Bug 1139625

Summary: Terminology crashes from catting a file
Product: Fedora
Reporter: Andrew Griffiths <agriffit>
Component: terminology
Assignee: Conrad Meyer <cse.cem+redhatbugz>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 20
CC: bressers, kumarpraveen.nitdgp, security-response-team
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Flags: cse.cem+redhatbugz: needinfo+
Hardware: x86_64
OS: Linux
Whiteboard: fst_owner=kumarpraveen
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-06-30 01:08:37 UTC

Attachments:
cat termcrash -> terminology crashes (flags: none)

Description Andrew Griffiths 2014-09-09 11:06:03 UTC
Created attachment 935648 [details]
cat termcrash -> terminology crashes

Description of problem:

terminology can crash from catting a file; I suspect it is related to the terminal escape code handling.

Version-Release number of selected component (if applicable):

terminology-0.6.1-1.fc20.x86_64
terminology-debuginfo-0.6.1-1.fc20.x86_64

How reproducible:

Almost always (I suspect heap corruption is occurring, due to valgrind messages)

Steps to Reproduce:
1. gunzip termcrash.gz && cat termcrash (in terminology, of course)
2. ?? 
3. Profit! 

Actual results:

terminology crashes. If you run it under valgrind, you can see a variety of error messages, which change over time. One single time, I did not get any crash, despite catting the file multiple times.


$ grep -A2 Invalid ../term.* 
../term.val:==5745== Invalid read of size 8
../term.val-==5745==    at 0x5BC1804: evas_object_textgrid_render (evas_object_textgrid.c:164)
../term.val-==5745==    by 0x5BCA3E9: evas_render_mapped (evas_render.c:1173)
--
../term.val:==5745== Invalid read of size 8
../term.val-==5745==    at 0x5C11980: evas_common_text_props_content_ref (evas_text_utils.c:48)
../term.val-==5745==    by 0x5BC1826: evas_object_textgrid_render (evas_object_textgrid.c:181)
--
../term.val:==5745== Invalid read of size 4
../term.val-==5745==    at 0x5C11989: evas_common_text_props_content_ref (evas_text_utils.c:51)
../term.val-==5745==    by 0x5BC1826: evas_object_textgrid_render (evas_object_textgrid.c:181)
--
../term.val1:==5813== Invalid read of size 8
../term.val1-==5813==    at 0x5BC1804: evas_object_textgrid_render (evas_object_textgrid.c:164)
../term.val1-==5813==    by 0x5BCA3E9: evas_render_mapped (evas_render.c:1173)
--
../term.val1:==5813== Invalid read of size 8
../term.val1-==5813==    at 0x5C11980: evas_common_text_props_content_ref (evas_text_utils.c:48)
../term.val1-==5813==    by 0x5BC1826: evas_object_textgrid_render (evas_object_textgrid.c:181)
--
../term.val1:==5813== Invalid read of size 4
../term.val1-==5813==    at 0x5C11989: evas_common_text_props_content_ref (evas_text_utils.c:51)
../term.val1-==5813==    by 0x5BC1826: evas_object_textgrid_render (evas_object_textgrid.c:181)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BC1804: evas_object_textgrid_render (evas_object_textgrid.c:164)
../term.val2-==5878==    by 0x5BCA3E9: evas_render_mapped (evas_render.c:1173)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5BC216E: evas_object_textgrid_render (string3.h:84)
../term.val2-==5878==    by 0x5BCA3E9: evas_render_mapped (evas_render.c:1173)
--
../term.val2:==5878== Invalid write of size 4
../term.val2-==5878==    at 0x5C11970: evas_common_text_props_script_set (evas_text_utils.c:30)
../term.val2-==5878==    by 0x5BC21BB: evas_object_textgrid_render (evas_object_textgrid.c:173)
--
../term.val2:==5878== Invalid read of size 1
../term.val2-==5878==    at 0x5C11973: evas_common_text_props_script_set (evas_text_utils.c:31)
../term.val2-==5878==    by 0x5BC21BB: evas_object_textgrid_render (evas_object_textgrid.c:173)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5C11D0D: evas_common_text_props_content_create (evas_text_utils.c:510)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5C11D56: evas_common_text_props_content_create (evas_text_utils.c:521)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5C11D5A: evas_common_text_props_content_create (evas_text_utils.c:519)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5C11D72: evas_common_text_props_content_create (evas_text_utils.c:525)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 1
../term.val2-==5878==    at 0x5C11DCF: evas_common_text_props_content_create (evas_text_utils.c:539)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5C11E2D: evas_common_text_props_content_create (evas_text_utils.c:431)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 4
../term.val2-==5878==    at 0x5C11E36: evas_common_text_props_content_create (evas_text_utils.c:434)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5C11FBA: evas_common_text_props_content_create (evas_text_utils.c:496)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5C11FCF: evas_common_text_props_content_create (evas_text_utils.c:549)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5C11FD3: evas_common_text_props_content_create (evas_text_utils.c:550)
../term.val2-==5878==    by 0x5BC2210: evas_object_textgrid_render (evas_object_textgrid.c:174)
--
../term.val2:==5878== Invalid read of size 1
../term.val2-==5878==    at 0x5BC2229: evas_object_textgrid_render (evas_object_textgrid.c:177)
../term.val2-==5878==    by 0x5BCA3E9: evas_render_mapped (evas_render.c:1173)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDAE1: evas_common_font_draw_prepare (evas_font_draw.c:236)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDAEE: evas_common_font_draw_prepare (evas_font_draw.c:236)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDB02: evas_common_font_draw_prepare (evas_font_draw.c:238)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 1
../term.val2-==5878==    at 0x5BFDB0F: evas_common_font_draw_prepare (evas_font_draw.c:241)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDB26: evas_common_font_draw_prepare (evas_font_draw.c:241)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 4
../term.val2-==5878==    at 0x5BFDB2E: evas_common_font_draw_prepare (evas_font_draw.c:246)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid write of size 4
../term.val2-==5878==    at 0x5BFDB35: evas_common_font_draw_prepare (evas_font_draw.c:247)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDB8A: evas_common_font_draw_prepare (evas_font_draw.c:260)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDB97: evas_common_font_draw_prepare (evas_font_draw.c:260)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDBAF: evas_common_font_draw_prepare (evas_font_draw.c:260)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5BFDCB6: evas_common_font_draw_prepare (evas_font_draw.c:280)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDC59: evas_common_font_draw_prepare (evas_font_draw.c:260)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid write of size 4
../term.val2-==5878==    at 0x5BFDC64: evas_common_font_draw_prepare (evas_font_draw.c:292)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid write of size 8
../term.val2-==5878==    at 0x5BFDC68: evas_common_font_draw_prepare (evas_font_draw.c:293)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid write of size 4
../term.val2-==5878==    at 0x5BFDC72: evas_common_font_draw_prepare (evas_font_draw.c:298)
../term.val2-==5878==    by 0x17D86ED0: eng_font_draw (evas_engine.c:1378)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BFDF31: evas_common_font_draw (evas_font_draw.c:361)
../term.val2-==5878==    by 0x17D86EE4: eng_font_draw (evas_engine.c:1379)
--
../term.val2:==5878== Invalid read of size 4
../term.val2-==5878==    at 0x5BFD662: evas_common_font_draw_internal.isra.1 (evas_font_draw.c:45)
../term.val2-==5878==    by 0x5BFDF39: evas_common_font_draw (evas_font_draw.c:361)
--
../term.val2:==5878== Invalid read of size 8
../term.val2-==5878==    at 0x5BC26A9: evas_object_textgrid_row_clear (evas_object_textgrid.c:319)
../term.val2-==5878==    by 0x5BC4DB3: evas_object_textgrid_update_add (evas_object_textgrid.c:1489)
--
../term.val2:==5878== Invalid read of size 4
../term.val2-==5878==    at 0x5C11A1D: evas_common_text_props_content_nofree_unref (evas_text_utils.c:63)
../term.val2-==5878==    by 0x5BC112F: evas_object_textgrid_render_post (evas_object_textgrid.c:861)
ts:

Running it under gdb:

Program received signal SIGSEGV, Segmentation fault.
evas_common_text_props_content_ref (props=props@entry=0xa4c790)
    at evas_text_utils.c:51
51	   props->info->refcount++;

(gdb) p/x props->info
$1 = 0x909090909090909

or

Program received signal SIGSEGV, Segmentation fault.
_op_blend_p_dp_mmx (s=0x0, m=m@entry=0x0, c=<optimized out>, 
    d=d@entry=0x7fffe31a3dec, l=l@entry=3)
    at evas_op_blend/op_blend_pixel_i386.c:11
11		MOV_P2R(*s, mm2, mm0)
(gdb) x/10i $pc
=> 0x7ffff6e1b5c0 <_op_blend_p_dp_mmx+32>:	movd   (%rdi),%mm2

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6df3804 in evas_object_textgrid_textprop_get (obj=<optimized out>, 
    o=<optimized out>, o=<optimized out>, used=0x896538 "", 
    glyphs_index=<optimized out>, codepoint=917587 L'

Comment 1 Andrew Griffiths 2014-09-09 11:22:05 UTC
bugzilla ate some of my post :-( I'll type some stuff in from what I recall.

Expected results:

terminology does not crash.

Additional information:

This is a security issue: it could be triggered via IRC, or by tricking people into catting files to investigate stuff.

Additionally, I've had some gdb crashes where EIP was corrupted, so there is a possibility of arbitrary code execution.

/usr/bin/terminology:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x000000000040ba40

so it does not make use of Position Independent Executable, which makes exploit development easier.

I've had two instances out of a bunch where terminology did not crash (presumably everything it touched was fine.)
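The objdump output above draws its non-PIE conclusion from the EXEC_P flag and the fixed start address. The same check can be made directly from the ELF header: e_type is ET_EXEC for a fixed-address executable and ET_DYN for a position-independent one (ET_DYN alone does not distinguish a PIE from a shared library, so pair it with the file's PT_INTERP if that matters). This is an added example, not code from the report or the Terminology project; the header builder constructs sample headers, one of them using the report's start address, so it runs offline.

```python
import struct

# ELF identification and header constants (System V ABI)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3


def elf_pie_status(header: bytes) -> dict:
    """Classify an ELF image from its header bytes: fixed-address (ET_EXEC,
    what objdump shows as EXEC_P) versus position independent (ET_DYN)."""
    if len(header) < 52 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type = struct.unpack_from(endian + "H", header, 16)[0]   # e_type lives at offset 16
    if ei_class == ELFCLASS64:
        e_entry = struct.unpack_from(endian + "Q", header, 24)[0]  # 8-byte entry point
    elif ei_class == ELFCLASS32:
        e_entry = struct.unpack_from(endian + "I", header, 24)[0]  # 4-byte entry point
    else:
        raise ValueError("unknown ELF class")
    return {
        "e_type": e_type,
        "entry": e_entry,
        "pie": e_type == ET_DYN,          # relocated at load time: PIE or shared object
        "fixed_exec": e_type == ET_EXEC,  # linked at a fixed virtual address: non-PIE
    }


def check_file(path: str) -> dict:
    """Read only the header of an on-disk binary, e.g. /usr/bin/terminology."""
    with open(path, "rb") as f:
        return elf_pie_status(f.read(64))


def make_elf64_header(e_type: int, entry: int) -> bytes:
    """Constructed sample: a minimal little-endian x86-64 ELF64 header (demo only)."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, entry,
                               64, 0, 0, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    # Mirrors the report's objdump output: EXEC_P with start address 0x40ba40.
    print(elf_pie_status(make_elf64_header(ET_EXEC, 0x40BA40)))
    print(elf_pie_status(make_elf64_header(ET_DYN, 0x1040)))
```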

Comment 2 Andrew Griffiths 2014-09-11 00:02:10 UTC
opening as public so that enlightenment upstream can see this issue / access the file

Comment 3 Praveen Kumar 2014-11-01 06:23:22 UTC
terminology package updated; can you please try it out and check if this bug still exists?

[fedora@fad ~]$ yum info terminology
Available Packages
Name        : terminology
Arch        : x86_64
Version     : 0.7.0
Release     : 1.fc20

Comment 5 Fedora End Of Life 2015-05-29 12:49:56 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Fedora Admin XMLRPC Client 2015-06-18 14:09:52 UTC
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Comment 7 Conrad Meyer 2015-06-18 18:21:10 UTC
Still present in 0.7.0.

Comment 8 Conrad Meyer 2015-06-18 18:22:30 UTC
Attempting to clear NEEDINFO...

Comment 9 Conrad Meyer 2015-06-18 18:39:26 UTC
"Fixed" in 0.8.0, in that it no longer crashes Terminology.

Valgrind still spews a bunch of errors, though. I'll follow up upstream...

Comment 10 Conrad Meyer 2015-06-18 18:46:23 UTC
Never mind, it can still crash terminology 0.8.0. It doesn't crash on 100% of attempts, though.

https://phab.enlightenment.org/T2506

Comment 11 Fedora End Of Life 2015-06-30 01:08:37 UTC
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.