Bug 1643753

Summary: There is a Segmentation fault on unknown address in function _nc_name_match in libncurses6.1
Product: Red Hat Enterprise Linux 7
Reporter: shuitao gan <ganshuitao>
Component: ncurses
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.7-Alt
CC: beuc, dickey, thozza
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-20 15:59:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
Trigger by "./captoinfo POC0" (flags: none)

Description shuitao gan 2018-10-28 12:24:29 UTC
Created attachment 1498272 [details]
Trigger by "./captoinfo POC0"

version: ncurses6.1
Summary: 

There is a Segmentation fault on unknown address in libncurses. 

Description:

The asan debug is as follows:

$./captoinfo POC0

=================================================================
==84588==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d72cf sp 0x7fffba4e11a0 bp 0x7fffba4e34f0 T0)
==84588==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x4d72ce (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4d72ce)
    #1 0x4ef543 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4ef543)
    #2 0x4827a2 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x4827a2)
    #3 0x7f41c86c3a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e428 (/home/company/real_sanitize/poc_check/ncurses/captoinfo_addr+0x47e428)


normal execution as below:

$./captoinfo POC0

Program received signal SIGSEGV, Segmentation fault.
0x0000000000450755 in _nc_name_match ()
(gdb) bt
#0  0x0000000000450755 in _nc_name_match ()
#1  0x00000000004726d1 in _nc_resolve_uses2 ()
#2  0x000000000040662a in main ()

Comment 2 Miroslav Lichvar 2018-10-29 08:57:05 UTC
In RHEL7 there is no ncurses-6.1. Can you please report it on the upstream mailing list?

Comment 3 Huzaifa S. Sidhpurwala 2018-11-27 06:29:41 UTC
(In reply to Miroslav Lichvar from comment #2)
> In RHEL7 there is no ncurses-6.1. Can you please report it on the upstream
> mailing list?

And mention clearly how to reproduce this, instead of sending a termcap file?

Comment 4 Miroslav Lichvar 2018-11-28 15:00:10 UTC
The comment #0 suggests it should be an input of the captoinfo utility. But it doesn't seem to crash for me with the current ncurses-6.1 code (nor the other POC file from the bug #1643754).

It would be good to at least know which ncurses-6.1 version exactly crashed.

I'm CCing the upstream maintainer in case he can make any sense of this.
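
An added example of the kind of reproduction record comments 3 and 4 ask for (exact version, exact command, identity of the input, and a symbolized trace). It is not part of this bug report or of ncurses; it is a small POSIX sh triage helper that runs a tool on one input, classifies the outcome, and asks AddressSanitizer to symbolize frames, which the report's trace lacks ("external symbolizer is not initialized" means ASan could not find llvm-symbolizer). It assumes the tool prints its version with -V (tic/captoinfo do) and that llvm-symbolizer is optional; the stand-in tool used for checking it is constructed, not a real captoinfo.

```shell
#!/bin/sh
# Crash-triage helper (added example; not from the bug report or ncurses).
# Records what maintainers need to reproduce a crash: tool version, exact
# command line, input size and checksum, and how the run ended, with the
# first frames of any sanitizer trace, symbolized when llvm-symbolizer exists.
# Assumption: TOOL prints its version with -V, as tic/captoinfo do.

# classify_run STDERR_FILE EXIT_STATUS
# Prints one of: asan | ok | signal:NAME | error:STATUS
classify_run() {
    if grep -q 'AddressSanitizer' "$1"; then
        echo "asan"                      # sanitizer reported a fault
    elif [ "$2" -eq 0 ]; then
        echo "ok"
    elif [ "$2" -gt 128 ]; then
        signum=$(( $2 - 128 ))           # shell reports "killed by signal N" as 128+N
        echo "signal:$(kill -l "$signum" 2>/dev/null || echo "$signum")"
    else
        echo "error:$2"
    fi
}

# triage_report TOOL INPUT
# Runs TOOL on INPUT once and prints a reproducible record to stdout.
triage_report() {
    tool=$1; input=$2
    errlog=$(mktemp)

    # Let ASan symbolize frames; point it at llvm-symbolizer when available.
    sympath=$(command -v llvm-symbolizer 2>/dev/null || true)
    if [ -n "$sympath" ]; then
        ASAN_SYMBOLIZER_PATH=$sympath; export ASAN_SYMBOLIZER_PATH
    fi
    ASAN_OPTIONS="symbolize=1${ASAN_OPTIONS:+:$ASAN_OPTIONS}"; export ASAN_OPTIONS

    echo "tool: $tool"
    echo "version: $("$tool" -V 2>&1 | head -n 1)"
    echo "input: $input ($(wc -c < "$input" | tr -d ' ') bytes, cksum $(cksum < "$input" | cut -d' ' -f1))"
    echo "command: $tool $input"

    status=0
    "$tool" "$input" >/dev/null 2>"$errlog" || status=$?
    echo "result: $(classify_run "$errlog" "$status")"

    # First frames of any trace (ASan prints them as "    #0 0x... (...)").
    grep '^ *#[0-9]' "$errlog" | head -n 8 || true
    rm -f "$errlog"
}

# Usage (the report's own command line): triage_report ./captoinfo POC0
```

The result line separates a sanitizer-reported fault from a plain signal kill, i.e. the two runs shown in the description, so a reader can tell whether the binary that crashed was instrumented, and the version line answers comment 4's question about which ncurses build produced the trace.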

Comment 5 Thomas E. Dickey 2018-11-28 21:45:53 UTC
It doesn't crash with current ncurses, and as noted is not relevant to RHEL7.
In a quick check, it doesn't crash with ncurses 6.1 release, either.