binutils-gdb/readline
Tom de Vries 830b67068c [readline] Fix heap-buffer-overflow in update_line
When:
- building trunk gdb with '-fsanitize=address -lasan',
- running gdb tests with "export ASAN_OPTIONS=detect_leaks=0",
I run into a heap-buffer-overflow failure for
gdb.base/utf8-identifiers.exp.

In more detail, the libasan error report looks like this:
...
=================================================================
==22340==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x619000054a80 at pc 0x7fcd0306b4c9 bp 0x7fffb1a8d880 sp 0x7fffb1a8d030
READ of size 32766 at 0x619000054a80 thread T0
    #0 0x7fcd0306b4c8  (/usr/lib64/libasan.so.4+0xae4c8)
    #1 0x15f12a1 in update_line
/data/gdb_versions/devel/src/readline/display.c:1377
    #2 0x15f03cb in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:1204
    #3 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
    #4 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
    #5 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
    #6 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
    #7 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
    #8 0xd7d6c1 in command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&)
/data/gdb_versions/devel/src/gdb/event-top.c:776
    #9 0xd7b92a in gdb_rl_callback_handler
/data/gdb_versions/devel/src/gdb/event-top.c:217
    #10 0x15ff479 in rl_callback_read_char
/data/gdb_versions/devel/src/readline/callback.c:220
    #11 0xd7b4d5 in gdb_rl_callback_read_char_wrapper_noexcept
/data/gdb_versions/devel/src/gdb/event-top.c:175
    #12 0xd7b6b5 in gdb_rl_callback_read_char_wrapper
/data/gdb_versions/devel/src/gdb/event-top.c:192
    #13 0xd7c8aa in stdin_event_handler(int, void*)
/data/gdb_versions/devel/src/gdb/event-top.c:514
    #14 0xd76ca7 in handle_file_event
/data/gdb_versions/devel/src/gdb/event-loop.c:731
    #15 0xd7751f in gdb_wait_for_event
/data/gdb_versions/devel/src/gdb/event-loop.c:857
    #16 0xd7547e in gdb_do_one_event()
/data/gdb_versions/devel/src/gdb/event-loop.c:321
    #17 0xd75526 in start_event_loop()
/data/gdb_versions/devel/src/gdb/event-loop.c:370
    #18 0x101b04c in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:331
    #19 0x101de73 in captured_main
/data/gdb_versions/devel/src/gdb/main.c:1173
    #20 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
    #21 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #22 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)
    #23 0x872bc9 in _start (/data/gdb_versions/devel/build/gdb/gdb+0x872bc9)

0x619000054a80 is located 0 bytes to the right of 1024-byte region
[0x619000054680,0x619000054a80)
allocated by thread T0 here:
    #0 0x7fcd03099510 in malloc (/usr/lib64/libasan.so.4+0xdc510)
    #1 0xae0078 in xmalloc
/data/gdb_versions/devel/src/gdb/common/common-utils.c:44
    #2 0x15eaccb in init_line_structures
/data/gdb_versions/devel/src/readline/display.c:458
    #3 0x15eb4d8 in rl_redisplay
/data/gdb_versions/devel/src/readline/display.c:526
    #4 0x15bf932 in readline_internal_setup
/data/gdb_versions/devel/src/readline/readline.c:394
    #5 0x15fe723 in _rl_callback_newline
/data/gdb_versions/devel/src/readline/callback.c:89
    #6 0x15fe7ef in rl_callback_handler_install
/data/gdb_versions/devel/src/readline/callback.c:102
    #7 0xd7bce6 in gdb_rl_callback_handler_install(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:319
    #8 0xd7c0c6 in display_gdb_prompt(char const*)
/data/gdb_versions/devel/src/gdb/event-top.c:409
    #9 0xaa041b in cli_interp_base::pre_command_loop()
/data/gdb_versions/devel/src/gdb/cli/cli-interp.c:286
    #10 0xf5342a in interp_pre_command_loop(interp*)
/data/gdb_versions/devel/src/gdb/interps.c:320
    #11 0x101b047 in captured_command_loop
/data/gdb_versions/devel/src/gdb/main.c:328
    #12 0x101de73 in captured_main
/data/gdb_versions/devel/src/gdb/main.c:1173
    #13 0x101df03 in gdb_main(captured_main_args*)
/data/gdb_versions/devel/src/gdb/main.c:1188
    #14 0x872dba in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #15 0x7fcd00f2ff49 in __libc_start_main (/lib64/libc.so.6+0x20f49)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.4+0xae4c8)
Shadow bytes around the buggy address:
  0x0c3280002900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280002950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280002970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280002990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c32800029a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22340==ABORTING
...

I've written an assert in rl_redisplay that formulates the error condition:
...
@@ -1387,6 +1389,10 @@ rl_redisplay (void)
          cpos_adjusted = 0;
+         assert (last_lmargin + (_rl_screenwidth + visible_wrap_offset)
+                 <= line_size);
+         assert (lmargin + (_rl_screenwidth + (lmargin ? 0 : wrap_offset))
+                 <= line_size);
          update_line (&visible_line[last_lmargin],
                       &invisible_line[lmargin],
                       0,
                       _rl_screenwidth + visible_wrap_offset,
                       _rl_screenwidth + (lmargin ? 0 : wrap_offset),
                       0);
...
which triggers without needing the address sanitizer (or even an executable),
like this:
...
$ TERM=dumb gdb -q -ex "set width 0"
gdb: src/display.c:1393: rl_redisplay: Assertion
`last_lmargin + (_rl_screenwidth + visible_wrap_offset) <= line_size'
failed.
Aborted (core dumped)
...

