Source: tty-clock
Version: 1.1-1
Severity: serious
Justification: use-after-free and who knows what else

Hi!

Just saw ttyclock in the wanna-build Needs-Build list for m68k, and thought
to have a look at what it can do (comparison with my
/usr/share/doc/mksh/examples/uhr.gz script, for example), compiled and ran
it under MirBSD (since I sat at it): SIGABRT. Okay, what’s it do…

tg@blau:~ $ gdb --args ./ttyclock -i
GNU gdb 6.3.50.20050707
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i386-ecce-mirbsd10 --target="...
(gdb) r
Starting program: /home/tg/ttyclock -i
TTY-Clock 2 © by Martin Duquesnoy (xor...@gmail.com)
ttyclock in free(): error: bogus pointer (double free?) 0xdfdfdfdf

Program received signal SIGABRT, Aborted.
0x03e435e7 in kill () from /usr/lib/libc.so.41.10
(gdb) bt
#0  0x03e435e7 in kill () from /usr/lib/libc.so.41.10
#1  0x03e7aac8 in abort () from /usr/lib/libc.so.41.10
#2  0x03e637a0 in wrterror () from /usr/lib/libc.so.41.10
#3  0x03e64fcd in free () from /usr/lib/libc.so.41.10
#4  0x1c001f5d in main (argc=2, argv=0xcfbf9670) at ttyclock.c:482
(gdb) frame 4
#4  0x1c001f5d in main (argc=2, argv=0xcfbf9670) at ttyclock.c:482
482             free(ttyclock->option.format);
(gdb) print *ttyclock
$1 = {running = 3755991007, bg = -538976289, option = {second = 3755991007,
    twelve = 3755991007, center = 3755991007, rebound = 3755991007,
    box = 3755991007, format = 0xdfdfdfdf <Address 0xdfdfdfdf out of bounds>,
    color = -538976289, delay = -538976289}, geo = {x = -538976289,
    y = -538976289, w = -538976289, h = -538976289, a = -538976289,
    b = -538976289}, date = {hour = {3755991007, 3755991007},
    minute = {3755991007, 3755991007}, second = {3755991007, 3755991007},
    datestr = '\337' <repeats 256 times>}, tm = 0xdfdfdfdf,
  lt = -2314885530818453537,
  meridiem = 0xdfdfdfdf <Address 0xdfdfdfdf out of bounds>,
  framewin = 0xdfdfdfdf, datewin = 0xdfdfdfdf}

Argh. Okay. So omalloc found something… looking at the source:

479         case 'i':
480              puts("TTY-Clock 2 © by Martin Duquesnoy (xor...@gmail.com)");
481              free(ttyclock);
482              free(ttyclock->option.format);
483              exit(EXIT_SUCCESS);

This is an obvious use-after-free. The code is full of it. I think that this
program is not in shape for distribution.

Calling stdio (line 130), ncurses (lines 119, 120, 129) and other funny stuff
in the signal handler is also almost certainly broken. Even line 125 will not
work, as the only data type that can safely be accessed from a signal handler
is of the type “volatile sig_atomic_t”, which ttyclock->running is not.

bye,
//mirabilos
-- 
Support mksh as /bin/sh and RoQA dash NOW!
‣ src:bash (257 (276) bugs: 0 RC, 178 (192) I&N, 79 (84) M&W, 0 (0) F&P)
‣ src:dash (84 (98) bugs: 3 RC, 39 (43) I&N, 42 (52) M&W, 0 F&P)
‣ src:mksh (1 bug: 0 RC, 0 I&N, 1 M&W, 0 F&P)
http://qa.debian.org/data/bts/graphs/d/dash.png is pretty red, innit?
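Added example, written for this page and not taken from tty-clock or from the bug report above: a minimal model of the two problems the report names, the free() ordering at ttyclock.c:481-482 and the signal-handler rules. The struct below only mimics the fields the report touches, the function names are hypothetical, and SIGUSR1 stands in for the terminal's interrupt signal so the scenario can run unattended. The buggy free order is kept beside the fixed one for comparison only and is never called.

```c
/* Added example; not tty-clock's code. Models ttyclock.c:481-482 and the
 * signal-handler issue from the report. Field and function names are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    volatile sig_atomic_t running;   /* the only type a handler may safely store to */
    struct { char *format; } option; /* stand-in for the real struct's fields */
} ttyclock_t;

/* A handler gets no context argument, so it reaches the flag through a global. */
static volatile sig_atomic_t *g_running = NULL;

/* Async-signal-safe handler: no stdio, no ncurses, no free(); just the flag. */
static void stop_handler(int sig)
{
    (void)sig;
    if (g_running)
        *g_running = 0;
}

ttyclock_t *ttyclock_new(const char *fmt)
{
    ttyclock_t *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->option.format = strdup(fmt);
    if (!c->option.format) {
        free(c);
        return NULL;
    }
    c->running = 1;
    return c;
}

/* The order from ttyclock.c:481-482: the struct is read after it was freed.
 * Kept only for comparison; never call it. */
void ttyclock_free_buggy(ttyclock_t *c)
{
    free(c);
    free(c->option.format); /* use-after-free: c is already gone */
}

/* Fixed: release owned members first, then the container, then null the caller's pointer
 * so a second call is a harmless no-op instead of a double free. */
void ttyclock_free(ttyclock_t **cp)
{
    if (!cp || !*cp)
        return;
    free((*cp)->option.format);
    free(*cp);
    *cp = NULL;
}

/* Install stop_handler for signo via sigaction(); returns 0 on success. */
int ttyclock_install_handler(ttyclock_t *c, int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = stop_handler;
    sigemptyset(&sa.sa_mask);
    g_running = &c->running;
    return sigaction(signo, &sa, NULL);
}

/* Main-loop stand-in: polls the flag each round and raises SIGUSR1 at
 * signal_at_tick to simulate the user interrupting. Returns ticks completed. */
int ttyclock_run(ttyclock_t *c, int max_ticks, int signal_at_tick)
{
    int ticks = 0;
    while (c->running && ticks < max_ticks) {
        ticks++;
        if (ticks == signal_at_tick)
            raise(SIGUSR1);
    }
    return ticks;
}

/* Whole scenario: teardown happens here in normal context, not in the handler.
 * Returns ticks run before the flag dropped, -1 on setup failure, -2 if not stopped. */
int demo(void)
{
    ttyclock_t *clock = ttyclock_new("%H:%M:%S");
    if (!clock)
        return -1;
    if (ttyclock_install_handler(clock, SIGUSR1) != 0) {
        ttyclock_free(&clock);
        return -1;
    }
    int ticks = ttyclock_run(clock, 100, 3);
    int stopped = (clock->running == 0);
    ttyclock_free(&clock);
    ttyclock_free(&clock); /* second call is a no-op thanks to the nulled pointer */
    g_running = NULL;
    return stopped ? ticks : -2;
}

int main(void)
{
    printf("stopped after %d ticks\n", demo()); /* prints 3 */
    return 0;
}
```

The handler does nothing but store to a volatile sig_atomic_t; everything that touches the heap, stdio or the screen runs in the loop after the flag is observed, which is the only place it is safe.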