your help, I will update the bug description.

Also, after checking the latest wget source code, I think upstream commit http://git.savannah.gnu.org/cgit/wget.git/commit/?id=7cb9efa668f80ab5ca4d25133c3133e10473d1ef is also needed.

From 7cb9efa668f80ab5ca4d25133c3133e10473d1ef Mon Sep 17 00:00:00 2001
From: Darshit Shah <email address hidden>
Date: Sat, 5 Mar 2016 11:58:53 +0100
Subject: [PATCH] Fix assertion in Progress bar

    * src/progress.c (create_image): Fix off-by-one error in assert()
    statement for progress bar width.
    Reported-By: Gisle Vanem <email address hidden>
---
 src/progress.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/progress.c b/src/progress.c
index 8a5df21..481e21e 100644
--- a/src/progress.c
+++ b/src/progress.c
@@ -1164,7 +1164,7 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done)
     }

   padding = bp->width - count_cols (bp->buffer);
- assert (padding > 0 && "Padding length became non-positive!");
+ assert (padding >= 0 && "Padding length became non-positive!");
   padding = padding > 0 ? padding : 0;
   memset (p, ' ', padding);
   p += padding;
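Review bot: with the condition changed to `padding >= 0`, the message string "Padding length became non-positive!" no longer matches what is checked, since zero is now accepted. Suggest "Padding length became negative!" so an assertion failure reports the actual condition.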
--
2.7.4

Update debdiff

description: updated

Hello Evan, or anyone else affected,

Accepted wget into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/wget/1.17.1-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in wget (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Simon Déziel (sdeziel) on 2017-03-09
tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote :

Simon - could you explain how you went about testing this?

Robie Basak (racb) wrote :

This fix still needs testing. Please see comment 17 - explain what testing you did and what version you tested before changing the tag to verification-done.

tags: added: verification-needed
removed: verification-done

After enabling xenial-proposed and upgrading wget to 1.17.1-1ubuntu1.2, this issue is fixed.

Steps to reproduce:
1. download http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest via wget within narrow terminal (< 40 characters)

==== wget 1.17.1-1ubuntu1.1 ====
$ wget http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest
--2017-03-28 07:06:55-- http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest
Resolving old-releases.ubuntu.com (old-releases.ubuntu.com)... 91.189.88.17
Connecting to old-releases.ubuntu.com (old-releases.ubuntu.com)|91.189.88.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64142 (63K) [application/x-ms-manifest]
Saving to: 'ubuntu-16.04-desktop-amd64.manifest.2'

Segmentation fault (core dumped)
========

==== wget 1.17.1-1ubuntu1.2 ====
$ wget http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest
--2017-03-28 07:07:17-- http://old-releases.ubuntu.com/releases/16.04.0/ubuntu-16.04-desktop-amd64.manifest
Resolving old-releases.ubuntu.com (old-releases.ubuntu.com)... 91.189.88.17
Connecting to old-releases.ubuntu.com (old-releases.ubuntu.com)|91.189.88.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64142 (63K) [application/x-ms-manifest]
Saving to: 'ubuntu-16.04-desktop-amd64.manifest.3'

ubuntu-16.04-desktop-amd64.manifest.3 100%[==========================================================================>] 62.64K --.-KB/s in 0.007s

2017-03-28 07:07:17 (8.19 MB/s) - 'ubuntu-16.04-desktop-amd64.manifest.3' saved [64142/64142]
====

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wget - 1.17.1-1ubuntu1.2

---------------
wget (1.17.1-1ubuntu1.2) xenial-proposed; urgency=medium

  * debian/patches/Sanitize-value-sent-to-memset-to-prevent-SEGFAULT.patch
    upstream commited 7099f489 patch to fix segmentation fault (LP: #1573307)

 -- Chen-Han Hsiao (Stanley) <email address hidden> Fri, 24 Feb 2017 12:24:53 -0800

Changed in wget (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for wget has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
