Running `:command <name>` with the name of several built-in user commands (i.e. starts with an uppercase letter) causes neovim to terminate with a detected buffer overflow.

The following commands produce the error: Explore, Hexplore, Inspect, InspectTree, Lexplore, NetUserPass, NetrwClean, NetrwSettings, Nread, Sexplore, Texplore, Vexplore

The following commands produce no error and instead show the location of definition of the command (as expected): DoMatchParen, Man, MatchDebug, Nexplore, NoMatchParen, Nsource, Ntree, Nwrite, Pexplore, TOhtml, Tutor, UpdateRemotePlugins, Vimuntar

Reproducible: Always

Steps to Reproduce:
1. `dnf install -y neovim`
2. `nvim --clean`
3. type into the editor: `:command Explore`

Actual Results:
Neovim detects a buffer overflow, terminates and immediately clears the screen. (Screen clearing can be prevented by setting the `TERM` environment variable to a bogus value.)

Expected Results:
Neovim lists all commands whose name starts with "Explore":
```
    Name              Args Address Complete    Definition
!|  Explore           *    0c      ? dir       call netrw#Explore(<count>,0,0+<bang>0,<q-args>)
```

This bug has been reproduced on the container images fedora:38 and fedora-toolbox:38, and fedora:rawhide. It couldn't be reproduced on independent Arch Linux and NixOS boxes. The bug does not appear in the fedora:37 container image. It does not appear in classical `vi`. The upstream AppImage distributions of Neovim (0.9.0 and latest dev release) don't show the bug either.
This is probably related to FORTIFY_SOURCE=3 which is set by default on F38 and newer. I can reproduce it but not get a backtrace with gdb. WTH?
I have a fix https://github.com/neovim/neovim/pull/23225
FEDORA-2023-72f222f95f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-72f222f95f
FEDORA-2023-72f222f95f has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-0176e4ef56 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0176e4ef56
FEDORA-2023-9bb5e74036 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-9bb5e74036
FEDORA-2023-9bb5e74036 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-9bb5e74036` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9bb5e74036 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-0176e4ef56 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0176e4ef56` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0176e4ef56 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-9bb5e74036 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-0176e4ef56 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
Hmmm, this is strange. I _think_ I have received the update, but can still reproduce the crash. Is there something I've missed and I'm still running the old version by accident?

```
$ dnf list neovim
neovim.x86_64    0.9.0-2.fc38    @updates
$ dnf changelog neovim | head -n5
Auflistung aller Änderungsprotokolle
Änderungsprotokolle für neovim-0.9.0-2.fc38.x86_64
* Fr 21 Apr 2023 00:00:00 Andreas Schneider <asn> - 0.9.0-2
- resolves: rhbz#2188229 - Fix buffer overflow for user command
$ nvim --clean --headless '+command Explore'
    Name              Args Address Complete    Definition
!|  Explore
*** buffer overflow detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)
```

Thanks to your PR, I managed to get a stacktrace this time and it looks identical to the original one:

```
Breakpoint 2, __pthread_kill_implementation (threadid=140737349343040, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:29
29      {
(gdb) bt
#0  __pthread_kill_implementation (threadid=140737349343040, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:29
#1  0x00007ffff7c248b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7bd3abe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7bbc87f in __GI_abort () at abort.c:79
#4  0x00007ffff7bbd60f in __libc_message (fmt=fmt@entry=0x7ffff7d372e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff7cb8979 in __GI___fortify_fail (msg=msg@entry=0x7ffff7d3728c "buffer overflow detected") at fortify_fail.c:24
#6  0x00007ffff7cb71b4 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7cb6d95 in ___snprintf_chk (s=s@entry=0x55555593a6a5 <IObuff+5> "t' item", maxlen=maxlen@entry=1025, flag=flag@entry=2, slen=slen@entry=1020, format=format@entry=0x5555558b82a6 "%ldc") at snprintf_chk.c:29
#8  0x000055555581b59f in snprintf (__fmt=0x5555558b82a6 "%ldc", __n=1025, __s=0x55555593a6a5 <IObuff+5> "t' item") at /usr/include/bits/stdio2.h:54
#9  uc_list (name=name@entry=0x555555a16558 "Explore", name_len=name_len@entry=7) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/usercmd.c:534
#10 0x000055555581c8a0 in ex_command (eap=0x7fffffffd540) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/usercmd.c:1009
#11 0x00005555556a3537 in execute_cmd0 (retv=retv@entry=0x7fffffffd534, eap=eap@entry=0x7fffffffd540, errormsg=errormsg@entry=0x7fffffffd538, preview=preview@entry=false) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:1620
#12 0x00005555556a6c55 in do_one_cmd (cmdlinep=cmdlinep@entry=0x7fffffffd798, flags=flags@entry=10, cstack=cstack@entry=0x7fffffffd820, fgetline=fgetline@entry=0x0, cookie=cookie@entry=0x0) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:2279
#13 0x00005555556a77fe in do_cmdline (cmdline=<optimized out>, fgetline=fgetline@entry=0x0, cookie=cookie@entry=0x0, flags=flags@entry=10) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:578
#14 0x00005555556a8e75 in do_cmdline_cmd (cmd=<optimized out>) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/ex_docmd.c:281
#15 0x00005555555cea5e in exe_commands (parmp=parmp@entry=0x7fffffffde20) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/main.c:1894
#16 0x00005555555d1671 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/neovim-0.9.0-2.fc38.x86_64/src/nvim/main.c:579
```

My operating environment is a toolbox inside Fedora 38 Silverblue, if that's any help.
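The backtrace above shows `___snprintf_chk` entered with `maxlen=1025` for a pointer at `IObuff+5`, where only `slen=1020` bytes remain, which is exactly the condition the fortified check rejects. The following added example (not neovim's code and not from the PR) models that check in plain C and contrasts the call shape from frames #7/#8 with one whose size argument accounts for the offset; the `IOSIZE` value is taken from the trace's `maxlen`, and the buffer prefix is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Destination buffer size; 1025 is the maxlen seen in frame #7 (IObuff). */
#define IOSIZE 1025

/* Stand-in for glibc's ___snprintf_chk: under _FORTIFY_SOURCE the compiler
 * supplies the bytes actually left in the object as slen (with level 3 via
 * __builtin_dynamic_object_size, so an offset into an array is accounted for).
 * glibc aborts when slen < maxlen; here we return -1 so both shapes can run. */
static int fortified_snprintf(char *s, size_t maxlen, size_t slen,
                              const char *fmt, ...)
{
    if (slen < maxlen) return -1;  /* glibc: "*** buffer overflow detected ***" */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(s, maxlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Call shape from frames #7/#8: write at buf + len but pass the whole buffer
 * size. With len == 5 the space left is 1020, so 1025 > 1020 trips the check
 * even though "%ldc" with a small count would have fit. */
int append_count_unsafe(char *buf, size_t len, long count)
{
    return fortified_snprintf(buf + len, IOSIZE, IOSIZE - len, "%ldc", count);
}

/* Corrected shape: the size argument is the space left after the offset. */
int append_count_safe(char *buf, size_t len, long count)
{
    return fortified_snprintf(buf + len, IOSIZE - len, IOSIZE - len, "%ldc", count);
}

/* Constructed scenario: a 5-byte listing prefix is already in the buffer and
 * the Address column "0c" is appended, as in the Explore row of the listing. */
int demo_unsafe_rejected(void)
{
    char buf[IOSIZE] = "!|   ";
    return append_count_unsafe(buf, 5, 0) == -1;
}
int demo_safe_ok(void)
{
    char buf[IOSIZE] = "!|   ";
    return append_count_safe(buf, 5, 0) == 2 && strcmp(buf, "!|   0c") == 0;
}
```

Under a real `_FORTIFY_SOURCE=3` build the first shape aborts at the call, which is why the crash reproduces even though the formatted text is only two bytes.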
FEDORA-2023-04f5e75b59 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-04f5e75b59
FEDORA-2023-04f5e75b59 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-8a9dba1391 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-8a9dba1391
FEDORA-2023-4e9899dcb1 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4e9899dcb1
FEDORA-2023-8a9dba1391 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-8a9dba1391` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-8a9dba1391 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4e9899dcb1 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4e9899dcb1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4e9899dcb1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4e9899dcb1 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-8a9dba1391 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.