Bug 2181836 - Neovim :help causes buffer overflow
Summary: Neovim :help causes buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: neovim
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-03-26 12:54 UTC by Mathew Robinson
Modified: 2023-04-15 02:10 UTC (History)
CC: 5 users

Fixed In Version: neovim-0.8.3-4.fc39 neovim-0.8.3-4.fc38 neovim-0.8.3-4.fc37 neovim-0.8.3-4.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-27 07:33:03 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
Coredump from when the :help command is used (19.20 MB, application/x-core)
2023-03-26 12:54 UTC, Mathew Robinson

Description Mathew Robinson 2023-03-26 12:54:22 UTC
Created attachment 1953736
Coredump from when the :help command is used

Description of problem:

With neovim-0.8.3-3.fc38.x86_64, when using the :help or :help <topic> commands in neovim, the program crashes due to a buffer overflow.

*** buffer overflow detected ***: terminated
[1]    65867 IOT instruction (core dumped)  nvim .



Version-Release number of selected component (if applicable):


How reproducible: Always

Steps to Reproduce:
1. Open nvim (it does not seem to matter if a filepath, directory path, or no path is used)
2. Run :help or :help <topic> (such as :help g:clipboard)
3. Observe the crash.

Actual results:

Program crashes

Expected results:

Neovim help docs are shown

Additional info:

This seems to be introduced by a patch that is applied by the package maintainers. I've compiled neovim 0.8.3 from source on Fedora 38 and it does not have this issue.

I have attached a coredump of when this happens:

           PID: 65867 (nvim)
           UID: 1000 (chasinglogic)
           GID: 1000 (chasinglogic)
        Signal: 6 (ABRT)
     Timestamp: Sun 2023-03-26 13:45:48 BST (5min ago)
  Command Line: nvim .
    Executable: /usr/bin/nvim
 Control Group: /user.slice/user-1000.slice/user/app.slice/app-org.gnome.Terminal.slice/vte-spawn-1a25f0e7-1491-4ab1-af83-889a25e6ccfb.scope
          Unit: user
     User Unit: vte-spawn-1a25f0e7-1491-4ab1-af83-889a25e6ccfb.scope
         Slice: user-1000.slice
     Owner UID: 1000 (chasinglogic)
       Boot ID: c2270be640324b9f8a8ef7ed616e7af9
    Machine ID: c041d5c792634062aded0cdbfe41f32d
      Hostname: fedora
       Storage: /var/lib/systemd/coredump/core.nvim.1000.c2270be640324b9f8a8ef7ed616e7af9.65867.1679834748000000.zst (present)
  Size on Disk: 1.7M
       Package: neovim/0.8.3-3.fc38
      build-id: 4a25cec37759f7c6489b3ee8a449d777815d67b2
       Message: Process 65867 (nvim) of user 1000 dumped core.
                
                Module /home/chasinglogic/.local/share/nvim/telescope-fzy-native.nvim/deps/fzy-lua-native/static/libfzy-linux-x86_64.so from rpm neovim-0.8.3-3.fc38.x86_64
                Module libluajit-5.1.so.2 from rpm luajit-2.1.0-0.27beta3.fc38.x86_64
                Module libtree-sitter.so.0 from rpm tree-sitter-0.20.7-2.fc38.x86_64
                Module libunibilium.so.4 from rpm unibilium-2.1.1-4.fc38.x86_64
                Module libtermkey.so.1 from rpm libtermkey-0.22-4.fc38.x86_64
                Module libvterm.so.0 from rpm libvterm-0.3-2.fc38.x86_64
                Module libmsgpackc.so.2 from rpm msgpack-3.1.0-11.fc38.x86_64
                Module libuv.so.1 from rpm libuv-1.44.2-3.fc38.x86_64
                Module luv.so from rpm lua-luv-1.44.2.1-2.fc38.x86_64
                Module nvim from rpm neovim-0.8.3-3.fc38.x86_64
                Stack trace of thread 65867:
                #0  0x00007fd73e3cfb94 __pthread_kill_implementation (libc.so.6 + 0x8eb94)
                #1  0x00007fd73e37eaee raise (libc.so.6 + 0x3daee)
                #2  0x00007fd73e36787f abort (libc.so.6 + 0x2687f)
                #3  0x00007fd73e36860f __libc_message.cold (libc.so.6 + 0x2760f)
                #4  0x00007fd73e463b29 __fortify_fail (libc.so.6 + 0x122b29)
                #5  0x00007fd73e462364 __chk_fail (libc.so.6 + 0x121364)
                #6  0x00007fd73e461f45 __snprintf_chk (libc.so.6 + 0x120f45)
                #7  0x0000555638ff20b1 find_tags (nvim + 0x2a20b1)
                #8  0x0000555638ecd0e1 find_help_tags (nvim + 0x17d0e1)
                #9  0x0000555638ecb6ac ex_help (nvim + 0x17b6ac)
                #10 0x0000555638e91460 execute_cmd0 (nvim + 0x141460)
                #11 0x0000555638e94bf1 do_one_cmd (nvim + 0x144bf1)
                #12 0x0000555638e95798 do_cmdline (nvim + 0x145798)
                #13 0x0000555638f3b9dd nv_colon.lto_priv.0 (nvim + 0x1eb9dd)
                #14 0x0000555638f3900b normal_execute.lto_priv.0 (nvim + 0x1e900b)
                #15 0x0000555638fdb1a4 state_enter (nvim + 0x28b1a4)
                #16 0x0000555638f35e32 normal_enter (nvim + 0x1e5e32)
                #17 0x0000555638efe396 main (nvim + 0x1ae396)
                #18 0x00007fd73e368b4a __libc_start_call_main (libc.so.6 + 0x27b4a)
                #19 0x00007fd73e368c0b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x27c0b)
                #20 0x0000555638dc7a75 _start (nvim + 0x77a75)
                
                Stack trace of thread 65868:
                #0  0x00007fd73e453e72 epoll_wait (libc.so.6 + 0x112e72)
                #1  0x00007fd73e727bd1 uv__io_poll.part.0 (libuv.so.1 + 0x27bd1)
                #2  0x00007fd73e71060a uv_run (libuv.so.1 + 0x1060a)
                #3  0x0000555638e83539 loop_uv_run (nvim + 0x133539)
                #4  0x0000555638e84135 loop_poll_events (nvim + 0x134135)
                #5  0x0000555639005576 tui_main (nvim + 0x2b5576)
                #6  0x00005556390066fe ui_thread_run (nvim + 0x2b66fe)
                #7  0x00007fd73e3cdc57 start_thread (libc.so.6 + 0x8cc57)
                #8  0x00007fd73e453a70 __clone3 (libc.so.6 + 0x112a70)
                ELF object binary architecture: AMD x86-64

Comment 1 Andreas Schneider 2023-03-27 06:23:07 UTC
Yeah, those are all showing up because -D_FORTIFY_SOURCE=3 is the default now. I think we need to backport

https://github.com/neovim/neovim/commit/84027f7515b8ee6f818462f105882fc0052783c4
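
Added example (editor's note, not Neovim code and not the contents of the commit linked above, which is not quoted on this page): the trace shows the abort coming from __snprintf_chk, the fortified snprintf that glibc substitutes when a program is built with -D_FORTIFY_SOURCE. The C program below emulates the one check that entry point makes before formatting anything: the length the caller passes must not exceed the size the compiler knows for the destination. It then shows the pattern that trips it, an snprintf whose length argument is a global limit rather than the real buffer size, beside the corrected call, and computes how far the unfortified version would write past the buffer on a long input. The MAXPATHL constant, the sample paths and the checked_snprintf helper are assumptions made for the example; the real check lives inside glibc and cannot be called with an explicit size.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Neovim code.  checked_snprintf() emulates the test that
 * glibc's __snprintf_chk (frame #6 in the trace above) performs in a
 * fortified build: the `maxlen` handed to snprintf may not exceed the size
 * the compiler knows for the destination object.  Level 3 derives that size
 * with __builtin_dynamic_object_size, so buffers sized at run time are
 * covered too.  Here the known size is passed in explicitly so the program
 * behaves the same at any optimization level. */

enum { CHK_OK = 0, CHK_TRUNC = 1, CHK_BAD_LEN = -1 };

static int checked_snprintf(char *dst, size_t known_size, size_t maxlen,
                            const char *fmt, ...)
{
    if (maxlen > known_size) {
        /* glibc: __chk_fail() -> "*** buffer overflow detected ***: terminated".
         * This fires before formatting, even if the output would have fit. */
        return CHK_BAD_LEN;
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, maxlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        return CHK_BAD_LEN;
    }
    return (size_t)n >= maxlen ? CHK_TRUNC : CHK_OK;
}

/* Hypothetical "generous" limit: the kind of constant that ends up as an
 * snprintf length argument instead of the real allocation size. */
#define MAXPATHL 4096

/* Buggy pattern: the length argument is a global limit, not the buffer's
 * size.  Harmless by luck while paths are short, but a fortified build
 * rejects the call outright because MAXPATHL > known_size. */
static int join_path_buggy(char *buf, size_t buf_size, const char *dir, const char *file)
{
    return checked_snprintf(buf, buf_size, MAXPATHL, "%s/%s", dir, file);
}

/* Fixed pattern: pass the size of the object actually being written. */
static int join_path_fixed(char *buf, size_t buf_size, const char *dir, const char *file)
{
    return checked_snprintf(buf, buf_size, buf_size, "%s/%s", dir, file);
}

/* What the buggy call does without fortification: how many bytes
 * snprintf(buf, MAXPATHL, ...) would write past a buf_size buffer.
 * Computed with snprintf(NULL, 0, ...) so no memory is touched. */
static size_t overflow_bytes_unfortified(size_t buf_size, const char *dir, const char *file)
{
    int needed = snprintf(NULL, 0, "%s/%s", dir, file);
    if (needed < 0) {
        return 0;
    }
    size_t written = (size_t)needed + 1;      /* including the NUL */
    if (written > MAXPATHL) {
        written = MAXPATHL;                   /* snprintf stops at maxlen */
    }
    return written > buf_size ? written - buf_size : 0;
}

/* Constructed long input: a 100-character file name under a sample doc dir. */
static size_t long_name_overflow(size_t buf_size)
{
    char name[101];
    memset(name, 'a', 100);
    name[100] = '\0';
    return overflow_bytes_unfortified(buf_size, "/usr/share/nvim/runtime/doc", name);
}

int main(void)
{
    char buf[64];
    const char *dir = "/usr/share/nvim/runtime/doc";
    printf("buggy call, short name: %d\n", join_path_buggy(buf, sizeof buf, dir, "help.txt"));
    int rc = join_path_fixed(buf, sizeof buf, dir, "help.txt");
    printf("fixed call, short name: %d (%s)\n", rc, buf);
    printf("unfortified overflow with a 100-char name: %zu bytes\n", long_name_overflow(sizeof buf));
    return 0;
}
```

To see the real abort rather than the emulation, replace checked_snprintf with a direct snprintf(buf, MAXPATHL, ...) on a buffer smaller than MAXPATHL and build with `gcc -O2 -D_FORTIFY_SOURCE=3` (fortification needs optimization enabled; level 3 needs glibc 2.34 and GCC 12 or newer). Level 2 only checks sizes the compiler can see as constants, which is one way a latent length mismatch stays silent at level 2 and aborts at level 3. On Fedora, `rpm -E '%{build_cflags}'` shows the distribution default that packages are built with.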

Comment 2 Fedora Update System 2023-03-27 07:29:22 UTC
FEDORA-2023-d1e409413f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d1e409413f

Comment 3 Fedora Update System 2023-03-27 07:33:03 UTC
FEDORA-2023-d1e409413f has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-03-27 09:43:47 UTC
FEDORA-2023-b9ec085715 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b9ec085715

Comment 5 Fedora Update System 2023-03-27 10:30:11 UTC
FEDORA-2023-5e6280ef5d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5e6280ef5d

Comment 6 Mathew Robinson 2023-03-27 19:38:07 UTC
Can confirm that this https://bodhi.fedoraproject.org/updates/FEDORA-2023-b9ec085715 build no longer has this issue and is working for me. Thanks for the quick turn around!

Comment 7 Fedora Update System 2023-03-28 03:27:59 UTC
FEDORA-2023-5e6280ef5d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5e6280ef5d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5e6280ef5d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-03-28 03:42:21 UTC
FEDORA-2023-b9ec085715 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b9ec085715

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-04-04 00:17:28 UTC
FEDORA-2023-b9ec085715 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2023-04-05 01:34:56 UTC
FEDORA-2023-5e6280ef5d has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2023-04-06 12:30:49 UTC
FEDORA-2023-1d9f5179bd has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1d9f5179bd

Comment 12 Fedora Update System 2023-04-07 01:54:47 UTC
FEDORA-2023-1d9f5179bd has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1d9f5179bd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1d9f5179bd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2023-04-15 02:10:10 UTC
FEDORA-2023-1d9f5179bd has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

