Wind River Support Network

Fixed

LIN6-4396 : wrlinux 4.3 - bash segfault

Created: May 29, 2013    Updated: Dec 3, 2018
Resolved Date: Mar 13, 2014
Previous ID: LIN4-20021
Found In Version: 6.0
Fix Version: 6.0.0.5
Severity: Severe
Applicable for: Wind River Linux 6
Component/s: Userspace

Description

In bash's input.c source, the buffer index can get incremented without any limits.
Because of this, a segfault can be encountered (a coredump is attached to this CQ).
In the example, at the time of the crash, the value of local_index was 6848.

static char localbuf[128];
static int local_index = 0, local_bufused = 0;
.......
uc = localbuf[local_index++];

Excerpt from the code:
/* Functions to handle reading input on systems that don't restart read(2)
   if a signal is received. */

static char localbuf[128];
static int local_index = 0, local_bufused = 0;
/* Posix and USG systems do not guarantee to restart read () if it is
   interrupted by a signal.  We do the read ourselves, and restart it
   if it returns EINTR. */
int
getc_with_restart (stream)
     FILE *stream;
{
  unsigned char uc;

  CHECK_TERMSIG;

  /* Try local buffering to reduce the number of read(2) calls. */
  if (local_index == local_bufused || local_bufused == 0)
    {
      while (1)
        {
          CHECK_TERMSIG;
          local_bufused = read (fileno (stream), localbuf, sizeof(localbuf));
          if (local_bufused > 0)
            break;
          else if (local_bufused == 0 || errno != EINTR)
            {
              local_index = 0;
              return EOF;
            }
        }
      local_index = 0;
    }
  uc = localbuf[local_index++];
  return uc;
}
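
Added example, not part of the original defect report or of bash: a bounded C model of the excerpt's index logic, showing one path visible in the code above by which local_index passes the end of localbuf. When read() fails with an errno other than EINTR, local_bufused is left at -1, so the `local_index == local_bufused` test never triggers a refill again. The names fake_read, getc_model and first_oob_call, the constructed input, and the hardened branch are assumptions for illustration, not the vendor's fix; the model reports OOB instead of performing the out-of-bounds read.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define BUFSZ 128
#define OOB (-1000) /* model-only result: index would leave the buffer */
struct rd { char buf[BUFSZ]; int index, used; };
static int calls; /* fake_read() calls so far */
/* Constructed stand-in for read(2): 3 bytes once, then a hard error. */
static int fake_read(char *dst)
{
    if (calls++ == 0) { memcpy(dst, "ls\n", 3); return 3; }
    errno = EIO; /* any errno other than EINTR */
    return -1;
}

/* hardened=0 mirrors the excerpt; hardened=1 is an assumed fix (hypothetical). */
static int getc_model(struct rd *s, int hardened)
{
    int refill = hardened ? (s->index >= s->used)
                          : (s->index == s->used || s->used == 0);
    if (refill) {
        for (;;) {
            s->used = fake_read(s->buf);
            if (s->used > 0) break;
            if (s->used == 0 || errno != EINTR) {
                s->index = 0;
                if (hardened) s->used = 0;
                return EOF; /* unhardened: used stays -1 after an error */
            }
        }
        s->index = 0;
    }
    if (s->index >= BUFSZ) return OOB; /* excerpt would read past localbuf */
    return (unsigned char)s->buf[s->index++];
}

/* Call number at which the index leaves the buffer, or 0 if never. */
static int first_oob_call(int hardened, int n)
{
    struct rd s = {{0}, 0, 0};
    calls = 0;
    for (int i = 1; i <= n; i++)
        if (getc_model(&s, hardened) == OOB) return i;
    return 0;
}

int main(void) {
    printf("excerpt logic: OOB at call %d; hardened: %d\n", first_oob_call(0, 1000), first_oob_call(1, 1000));
    return 0;
}
```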

Steps to Reproduce

No proper reproducer at this moment, only a coredump and code analysis.
