From: "A. Wilcox"
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: segfault on sscanf
Date: Thu, 14 Mar 2019 07:44:55 -0500
Message-ID: <7B2780E2-36BF-4D23-8556-FA138B227CD1@adelielinux.org>
References: <20190314104617.711ac7d8@faultier2go>
In-Reply-To: <20190314104617.711ac7d8@faultier2go>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Cc: Natanael ncopa Copa

On Mar 14, 2019, at 4:46 AM, Marian Buschsieweke wrote:
>
> Hi,
>
> running pdflatex on Alpine Linux for a specific document resulted in a
> segfault, which I could trace down to a specific call to sscanf.
> This is a minimum example to reproduce that segfault:
>
> #include <stdio.h>
>
> int main(void) {
>     const char *too_parse = "0 1 -1 0";
>     double f1,f2,f3,f4;
>     char dummy;
>     sscanf(too_parse, " %lf %lf %lf %lf %c", &f1, &f2, &f3, &f4, &dummy);
>
>     printf("f1=%f, f2=%f, f3=%f, f4=%f, dummy=\"%c\"\n", f1, f2, f3, f4, dummy);
>
>     return 0;
> }
>
> This is the backtrace:
>
> #0  0x00007ffff7fb7eba in vfscanf (f=f@entry=0x7fffffffe6f8,
>         fmt=<optimized out>, ap=ap@entry=0x7fffffffe7f8) at src/stdio/vfscanf.c:262
> #1  0x00007ffff7fb971a in vsscanf (s=<optimized out>, fmt=<optimized out>,
>         ap=ap@entry=0x7fffffffe7f8) at src/stdio/vsscanf.c:14
> #2  0x00007ffff7fb594d in sscanf (s=<optimized out>, fmt=<optimized out>)
>         at src/stdio/sscanf.c:9
> #3  0x0000555555555213 in main () at test.c:7
>
> I have the Alpine Linux package musl-1.1.21-r0 installed, which is musl
> version 1.1.21 with minimal changes.
>
> Kind regards,
> Marian

Hi Marian,

In your example you have four fields, but sscanf is looking for five. You have run off the end of the string. This is illegal/UB. Is this intentional in your test case?

Best,
—arw

--
A. Wilcox (Sent from my iPhone - not signed)
Project Lead, Adélie Linux
https://adelielinux.org
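Added example (not from either message above, nor musl's own code): the caller-side check the reply is asking about. The reproducer passes five conversion specifiers for an input that holds four fields, ignores sscanf's return value, and then prints `dummy` whether or not `%c` ever assigned it. The parser below keeps the same format string but uses the returned conversion count to tell a complete line from a short one or one with trailing text, initialises the `%c` target so it is never read unassigned, and only reports the numbers that were actually stored. The function names and the sample lines are constructed for this example; it does not work around the libc-side crash the backtrace shows, it only removes the undefined behaviour in the caller.

```c
#include <stdio.h>

/*
 * Parse up to four doubles from s with the same format the report uses.
 * Return value:
 *   4     exactly four numbers and nothing else (ignoring whitespace)
 *   0..3  the line was short; only out[0..n-1] were assigned
 *  -1     four numbers followed by extra text (the " %c" matched)
 * out[i] for i >= the returned count is left untouched, so callers must
 * not read it. (Hypothetical helper, constructed for this example.)
 */
int parse_four(const char *s, double out[4])
{
    char extra = '\0';  /* initialised: never read unassigned if %c fails */
    int n = sscanf(s, " %lf %lf %lf %lf %c",
                   &out[0], &out[1], &out[2], &out[3], &extra);

    if (n < 0)          /* EOF: empty or all-blank input, nothing assigned */
        return 0;
    if (n == 5)         /* %c consumed something after the fourth number */
        return -1;
    return n;           /* 0..4 numeric conversions succeeded */
}

/* Convenience wrapper for callers that only need the status code. */
int line_status(const char *s)
{
    double v[4];
    return parse_four(s, v);
}

int main(void)
{
    /* Constructed sample lines, including the report's own input. */
    const char *lines[] = {
        "0 1 -1 0",            /* the report's input: four fields, no fifth */
        "0 1 -1 0 x",          /* four fields plus trailing text */
        "0 1",                 /* short line */
        "",                    /* empty line */
        " 1.5 2.5 3.5 4.5\n",  /* leading/trailing whitespace is fine */
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        double v[4];
        int n = parse_four(lines[i], v);
        int j;

        printf("%-22s -> status %2d", lines[i], n);
        /* Print only the values sscanf actually stored. */
        for (j = 0; j < n; j++)
            printf(" %g", v[j]);
        putchar('\n');
    }
    return 0;
}
```

With the report's input the status is 4 and `dummy` is never touched, which is exactly the case the original program printed without checking; the `-1` branch is how the reporter's `%c` can still be used as a "nothing may follow" guard without trusting it blindly.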