When trying make config in /usr/ports/print/ghostscript-gpl-nox11, I get a normal dialog (with a lot of options, might be a/the problem?)
When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it doesn't crash)
Output:
Segmentation fault (core dumped)
===> Options unchanged

# portsnap fetch extract
didn't solve the problem

Fix:
Unfortunately I couldn't get a backtrace.
(Recompiled dialog and libdialog with -g)
I can give the memory addresses in the backtrace, but they seem quite useless.
I'm willing to provide help of course, so tell me what to do :)

Note: the recompiled dialog and libdialog were the 6.3 sources! (I had 6.3 checked out and compiled, to be able to upgrade with a few commands)
However the crash also occurred with the original 6.2 source.

How-To-Repeat:
cd /usr/ports/print/ghostscript-gpl-nox11
make config
tab, enter (OK)
Jille wrote:
>> Environment:
> System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9 #0: Sun Jan 13 12:50:30 CET 2008 quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
>
> libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
> libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
> libc.so.6 => /lib/libc.so.6 (0x280d3000)
>> Description:
> When trying make config in /usr/ports/print/ghostscript-gpl-nox11,
> I get a normal dialog (with a lot of options, might be a/the problem?)
> When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it doesn't crash)
> Output:
> Segmentation fault (core dumped)
> ===> Options unchanged
>
> # portsnap fetch extract
> didn't solve the problem
>> How-To-Repeat:
> cd /usr/ports/print/ghostscript-gpl-nox11
> make config
> tab, enter (OK)
>> Fix:
> Unfortunately I couldn't get a backtrace.
> (Recompiled dialog and libdialog with -g)
> I can give the memory addresses in the backtrace, but they seem quite useless.
> I'm willing to provide help of course, so tell me what to do :)
>
> Note: the recompiled dialog and libdialog were the 6.3 sources! (I had 6.3 checked out and compiled, to be able to upgrade with a few commands)
> However the crash also occurred with the original 6.2 source.

In order to proceed with this we need either a reliable way to reproduce this, or a backtrace.

Kris
Kris Kennaway wrote:
> Jille wrote:
>
>>> Environment:
>> System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9
>> #0: Sun Jan 13 12:50:30 CET 2008
>> quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
>>
>> libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
>> libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
>> libc.so.6 => /lib/libc.so.6 (0x280d3000)
>>> Description:
>> When trying make config in /usr/ports/print/ghostscript-gpl-nox11,
>> I get a normal dialog (with a lot of options, might be a/the
>> problem?)
>> When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel it
>> doesn't crash)
>> Output:
>> Segmentation fault (core dumped)
>> ===> Options unchanged
>>
>> # portsnap fetch extract
>> didn't solve the problem
>>> How-To-Repeat:
>> cd /usr/ports/print/ghostscript-gpl-nox11
>> make config
>> tab, enter (OK)
>>> Fix:
>> Unfortunately I couldn't get a backtrace.
>> (Recompiled dialog and libdialog with -g)
>> I can give the memory addresses in the backtrace, but they seem
>> quite useless.
>> I'm willing to provide help of course, so tell me what to do :)
>>
>> Note: the recompiled dialog and libdialog were the 6.3 sources!
>> (I had 6.3 checked out and compiled, to be able to upgrade with a few
>> commands)
>> However the crash also occurred with the original 6.2 source.
>
> In order to proceed with this we need either a reliable way to reproduce
> this, or a backtrace.

I just tested and couldn't reproduce it on 6.3-p2 with the same port (that system does have X11).
I can reproduce it on the 6.2 box.

Could you tell me what to do to produce a backtrace?
The backtrace I could get (without function names, files, line numbers etc.) was huge; I didn't make it to the top (> 500).
I can try to dump it entirely, should it ever stop.

I can also upload my dialog binary, dialog core, libdialog with debug, and libc somewhere?

I have compiled dialog and libdialog with -g, should I also do it with libc?

A few minutes after submitting this PR I saw
http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
A buffer overflow in dialog, when having too many options selected
(MAX_LEN (output length) = 2048, and they're using strcpy)
(The category should be changed from bin -> gnu btw, missed the gnu in the list)

I'm gonna try to get to the top of the backtrace now.

-- 
Jille

>
> Kris
Jille wrote:
>
>
> Kris Kennaway wrote:
>> Jille wrote:
>>
>>>> Environment:
>>> System: FreeBSD bob.omicidio.nl 6.2-RELEASE-p9 FreeBSD 6.2-RELEASE-p9
>>> #0: Sun Jan 13 12:50:30 CET 2008
>>> quis@bob.omicidio.nl:/usr/obj/usr/src/sys/BOB i386
>>>
>>> libdialog.so.5 => /usr/lib/libdialog.so.5 (0x2807b000)
>>> libncurses.so.6 => /lib/libncurses.so.6 (0x28094000)
>>> libc.so.6 => /lib/libc.so.6 (0x280d3000)
>>>> Description:
>>> When trying make config in /usr/ports/print/ghostscript-gpl-nox11,
>>> I get a normal dialog (with a lot of options, might be a/the
>>> problem?)
>>> When I hit OK, dialog crashes with SIGSEGV (when hitting Cancel
>>> it doesn't crash)
>>> Output:
>>> Segmentation fault (core dumped)
>>> ===> Options unchanged
>>>
>>> # portsnap fetch extract
>>> didn't solve the problem
>>>> How-To-Repeat:
>>> cd /usr/ports/print/ghostscript-gpl-nox11
>>> make config
>>> tab, enter (OK)
>>>> Fix:
>>> Unfortunately I couldn't get a backtrace.
>>> (Recompiled dialog and libdialog with -g)
>>> I can give the memory addresses in the backtrace, but they seem
>>> quite useless.
>>> I'm willing to provide help of course, so tell me what to do :)
>>>
>>> Note: the recompiled dialog and libdialog were the 6.3 sources!
>>> (I had 6.3 checked out and compiled, to be able to upgrade with a
>>> few commands)
>>> However the crash also occurred with the original 6.2 source.
>>
>> In order to proceed with this we need either a reliable way to
>> reproduce this, or a backtrace.
> I just tested and couldn't reproduce it on 6.3-p2 with the same port
> (that system does have X11)
> I can reproduce it on the 6.2 box.
>
> Could you tell me what to do to produce a backtrace?

The process is documented in the developers handbook.

> The backtrace I could get (without function names, files, line numbers etc.)
> was huge, I didn't make it to the top (> 500).
> I can try to dump it entirely, should it ever stop.
>
> I can also upload my dialog binary, dialog core, libdialog with debug,
> and libc somewhere?
>
> I have compiled dialog and libdialog with -g, should I also do it with
> libc?

It may be necessary, but if it is crashing in dialog then those parts of the backtrace should be fine at least. If you are not seeing any file:line details then something went wrong with your -g binaries, e.g. they were stripped when they were installed.

> A few minutes after submitting this PR I saw
> http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
> A buffer overflow in dialog, when having too many options selected
> (MAX_LEN (output length) = 2048, and they're using strcpy)

Yes, the dialog code is quite "low-grade" :)

> (The category should be changed from bin -> gnu btw, missed the gnu in
> the list)
>
> I'm gonna try to get to the top of the backtrace now.

Kris
State Changed
From-To: open->patched

MAX_LEN bumped to 4096 a long time ago.
ache: Bumping MAX_LEN from 2048 -> 4096 is not really the fix. See the url below, and try it.
Yes, it fixes my situation, with 3426 bytes, but it will crash again if (e.g.) ghostscript gets more options.

Kris Kennaway wrote:
> Jille wrote:
>>
>>
>> Kris Kennaway wrote:
[...]
>
> The process is documented in the developers handbook.
>
>> The backtrace I could get (without function names, files, line numbers etc.)
>> was huge, I didn't make it to the top (> 500).
>> I can try to dump it entirely, should it ever stop.
>>
>> I can also upload my dialog binary, dialog core, libdialog with debug,
>> and libc somewhere?
>>
>> I have compiled dialog and libdialog with -g, should I also do it with
>> libc?
>
> It may be necessary, but if it is crashing in dialog then those parts of
> the backtrace should be fine at least. If you are not seeing any
> file:line details then something went wrong with your -g binaries, e.g.
> they were stripped when they were installed.
>
>> A few minutes after submitting this PR I saw
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=gnu/45168
>> A buffer overflow in dialog, when having too many options selected
>> (MAX_LEN (output length) = 2048, and they're using strcpy)
>
> Yes, the dialog code is quite "low-grade" :)
>
>> (The category should be changed from bin -> gnu btw, missed the gnu in
>> the list)
>>
>> I'm gonna try to get to the top of the backtrace now.

Okay, I can't get a backtrace, the stack gets fucked up.
I stepped (next'ed) through the program till it crashed. Last lines:

269 fprintf(stderr, "\"%s\"", h);
(gdb)
"GS_wtscmyk"270 h = s;
(gdb)
339 EndDialog(clear_screen);
(gdb)
346 }
(gdb)
340 return retval;
(gdb)
346 }
(gdb)
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x53470066: Bad address.

The file is /usr/src/gnu/usr.bin/dialog/dialog.c at the end of main().
Quite interesting is that the EndDialog on line 339 should only be called if (!strcmp(argv[offset+1], "--tree")), which is _NOT_ the case.

On this url you can find the commandline arguments:
http://junk.quis.cx/suWFMqdS/dialog-crash.sh
(I would like to hear whether it reproduces)
(I generated it from ports)

-- 
Jille

>
> Kris
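The two points made in this thread, that a fixed MAX_LEN buffer filled with strcpy overflows once enough options are selected and that bumping the constant only moves the limit, can be shown with a small added illustration. This is example code written for this page, not dialog's or FreeBSD's own source; the function names, the quoted "tag" "tag" output shape and the sample tag values are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Bytes for "tag1" "tag2" ... plus NUL; the check MAX_LEN-style code skips. */
size_t needed(const char **tags, size_t n)
{
    size_t need = 1;
    for (size_t i = 0; i < n; i++) need += strlen(tags[i]) + 2 + (i ? 1 : 0);
    return need;
}

/* Result buffer sized from the input, so no option count can overflow it.
 * Returns a malloc'd string (caller frees) or NULL if allocation fails. */
char *join_dynamic(const char **tags, size_t n)
{
    char *result = malloc(needed(tags, n)), *p = result;
    if (!result) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(tags[i]);
        if (i) *p++ = ' ';
        *p++ = '"'; memcpy(p, tags[i], len); p += len; *p++ = '"';
    }
    *p = '\0';
    return result;
}

/* Drop-in for a fixed result[cap] array: refuses an oversize selection with
 * -1 instead of writing past the end; otherwise returns the length written. */
long join_bounded(char *result, size_t cap, const char **tags, size_t n)
{
    char *s = join_dynamic(tags, n);
    long len = (s && strlen(s) < cap) ? (long)strlen(s) : -1;
    if (len >= 0) memcpy(result, s, (size_t)len + 1);
    free(s);
    return len;
}

/* Constructed sample: n identical ghostscript-style tags into a cap-byte buffer. */
long demo(size_t cap, size_t n)
{
    const char **tags = malloc(n * sizeof *tags);
    char *buf = malloc(cap);
    long len = -1;
    if (tags && buf) {
        for (size_t i = 0; i < n; i++) tags[i] = "GS_wtscmyk";
        len = join_bounded(buf, cap, tags, n);
    }
    free(buf); free(tags);
    return len;
}
```

With 200 ten-character tags the result is 2599 bytes, so a 2048-byte buffer is refused and a 4096-byte one accepts it; with 400 tags (5199 bytes) the 4096-byte buffer is refused as well, which is the "will crash again" case above, while join_dynamic() is unaffected.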
The ports collection stopped using dialog from base quite some time ago so even if the base dialog isn't fixed perfectly the details of the bug aren't relevant any more.