Bug 2188229
| Summary: | Buffer overflow when running :command Explore | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | troiganto+redhat |
| Component: | neovim | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 38 | CC: | aron, asn, gchamoul, igor.raits, michel |
| Target Milestone: | --- | Keywords: | Desktop |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | neovim-0.9.0-2.fc39 neovim-0.9.0-2.fc37 neovim-0.9.0-2.fc38 neovim-0.9.0-3.fc39 neovim-0.9.0-3.fc37 neovim-0.9.0-3.fc38 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-04-21 18:10:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is probably related to FORTIFY_SOURCE=3 which is set by default on F38 and newer. I can reproduce it but not get a backtrace with gdb. WTH? I have a fix https://github.com/neovim/neovim/pull/23225 FEDORA-2023-72f222f95f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-72f222f95f FEDORA-2023-72f222f95f has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-0176e4ef56 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0176e4ef56 FEDORA-2023-9bb5e74036 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-9bb5e74036 FEDORA-2023-9bb5e74036 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-9bb5e74036` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9bb5e74036 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-0176e4ef56 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0176e4ef56` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0176e4ef56 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-9bb5e74036 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-0176e4ef56 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. Hmmm, this is strange. I _think_ I have received the update, but can still reproduce the crash.
Is there something I've missed and I'm still running the old version by accident?
```
$ dnf list neovim
neovim.x86_64 0.9.0-2.fc38 @updates
$ dnf changelog neovim | head -n5
Auflistung aller Änderungsprotokolle
Änderungsprotokolle für neovim-0.9.0-2.fc38.x86_64
* Fr 21 Apr 2023 00:00:00 Andreas Schneider <asn> - 0.9.0-2
- resolves: rhbz#2188229 - Fix buffer overflow for user command
$ nvim --clean --headless '+command Explore'
Name Args Address Complete Definition
!| Explore *** buffer overflow detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)
```
Thanks to your PR, I managed to get a stacktrace this time and it looks identical to the original one:
```
Breakpoint 2, __pthread_kill_implementation (threadid=140737349343040, signo=signo@entry=6,
no_tid=no_tid@entry=0) at pthread_kill.c:29
29 {
(gdb) bt
#0 __pthread_kill_implementation (threadid=140737349343040, signo=signo@entry=6,
no_tid=no_tid@entry=0) at pthread_kill.c:29
#1 0x00007ffff7c248b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>)
at pthread_kill.c:78
#2 0x00007ffff7bd3abe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff7bbc87f in __GI_abort () at abort.c:79
#4 0x00007ffff7bbd60f in __libc_message (
fmt=fmt@entry=0x7ffff7d372e6 "*** %s ***: terminated\n")
at ../sysdeps/posix/libc_fatal.c:150
#5 0x00007ffff7cb8979 in __GI___fortify_fail (
msg=msg@entry=0x7ffff7d3728c "buffer overflow detected") at fortify_fail.c:24
#6 0x00007ffff7cb71b4 in __GI___chk_fail () at chk_fail.c:28
#7 0x00007ffff7cb6d95 in ___snprintf_chk (s=s@entry=0x55555593a6a5 <IObuff+5> "t' item",
maxlen=maxlen@entry=1025, flag=flag@entry=2, slen=slen@entry=1020,
format=format@entry=0x5555558b82a6 "%ldc") at snprintf_chk.c:29
#8 0x000055555581b59f in snprintf (__fmt=0x5555558b82a6 "%ldc", __n=1025,
__s=0x55555593a6a5 <IObuff+5> "t' item") at /usr/include/bits/stdio2.h:54
#9 uc_list (name=name@entry=0x555555a16558 "Explore", name_len=name_len@entry=7)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/usercmd.c:534
#10 0x000055555581c8a0 in ex_command (eap=0x7fffffffd540)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/usercmd.c:1009
#11 0x00005555556a3537 in execute_cmd0 (retv=retv@entry=0x7fffffffd534,
eap=eap@entry=0x7fffffffd540, errormsg=errormsg@entry=0x7fffffffd538,
preview=preview@entry=false)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:1620
#12 0x00005555556a6c55 in do_one_cmd (cmdlinep=cmdlinep@entry=0x7fffffffd798,
flags=flags@entry=10, cstack=cstack@entry=0x7fffffffd820, fgetline=fgetline@entry=0x0,
cookie=cookie@entry=0x0)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:2279
#13 0x00005555556a77fe in do_cmdline (cmdline=<optimized out>, fgetline=fgetline@entry=0x0,
cookie=cookie@entry=0x0, flags=flags@entry=10)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:578
#14 0x00005555556a8e75 in do_cmdline_cmd (cmd=<optimized out>)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:281
#15 0x00005555555cea5e in exe_commands (parmp=parmp@entry=0x7fffffffde20)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/main.c:1894
#16 0x00005555555d1671 in main (argc=<optimized out>, argv=<optimized out>)
at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/main.c:579
```
My operating environment is a toolbox inside Fedora 38 Silverblue, if that's any help.
FEDORA-2023-04f5e75b59 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-04f5e75b59 FEDORA-2023-04f5e75b59 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-8a9dba1391 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-8a9dba1391 FEDORA-2023-4e9899dcb1 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4e9899dcb1 FEDORA-2023-8a9dba1391 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-8a9dba1391` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-8a9dba1391 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-4e9899dcb1 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4e9899dcb1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4e9899dcb1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-4e9899dcb1 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-8a9dba1391 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. |
Running `:command <name>` with the name of several built-in user commands (i.e. starts with an uppercase letter) causes neovim to terminate with a detected buffer overflow. The following commands produce the error: Explore, Hexplore, Inspect, InspectTree, Lexplore, NetUserPass, NetrwClean, NetrwSettings, Nread, Sexplore, Texplore, Vexplore The following commands produce no error and instead show the location of definition of the command (as expected) DoMatchParen, Man, MatchDebug, Nexplore, NoMatchParen, Nsource, Ntree, Nwrite, Pexplore, TOhtml, Tutor, UpdateRemotePlugins, Vimuntar Reproducible: Always Steps to Reproduce: 1. `dnf install -y neovim` 2. `nvim --clean` 3. type into the editor: `:command Explore` Actual Results: Neovim detects a buffer overflow, terminates and immediately clears the screen. (Screen clearing can be prevented by setting the `TERM` environment variable to a bogus value.) Expected Results: Neovim lists all commands whose name starts with "Explore": ``` Name Args Address Complete Definition !| Explore * 0c ? dir call netrw#Explore(<count>,0,0+<bang>0,<q-args>) ``` This bug has been reproduced on the container images fedora:38 and fedora-toolbox:38, and fedora:rawhide. It couldn't be reproduced on independent Arch Linux and NixOS boxes. The bug does not appear in the fedora:37 container image. It does not appear in classical `vi`. The upstream AppImage distributions of Neovim (0.9.0 and latest dev release) don't show the bug either.