Bug#860751: Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-20 Thread Thomas Dickey
On Thu, Apr 20, 2017 at 05:11:17PM +0200, Bernhard Übelacker wrote:
> Hello,
> this seems to be the same problem seen in #391051 for regular
> expressions (collect_RE).
> 
> In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
> in function collect_string.
> 
> Attached patch adds a similar check like in #391051 to collect_string.

hmm - upstream mawk makes 7 checks like this in scan.c

start here:

https://github.com/ThomasDickey/mawk-snapshots/blob/master/scan.c#L72

-- 
Thomas E. Dickey 
http://invisible-island.net
ftp://invisible-island.net




Bug#860751: Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-20 Thread Bernhard Übelacker
Hello,
this seems to be the same problem seen in #391051 for regular
expressions (collect_RE).

In this bug we overrun the size limit of string_buff (tempbuff._string_buff)
in function collect_string.

Attached patch adds a similar check like in #391051 to collect_string.

With that applied the build of win32-loader would fail with this message:
  awk: line 1: regular expression /grub2  ... exceeds implementation size limit


Kind regards,
Bernhard



(gdb) print sizeof(tempbuff._string_buff)
$1 = 400
(gdb) watch tempbuff._string_buff[399]
...
Hardware watchpoint 1: tempbuff._string_buff[399]

Old value = 0 '\000'
New value = 100 'd'
0x80004c60 in collect_string () at scan.c:985
985   switch (scan_code[*p++ = next()])
(gdb) bt
#0  0x80004c60 in collect_string () at scan.c:985
#1  yylex () at scan.c:651
#2  0x80002088 in yyparse () at y.tab.c:1735
#3  0x80003f15 in parse () at parse.y:1368
#4  0x8000188c in main (argc=3, argv=0xb274) at main.c:63
From b7bea87e72ee6a72691e1fa54d2a4555c9698026 Mon Sep 17 00:00:00 2001
From: root 
Date: Thu, 20 Apr 2017 16:54:05 +0200
Subject: Do not crash if argument is too long for our buffer

This patch modifies collect_string and is a copy of the
patch added to fix collect_RE in these bugs:
  https://bugs.launchpad.net/bug/23494
  https://bugs.debian.org/391051

Bug-Debian: https://bugs.debian.org/860751
---
 scan.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/scan.c b/scan.c
index ef4df50..e343890 100644
--- a/scan.c
+++ b/scan.c
@@ -982,6 +982,15 @@ collect_string()
int e_flag = 0 ;		 /* on if have an escape char */
 
while (1)
+   {
+  if (p >= string_buff + MIN_SPRINTF - 2)
+  {
+  compile_error(
+ "regular expression /%.10s ..."
+ " exceeds implementation size limit",
+ string_buff) ;
+ mawk_exit(2) ;
+  }
   switch (scan_code[*p++ = next()])
   {
 	 case SC_DQUOTE:	/* done */
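Review bot: the message copied from collect_RE misdescribes what overflowed: in collect_string it is a string constant, not a regular expression, yet the diagnostic reads `"regular expression /%.10s ..."`, which is exactly why the build above failed with `regular expression /grub2 ...`; use a string-specific message such as `"string constant \"%.10s ...\" exceeds implementation size limit"`. The check itself sits correctly ahead of the `*p++ = next()` write, but it bounds string_buff by MIN_SPRINTF, so it depends on that constant matching sizeof(tempbuff._string_buff) (400 in the gdb session); a sizeof-based bound would make that relationship explicit.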
@@ -1016,6 +1025,7 @@ collect_string()
 	 default:
 	break ;
   }
+   }
 
 out:
yylval.ptr = (PTR) new_STRING(
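Review bot: the closing `+   }` here (and the opening `+   {` in the previous hunk) are indented at a column that does not match the `while (1)` they enclose, and the loop body keeps its old indentation, so the switch now reads as if it sat outside the loop; re-indent the body one level so the new structure is visible without mentally matching braces.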
-- 
2.11.0
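As an added illustration (written for this page, not mawk's code and not part of the thread), a self-contained model of the bounds check the patch adds to collect_string: a string literal is collected into a 400-byte buffer mirroring tempbuff._string_buff, and an over-long literal is refused before the write that would overrun, returning a status instead of calling compile_error()/mawk_exit(). The names STRING_BUFF_SIZE, collect_status, collected_equals and scan_literal_of_length are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the scanner buffer: the gdb session shows
   sizeof(tempbuff._string_buff) == 400. Illustration only, not mawk's code. */
#define STRING_BUFF_SIZE 400

enum collect_status { COLLECT_OK, COLLECT_UNTERMINATED, COLLECT_TOO_LONG };
/* Collect the body of a double-quoted literal (src points just past the
   opening quote) into buff, NUL-terminated. A backslash and the byte after it
   are both stored, so \" does not end the literal. Returns a status instead of
   calling compile_error()/mawk_exit(). */
enum collect_status collect_string(const char *src, char *buff)
{
    char *p = buff;
    for (;;) {
        /* The check the patch adds, ahead of the write that would overrun;
           the -2 margin leaves room for a two-byte escape plus the NUL. */
        if (p >= buff + STRING_BUFF_SIZE - 2)
            return COLLECT_TOO_LONG;
        char c = *src++;
        if (c == '\0' || c == '\n')
            return COLLECT_UNTERMINATED;    /* runaway string constant */
        if (c == '"')
            break;                          /* closing quote: done */
        *p++ = c;
        if (c == '\\' && *src != '\0')
            *p++ = *src++;                  /* keep the escaped byte too */
    }
    *p = '\0';
    return COLLECT_OK;
}

/* Scan src and check that the collected text equals expect. */
int collected_equals(const char *src, const char *expect)
{
    char buff[STRING_BUFF_SIZE];
    return collect_string(src, buff) == COLLECT_OK && strcmp(buff, expect) == 0;
}

/* Build a literal of n 'x' bytes plus the closing quote and report its status. */
enum collect_status scan_literal_of_length(size_t n)
{
    char buff[STRING_BUFF_SIZE];
    char *src = malloc(n + 2);
    memset(src, 'x', n);
    src[n] = '"'; src[n + 1] = '\0';
    enum collect_status st = collect_string(src, buff);
    free(src);
    return st;
}
```

With this margin a literal of up to 397 bytes is accepted and a 398-byte one is refused, which is the trade-off the `- 2` in the patch makes.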



Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-19 Thread Didier 'OdyX' Raboud
Control: clone -1 -2
Control: reassign -2 mawk 1.3.3-17
Control: reopen -2 o...@debian.org
Control: retitle -2 mawk: segfaults on i386 during win32-loader build
Control: severity -2 serious

On Wednesday, 19 April 2017, 17.31:26 h CEST Didier 'OdyX' Raboud wrote:
> On Wednesday, 19 April 2017, 15.44:00 h CEST Sven Joachim wrote:
> > >> Relevant part (hopefully):
> > > Actually:
> > >> > # Prepare the README file
> > >> > awk
> > >> > (…)
> > >> > Segmentation fault
> > > 
> > > `awk` segfaults here. This seems to be an awk bug, or problem. Is the
> > > command-line for it too long, or is it something else?
> > 
> > Possibly it's the same problem as #158481.  A workaround is to use
> > original-awk or gawk instead of awk (and build-depend on it, of course).
> > 
> > I don't feel like debugging this issue, since mawk in Debian is
> > unmaintained. :-(
> 
> Thanks for the information; I've successfully reproduced the awk segfault in
> an i386 porterbox, and I can confirm the gawk replacement fixes that.

Hereby cloning, reopening and reassigning to mawk, with a severity: serious. 
Will see if I can reproduce with a simpler test-case.

Cheers,
OdyX



Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-19 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo +pending

On Wednesday, 19 April 2017, 15.44:00 h CEST Sven Joachim wrote:
> >> Relevant part (hopefully):
> > Actually:
> >> > # Prepare the README file
> >> > awk
> >> > (…)
> >> > Segmentation fault
> > 
> > `awk` segfaults here. This seems to be an awk bug, or problem. Is the
> > command-line for it too long, or is it something else?
> 
> Possibly it's the same problem as #158481.  A workaround is to use
> original-awk or gawk instead of awk (and build-depend on it, of course).
> 
> I don't feel like debugging this issue, since mawk in Debian is
> unmaintained. :-(

Thanks for the information; I've successfully reproduced the awk segfault in an
i386 porterbox, and I can confirm the gawk replacement fixes that.

I will upload a simple fix later today.

-- 
OdyX



Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-19 Thread Sven Joachim
On 2017-04-19 13:32 +0200, Didier 'OdyX' Raboud wrote:

> Control: tags -1 +moreinfo +help
>
> On Wednesday, 19 April 2017, 09.28:30 h CEST Lucas Nussbaum wrote:
>> During a rebuild of all packages in stretch (in a stretch chroot, not a
>> sid chroot), your package failed to build on i386.
>
> win32-loader is an arch:all package, and is "usually" built on amd64 buildds,
> on which it builds fine. This i386-specific FTBFS has been visible through the
> reproducible builds infrastructure for a while:
>
>   
> https://tests.reproducible-builds.org/debian/rb-pkg/testing/i386/win32-loader.html
>
>> Relevant part (hopefully):
>
> Actually:
>
>> > # Prepare the README file
>> > awk
>> > '{sub(/@PACKAGES_LIST@/,"grub2 2.02~beta3-5  
>> > http://ftp.debian.org/debian/pool/main/g/grub2\ncpio  
>> > 2.11+dfsg-6   http://ftp.debian.org/debian/pool/main/c/cpi
>> > o\ngzip  1.6-5 http://ftp.debian.o
>> > rg/debian/pool/main/g/gzip\ngnupg22.1.18-6
>> >   http://ftp.debian.org/debian/pool/main/g/gnupg2\ndebian-archive-keyr
>> > ing2014.3http://ftp.debian.org/debian/pool/main/d/
>> > debian-archive-keyring\nloadlin   1.6f-5  
>> >   http://ftp.debian.org/debian/pool/main/l/loadlin\nipxe  
>> > 1.0.0+git-20161027.b991c6
>> > http://ftp.debian.org/debian/pool/main/i/ipxe\nnsis  
>> > 2.51-1http://ftp.debian.org/debian/pool/main/n/nsis\nl
>> > ibgcrypt20   1.7.6-1   http://ftp.debian.org/d
>> > ebian/pool/main/l/libgcrypt20\nlibgpg-error  1.26-2   
>> >  http://ftp.debian.org/debian/pool/main/l/libgpg-error\n;)}1 \
>> > {sub(/@NSIS_VERSION@/,"2.51-1+b1")}1 \
>> > {sub(/@W32_VERSION@/,"0.8.2")}1' \
>> > debian/win32-loader_doc.txt > win32-loader_0.8.2_all.txt
>> > Segmentation fault
>
> `awk` segfaults here. This seems to be an awk bug, or problem. Is the
> command-line for it too long, or is it something else?

Possibly it's the same problem as #158481.  A workaround is to use
original-awk or gawk instead of awk (and build-depend on it, of course).

I don't feel like debugging this issue, since mawk in Debian is
unmaintained. :-(

Cheers,
   Sven



Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-19 Thread Didier 'OdyX' Raboud
Control: tags -1 +moreinfo +help

On Wednesday, 19 April 2017, 09.28:30 h CEST Lucas Nussbaum wrote:
> During a rebuild of all packages in stretch (in a stretch chroot, not a
> sid chroot), your package failed to build on i386.

win32-loader is an arch:all package, and is "usually" built on amd64 buildds,
on which it builds fine. This i386-specific FTBFS has been visible through the
reproducible builds infrastructure for a while:


https://tests.reproducible-builds.org/debian/rb-pkg/testing/i386/win32-loader.html

> Relevant part (hopefully):

Actually:

> > # Prepare the README file
> > awk
> > '{sub(/@PACKAGES_LIST@/,"grub2 2.02~beta3-5  
> > http://ftp.debian.org/debian/pool/main/g/grub2\ncpio  
> > 2.11+dfsg-6   http://ftp.debian.org/debian/pool/main/c/cpi
> > o\ngzip  1.6-5 http://ftp.debian.o
> > rg/debian/pool/main/g/gzip\ngnupg22.1.18-6
> >   http://ftp.debian.org/debian/pool/main/g/gnupg2\ndebian-archive-keyr
> > ing2014.3http://ftp.debian.org/debian/pool/main/d/
> > debian-archive-keyring\nloadlin   1.6f-5  
> >   http://ftp.debian.org/debian/pool/main/l/loadlin\nipxe  
> > 1.0.0+git-20161027.b991c6
> > http://ftp.debian.org/debian/pool/main/i/ipxe\nnsis  
> > 2.51-1http://ftp.debian.org/debian/pool/main/n/nsis\nl
> > ibgcrypt20   1.7.6-1   http://ftp.debian.org/d
> > ebian/pool/main/l/libgcrypt20\nlibgpg-error  1.26-2   
> >  http://ftp.debian.org/debian/pool/main/l/libgpg-error\n;)}1 \
> > {sub(/@NSIS_VERSION@/,"2.51-1+b1")}1 \
> > {sub(/@W32_VERSION@/,"0.8.2")}1' \
> > debian/win32-loader_doc.txt > win32-loader_0.8.2_all.txt
> > Segmentation fault

`awk` segfaults here. This seems to be an awk bug, or problem. Is the
command-line for it too long, or is it something else?

Cheers,
OdyX



Bug#860695: win32-loader: FTBFS on i386: segmentation fault

2017-04-19 Thread Lucas Nussbaum
Source: win32-loader
Version: 0.8.2
Severity: serious
Tags: stretch sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20170418-i386 qa-ftbfs
Justification: FTBFS in stretch on i386

Hi,

During a rebuild of all packages in stretch (in a stretch chroot, not a
sid chroot), your package failed to build on i386.

Relevant part (hopefully):
> make[3]: Entering directory '/<>/l10n'
> gcc -DTEXTDOMAINDIR=\"/<>/l10n/locale\" win32-loader.c -o win32-loader
> xgettext --msgid-bugs-address=win32-loa...@packages.debian.org --from-code=utf-8 -ctranslate --keyword=_ win32-loader.sh win32-loader.c -o po/messages.pot
> mkdir -p templates locale/ar/LC_MESSAGES
> msgmerge -U po/ar.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/ar/LC_MESSAGES/win32-loader.mo po/ar.po
> 66 translated messages.
> LANGUAGE=ar ./win32-loader.sh > templates/ar.nsh
> mkdir -p templates locale/be/LC_MESSAGES
> msgmerge -U po/be.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/be/LC_MESSAGES/win32-loader.mo po/be.po
> po/be.po:9: warning: header field 'Language' still has the initial default value
> 66 translated messages.
> LANGUAGE=be ./win32-loader.sh > templates/be.nsh
> mkdir -p templates locale/bg/LC_MESSAGES
> msgmerge -U po/bg.po po/messages.pot
> ... done.
> msgfmt -c --statistics -o locale/bg/LC_MESSAGES/win32-loader.mo po/bg.po
> 66 translated messages.
> LANGUAGE=bg ./win32-loader.sh > templates/bg.nsh
> mkdir -p templates locale/bs/LC_MESSAGES
> msgmerge -U po/bs.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/bs/LC_MESSAGES/win32-loader.mo po/bs.po
> 66 translated messages.
> LANGUAGE=bs ./win32-loader.sh > templates/bs.nsh
> mkdir -p templates locale/ca/LC_MESSAGES
> msgmerge -U po/ca.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/ca/LC_MESSAGES/win32-loader.mo po/ca.po
> 66 translated messages.
> LANGUAGE=ca ./win32-loader.sh > templates/ca.nsh
> mkdir -p templates locale/cs/LC_MESSAGES
> msgmerge -U po/cs.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/cs/LC_MESSAGES/win32-loader.mo po/cs.po
> 66 translated messages.
> LANGUAGE=cs ./win32-loader.sh > templates/cs.nsh
> mkdir -p templates locale/da/LC_MESSAGES
> msgmerge -U po/da.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/da/LC_MESSAGES/win32-loader.mo po/da.po
> 66 translated messages.
> LANGUAGE=da ./win32-loader.sh > templates/da.nsh
> mkdir -p templates locale/de/LC_MESSAGES
> msgmerge -U po/de.po po/messages.pot
> ... done.
> msgfmt -c --statistics -o locale/de/LC_MESSAGES/win32-loader.mo po/de.po
> po/de.po:8: warning: header field 'Language' still has the initial default value
> 66 translated messages.
> LANGUAGE=de ./win32-loader.sh > templates/de.nsh
> mkdir -p templates locale/el/LC_MESSAGES
> msgmerge -U po/el.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/el/LC_MESSAGES/win32-loader.mo po/el.po
> 66 translated messages.
> LANGUAGE=el ./win32-loader.sh > templates/el.nsh
> mkdir -p templates
> LANGUAGE=C ./win32-loader.sh > templates/en.nsh
> mkdir -p templates locale/eo/LC_MESSAGES
> msgmerge -U po/eo.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/eo/LC_MESSAGES/win32-loader.mo po/eo.po
> 66 translated messages.
> LANGUAGE=eo ./win32-loader.sh > templates/eo.nsh
> mkdir -p templates locale/es/LC_MESSAGES
> msgmerge -U po/es.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/es/LC_MESSAGES/win32-loader.mo po/es.po
> po/es.po:36: warning: header field 'Language' still has the initial default value
> 66 translated messages.
> LANGUAGE=es ./win32-loader.sh > templates/es.nsh
> mkdir -p templates locale/eu/LC_MESSAGES
> msgmerge -U po/eu.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/eu/LC_MESSAGES/win32-loader.mo po/eu.po
> 43 translated messages, 13 fuzzy translations, 10 untranslated messages.
> LANGUAGE=eu ./win32-loader.sh > templates/eu.nsh
> mkdir -p templates locale/fa/LC_MESSAGES
> msgmerge -U po/fa.po po/messages.pot
>  done.
> msgfmt -c --statistics -o locale/fa/LC_MESSAGES/win32-loader.mo po/fa.po
> 66 translated messages.
> LANGUAGE=fa ./win32-loader.sh > templates/fa.nsh
>