Package: minicom
Version: 2.8-1
Severity: important

Steps to reproduce:
1. Start Minicom connected to a serial port with MINICOM="-m -c on -8"
   (although I was also able to reproduce the problem with MINICOM="" if
   the keystrokes below are changed appropriately).
2. Cause whatever is connected to emit more than a screenful of text.
   (Without this, Minicom won't let you enter history mode.)
3. Press Alt-B to enter history mode. Press / to search, type something
   short that doesn't exist in the history and press Enter.

Expected result: Minicom searches for the specified text in the buffer
as it always did successfully in the Buster version of Minicom.

Actual result:

*** stack smashing detected ***: terminated

and Minicom exits.

I tried compiling Minicom from the Debian package source with
CC="gcc -fsanitize=address" and got:

=================================================================
==3332560==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc81d544e0 at pc 0x556347a102d8 bp 0x7ffc81d54080 sp 0x7ffc81d54078
WRITE of size 4 at 0x7ffc81d544e0 thread T0
    #0 0x556347a102d7 in mc_wdrawelm_var ../../src/window.c:1055
    #1 0x5563479efb65 in find_next ../../src/minicom.c:336
    #2 0x5563479ec687 in scrollback ../../src/minicom.c:533
    #3 0x5563479ec687 in main ../../src/minicom.c:1646
    #4 0x7f0b62d83d09 in __libc_start_main ../csu/libc-start.c:308
    #5 0x5563479ee6c9 in _start (/overflow/mac/Debian/minicom-2.8/build/src/minicom+0x236c9)

Address 0x7ffc81d544e0 is located in stack of thread T0 at offset 1056 in frame
    #0 0x5563479efa0f in find_next ../../src/minicom.c:309

  This frame has 1 object(s):
    [32, 1056) 'tmp_line' (line 312) <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../src/window.c:1055 in mc_wdrawelm_var
Shadow bytes around the buggy address:
  0x1000103a2840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000103a2850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000103a2860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000103a2870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000103a2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000103a2890: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
  0x1000103a28a0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x1000103a28b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000103a28c0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x1000103a28d0: 00 f2 00 00 00 f2 f2 f2 00 00 f2 f2 f8 f8 f8 f2
  0x1000103a28e0: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3332560==ABORTING

find_next has:

    wchar_t tmp_line[MAXCOLS];

According to gdb inside mc_wdrawelm_var:

(gdb) p w->x1
$5 = 0
(gdb) p w->x2
$6 = 263

(other useful stuff like "c" was optimised out.)

If I add:

    if (c >= MAXCOLS) abort();

inside the loop in mc_wdrawelm_var then the process aborts as would be
expected rather than the sanitizer complaining.
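The size mismatch the report describes, as a constructed C model added here (it is not minicom's code): a window whose columns run from x1 = 0 to x2 = 263 asks a redraw to write 264 cells, while the destination is a stack buffer of MAXCOLS wchar_t. The model shows the pre-write check that the reporter's abort() makes explicit, and a copy routine that clamps to the buffer and reports truncation instead of writing past it. The struct win, the function names, and the value MAXCOLS = 256 are assumptions; 256 is chosen only because it is consistent with the 1024-byte tmp_line frame in the ASan output (256 four-byte wchar_t cells).

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed value, not taken from minicom's headers: consistent with the
 * 1024-byte tmp_line frame in the ASan report (256 cells of 4-byte wchar_t). */
#define MAXCOLS 256

/* Hypothetical stand-in for the window fields gdb printed (w->x1, w->x2). */
struct win {
    int x1;   /* first column, inclusive */
    int x2;   /* last column, inclusive */
};

/* Cells a redraw of columns x1..x2 wants to write. With x1 = 0 and x2 = 263
 * this is 264, already past a MAXCOLS-sized buffer. */
size_t cells_requested(const struct win *w)
{
    if (w->x2 < w->x1)
        return 0;
    return (size_t)(w->x2 - w->x1) + 1;
}

/* 1 if one line of this window fits in dst_cells wchar_t with room for the
 * terminating L'\0', else 0. Same condition as "c >= MAXCOLS", but checked
 * once before any write rather than aborting mid-loop. */
int line_fits(const struct win *w, size_t dst_cells)
{
    return dst_cells > 0 && cells_requested(w) <= dst_cells - 1;
}

/* Bounds-checked copy of one window line into dst: writes at most
 * dst_cells - 1 cells, always terminates, and flags truncation instead of
 * running off the end of the buffer. Returns the number of cells copied. */
size_t copy_line_bounded(const struct win *w, const wchar_t *src,
                         wchar_t *dst, size_t dst_cells, int *truncated)
{
    size_t want = cells_requested(w);
    size_t n;

    if (dst_cells == 0) {
        if (truncated)
            *truncated = 1;
        return 0;
    }
    n = want;
    if (n > dst_cells - 1)
        n = dst_cells - 1;          /* clamp instead of overflowing */
    for (size_t c = 0; c < n; c++)
        dst[c] = src[c];
    dst[n] = L'\0';
    if (truncated)
        *truncated = (n < want);
    return n;
}

/* Constructed sample data: fills buf with a repeating A..Z pattern. */
void fill_sample(wchar_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = L'A' + (wchar_t)(i % 26);
}

int main(void)
{
    wchar_t src[512];                 /* wider than any buffer we copy into */
    fill_sample(src, 512);

    struct win w = { 0, 263 };        /* the values gdb showed in the report */
    wchar_t tmp_line[MAXCOLS];        /* same size as find_next's buffer */
    int truncated = 0;

    size_t n = copy_line_bounded(&w, src, tmp_line, MAXCOLS, &truncated);
    printf("requested %zu cells, fits in buffer: %s, copied %zu, truncated: %d\n",
           cells_requested(&w), line_fits(&w, MAXCOLS) ? "yes" : "no",
           n, truncated);
    return 0;
}
```

Compiling this with -fsanitize=address and running it is clean, because the write is bounded by the destination size rather than by the window geometry; a caller that needs the full line can test line_fits() first and allocate accordingly instead of relying on the fixed MAXCOLS array.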
-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/32 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minicom depends on:
ii  libc6      2.31-12
ii  libtinfo6  6.2+20201114-2

Versions of packages minicom recommends:
ii  lrzsz  0.12.21-10+b1

minicom suggests no packages.

-- no debconf information