Bug 698532 - Segfault for jfbterm on Fedora 14
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: jfbterm
Version: 14
Hardware: i686
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Mamoru TASAKA
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-04-21 07:20 UTC by Steven Shiau
Modified: 2011-05-09 20:57 UTC (History)

Fixed In Version: jfbterm-0.4.7-25.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-09 20:56:48 UTC


Attachments (Terms of Use)
Patch to fix this segfault on exit (703 bytes, text/plain)
2011-04-26 05:09 UTC, Steven Shiau
gdb and new patch for tterm_reset_utmp function (3.66 KB, application/x-gzip)
2011-04-27 08:22 UTC, Thomas Tsai


Links
System ID Priority Status Summary Last Updated
Launchpad 253163 None None None Never

Description Steven Shiau 2011-04-21 07:20:54 UTC
Description of problem:
A "Segmentation fault (core dumped)" is shown when running jfbterm in framebuffer mode.

Version-Release number of selected component (if applicable):
Both jfbterm-0.4.7-22 and jfbterm-0.4.7-24

How reproducible:
On i686 version of Fedora 14:
[fc14]~>uname -r
2.6.35.12-88.fc14.i686.PAE
[fc14]~>rpm -q jfbterm
jfbterm-0.4.7-22.fc12.i686


Steps to Reproduce:
1. Boot Fedora 14, and in the boot menu, add the boot parameter "vga=788"
2. As root, run: "chvt 1"
3. Install program "screen" by: "yum install screen"
4. Enter screen by running "screen"
5. jfbterm -e ls
  
Actual results:
A "Segmentation fault (core dumped)" will be shown in the end.

If jfbterm is run in screen, it will hang and won't return to the command line prompt.

I also tried to recompile http://mirrors.kernel.org/fedora/development/15/source/SRPMS/jfbterm-0.4.7-24.fc15.src.rpm on Fedora 14 and ran it. Same results.


Expected results:
Returns to the command line prompt without a segfault.

Additional info:

Comment 1 Steven Shiau 2011-04-21 07:26:35 UTC
BTW, the above testing was run in a VMware Workstation virtual machine.
I also tried the same steps on a real machine running Fedora 14:
CPU: Intel(R) Pentium(R) 4 CPU 2.60GHz
VGA card: Intel Corporation 82865G Integrated Graphics Controller (rev 02)
This issue is reproducible.

Comment 2 Steven Shiau 2011-04-21 07:30:00 UTC
Oops.. 
"If jfbterm is run in screen, it will hang and won't return to the command line
prompt." -> I mean:
"If jfbterm is _not_ run in screen, it will hang and won't return to the command line
prompt."

Comment 3 Steven Shiau 2011-04-26 05:09:25 UTC
Created attachment 494812 [details]
Patch to fix this segfault on exit

This patch was created by Thomas Tsai. After this patch was applied, the issue was gone.

Comment 4 Mamoru TASAKA 2011-04-26 13:18:34 UTC
The attached patch looks good at a quick glance; however,
as I cannot reproduce the issue for now, I cannot judge whether the
patch should really be applied, or whether this
issue (if it exists) is a bug on the jfbterm side.

Would you attach a backtrace from gdm for this issue if possible?

Comment 5 Mamoru TASAKA 2011-04-26 13:36:10 UTC
(In reply to comment #4)
> 
> Would you attach a backtrace from gdm for this issue if possible?

s/gdm/gdb

Comment 6 Thomas Tsai 2011-04-27 08:22:37 UTC
Created attachment 495144 [details]
gdb and new patch for tterm_reset_utmp function

Hello,

I think the segfault is happening because of an incorrect ut_id value. I tried to fix ut_id, but it does not work well, especially on Debian, for some unknown reason. After some testing, I also found that some ut_id values are empty, so the new patch replaces ut_id with ut_line, and therefore the return code check is not necessary. Just in case, we still keep it.

I attached the segfault log, the new patch and the fixed log. There is a dump of the utmp structure values from gdb; just compare utmp and utp to confirm the bug.

BR, Thomas.

---- summary of error log dump ----
(gdb) p utmp
$1 = {ut_type = 7, ut_pid = 0, ut_line = '\000' <repeats 31 times>, ut_id = "\000\000\000",
  ut_user = '\000' <repeats 31 times>, ut_host = '\000' <repeats 255 times>, ut_exit = {
    e_termination = 0, e_exit = 0}, ut_session = 0, ut_tv = {tv_sec = 0, tv_usec = 0},
  ut_addr_v6 = {0, 0, 0, 0}, __unused = '\000' <repeats 19 times>}
(gdb) p *utp
Cannot access memory at address 0x0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
tterm_reset_utmp (p=<value optimized out>) at term.c:309
---- done ----

--- after new patch ----
(gdb) p utmp
$1 = {ut_type = 7, ut_pid = 0, ut_line = "pts/3", '\000' <repeats 26 times>,
  ut_id = "\000\000\000", ut_user = '\000' <repeats 31 times>,
  ut_host = '\000' <repeats 255 times>, ut_exit = {e_termination = 0, e_exit = 0}, ut_session = 0,
  ut_tv = {tv_sec = 0, tv_usec = 0}, ut_addr_v6 = {0, 0, 0, 0},
  __unused = '\000' <repeats 19 times>}
(gdb) p *utp
$2 = {ut_type = 7, ut_pid = 3842, ut_line = "pts/3", '\000' <repeats 26 times>,
  ut_id = "\000\000\000", ut_user = "root", '\000' <repeats 27 times>,
  ut_host = '\000' <repeats 255 times>, ut_exit = {e_termination = 0, e_exit = 0}, ut_session = 0,
  ut_tv = {tv_sec = 1303916197, tv_usec = 0}, ut_addr_v6 = {0, 0, 0, 0},
  __unused = '\000' <repeats 19 times>}
(gdb) c
Continuing.

Breakpoint 1, tterm_reset_utmp (p=0x8058c40) at term.c:298
298     {
(gdb) c
Continuing.

Program exited normally.
---- done ----

Comment 7 Mamoru TASAKA 2011-04-28 17:01:18 UTC
Well, I am now slowly trying to understand what tterm_reset_utmp() in term.c is doing; however, $ man getutid says:

    If ut->ut_type is one of INIT_PROCESS, LOGIN_PROCESS, 
    USER_PROCESS, or DEAD_PROCESS, getutid() will find the 
    first entry  whose  ut_id  field matches ut->ut_id.

So changing strncpy(utmp.ut_id, tn, sizeof(utmp.ut_id)); to
strncpy(utmp.ut_line, tn, sizeof(utmp.ut_line)); before calling
utp = getutid(&utmp); seems wrong to me: as memset is called beforehand, after your patch is applied utmp.ut_id will be "\0" when getutid(&utmp) is called, and utp will always be NULL (perhaps).

Comment 8 Mamoru TASAKA 2011-04-29 03:04:11 UTC
Thomas, if possible, would you dump the contents of TTerm* p in tterm_reset_utmp when this issue happens (especially p->name)?

Comment 9 Thomas Tsai 2011-04-29 08:26:03 UTC
Hello,

The TTerm values are dumped here:
$3 = (TTerm *) 0x8058c40
(gdb) p *p
$4 = {ptyfd = 9, ttyfd = 10, name = "/dev/pts/2", '\000' <repeats 53 times>, 
,.......(skip)
(gdb) p p->name
$5 = "/dev/pts/2", '\000' <repeats 53 times>

The correct ut_id should be '/2', and 'rindex(...)+4' may get an incorrect ut_id.
We could still try to go back to fixing ut_id, or replace getutid(&utmp) with getutline(&utmp).

If you need more information, I am happy to dump it for you.
Thank You.

BR, Thomas.

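As an added illustration for comments 7 and 9 (not jfbterm's code and not the attached patch): the getutid()/getutline() matching rules quoted from the man page, modelled over a constructed in-memory table, showing the lookup returning NULL when no entry carries the requested ut_id and a reset routine that checks that result before writing through it. Field names mirror glibc's struct utmp; the table entries and the "/dev/pts/N" -> "/N" id derivation via strrchr (the standard name for rindex) are assumptions for the demo.

```c
/* Added example (not jfbterm's code): models the getutid()/getutline() rules
 * quoted from the man page over a constructed in-memory table, showing how a
 * mismatched ut_id makes the lookup return NULL and why that result must be
 * checked before use. Field names follow glibc's struct utmp. */
#include <string.h>
#define UT_LINESIZE 32
#define UT_IDSIZE 4
#define INIT_PROCESS 5   /* glibc ut_type values; INIT..DEAD are the "process" types */
#define LOGIN_PROCESS 6
#define USER_PROCESS 7
#define DEAD_PROCESS 8
struct ut_rec { short ut_type; char ut_line[UT_LINESIZE]; char ut_id[UT_IDSIZE]; };
/* Constructed table: pts/3 (opened inside screen) has an empty ut_id, as in the dump. */
static struct ut_rec table[] = {
    { USER_PROCESS, "pts/2", "/2" },
    { USER_PROCESS, "pts/3", "" },
};
static const size_t nrecs = sizeof table / sizeof table[0];
/* getutid() rule for a *_PROCESS key: first process-type entry whose ut_id matches. */
struct ut_rec *find_by_id(const struct ut_rec *key) {
    for (size_t i = 0; i < nrecs; i++)
        if (table[i].ut_type >= INIT_PROCESS && table[i].ut_type <= DEAD_PROCESS &&
            strncmp(table[i].ut_id, key->ut_id, UT_IDSIZE) == 0)
            return &table[i];
    return NULL;  /* no match: the caller must not dereference this */
}
/* getutline() rule: first USER_PROCESS or LOGIN_PROCESS entry with that ut_line. */
struct ut_rec *find_by_line(const struct ut_rec *key) {
    for (size_t i = 0; i < nrecs; i++)
        if ((table[i].ut_type == USER_PROCESS || table[i].ut_type == LOGIN_PROCESS) &&
            strncmp(table[i].ut_line, key->ut_line, UT_LINESIZE) == 0)
            return &table[i];
    return NULL;
}
/* Marks the entry for a tty name dead. Returns 1 if found by id, 2 if found by
 * line, 0 if neither matched (the NULL that tterm_reset_utmp() went on to use). */
int reset_by_name(const char *name) {
    struct ut_rec key;
    const char *tn = strrchr(name, '/');  /* rindex(); "/2" for "/dev/pts/2", as Thomas expects */
    if (tn == NULL) return 0;
    memset(&key, 0, sizeof key);
    key.ut_type = DEAD_PROCESS;
    strncpy(key.ut_id, tn, UT_IDSIZE);
    strncpy(key.ut_line, strncmp(name, "/dev/", 5) == 0 ? name + 5 : name, UT_LINESIZE - 1);
    struct ut_rec *utp = find_by_id(&key); int how = 1;
    if (utp == NULL) { utp = find_by_line(&key); how = 2; }
    if (utp == NULL) return 0;  /* the check whose absence turned a miss into SIGSEGV */
    utp->ut_type = DEAD_PROCESS;
    return how;
}
```

A zeroed key (what comment 7 describes) matches the first process entry whose ut_id is also empty, which is what the post-patch dump above shows for pts/3.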
Comment 10 Mamoru TASAKA 2011-04-29 19:20:23 UTC
Okay, thank you for the follow-ups. I will submit a possible fix for this issue soon. I would appreciate it if you would try the new rpms, which may fix this issue.

Comment 11 Fedora Update System 2011-04-29 19:22:33 UTC
jfbterm-0.4.7-25.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/jfbterm-0.4.7-25.fc15

Comment 12 Fedora Update System 2011-04-29 19:23:12 UTC
jfbterm-0.4.7-25.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/jfbterm-0.4.7-25.fc14

Comment 13 Fedora Update System 2011-04-29 19:23:40 UTC
jfbterm-0.4.7-25.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/jfbterm-0.4.7-25.fc13

Comment 14 Steven Shiau 2011-04-30 00:27:39 UTC
I confirmed that this patch fixes the issue.
I have downloaded
http://kojipkgs.fedoraproject.org/packages/jfbterm/0.4.7/25.fc14/i686/jfbterm-0.4.7-25.fc14.i686.rpm
and installed it on an i686 Fedora 14 machine. After that, there is no segfault issue when jfbterm exits.
Cool!
BTW, do you know anyone in the upstream:
http://sourceforge.jp/projects/jfbterm/memberlist
?
Is it possible that all the patches in Fedora can be merged by the upstream project, with another release (e.g. 0.4.8)?
Thanks.

Steven.

Comment 15 Fedora Update System 2011-04-30 23:20:23 UTC
Package jfbterm-0.4.7-25.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing jfbterm-0.4.7-25.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/jfbterm-0.4.7-25.fc14
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2011-05-05 05:07:52 UTC
jfbterm-0.4.7-25.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2011-05-09 20:56:43 UTC
jfbterm-0.4.7-25.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2011-05-09 20:57:20 UTC
jfbterm-0.4.7-25.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