The basic problem is this: visible_line and invisible_line have length
line_size, but the update_line call assumes that line_size is at least
_rl_screenwidth + 1.  Executing "set width 0" sets _rl_screenwidth to 32766 but
doesn't affect line_size, which is initialized to 1024.

Fix this by ensuring in init_line_structures and rl_redisplay that line_size
is at least _rl_screenwidth + 1.

Tested on x86_64-linux.

Reviewed by readline maintainer (
https://sourceware.org/ml/gdb-patches/2019-05/msg00566.html ).

readline/ChangeLog.gdb:

2019-07-12  Tom de Vries  <tdevries@suse.de>
	    Chet Ramey  <chet.ramey@case.edu>

	PR cli/24514
	* readline/display.c (init_line_structures, rl_redisplay): Ensure
	line_size is at	least _rl_screenwidth + 1.
2019-07-12 09:53:02 +02:00
..
cross-build
doc
examples
shlib
support config.guess,config.sub: synchronize with config project master sources 2019-05-23 18:19:56 +02:00
aclocal.m4
ansi_stdlib.h
bind.c
callback.c
CHANGELOG
ChangeLog.gdb [readline] Fix heap-buffer-overflow in update_line 2019-07-12 09:53:02 +02:00
CHANGES
chardefs.h
compat.c
complete.c
config.h.in
configure
configure.in
COPYING
display.c [readline] Fix heap-buffer-overflow in update_line 2019-07-12 09:53:02 +02:00
emacs_keymap.c
funmap.c
histexpand.c
histfile.c
histlib.h
history.c
history.h
histsearch.c
input.c
INSTALL
isearch.c
keymaps.c
keymaps.h
kill.c
macro.c
Makefile.in
MANIFEST
mbutil.c
misc.c
NEWS
nls.c
parens.c
patchlevel
posixdir.h
posixjmp.h
posixselect.h
posixstat.h
readline.c
readline.h
README
rlconf.h
rldefs.h
rlmbutil.h
rlprivate.h
rlshell.h
rlstdc.h
rltty.c
rltty.h
rltypedefs.h
rlwinsize.h
savestring.c
search.c
shell.c
signals.c
tcap.h
terminal.c
text.c
tilde.c
tilde.h
undo.c
USAGE
util.c
vi_keymap.c
vi_mode.c
xfree.c
xmalloc.c
xmalloc.h

Introduction
============

This is the Gnu Readline library, version 6.2.

The Readline library provides a set of functions for use by applications
that allow users to edit command lines as they are typed in.  Both
Emacs and vi editing modes are available.  The Readline library includes
additional functions to maintain a list of previously-entered command
lines, to recall and perhaps reedit those lines, and perform csh-like
history expansion on previous commands.

The history facilites are also placed into a separate library, the
History library, as part of the build process.  The History library
may be used without Readline in applications which desire its
capabilities.

The Readline library is free software, distributed under the terms of
the [GNU] General Public License as published by the Free Software
Foundation, version 3 of the License.  For more information, see the
file COPYING.

To build the library, try typing `./configure', then `make'.  The
configuration process is automated, so no further intervention should
be necessary.  Readline builds with `gcc' by default if it is
available.  If you want to use `cc' instead, type

        CC=cc ./configure

if you are using a Bourne-style shell.  If you are not, the following
may work:

        env CC=cc ./configure

Read the file INSTALL in this directory for more information about how
to customize and control the build process.

The file rlconf.h contains C preprocessor defines that enable and disable
certain Readline features.

The special make target `everything' will build the static and shared
libraries (if the target platform supports them) and the examples.

Examples
========

There are several example programs that use Readline features in the
examples directory.  The `rl' program is of particular interest.  It
is a command-line interface to Readline, suitable for use in shell
scripts in place of `read'.

Shared Libraries
================

There is skeletal support for building shared versions of the
Readline and History libraries.  The configure script creates
a Makefile in the `shlib' subdirectory, and typing `make shared'
will cause shared versions of the Readline and History libraries
to be built on supported platforms.

If `configure' is given the `--enable-shared' option, it will attempt
to build the shared libraries by default on supported platforms.

Configure calls the script support/shobj-conf to test whether or
not shared library creation is supported and to generate the values
of variables that are substituted into shlib/Makefile.  If you
try to build shared libraries on an unsupported platform, `make'
will display a message asking you to update support/shobj-conf for
your platform.

If you need to update support/shobj-conf, you will need to create
a `stanza' for your operating system and compiler.  The script uses
the value of host_os and ${CC} as determined by configure.  For
instance, FreeBSD 4.2 with any version of gcc is identified as
`freebsd4.2-gcc*'.

In the stanza for your operating system-compiler pair, you will need to
define several variables.  They are:

SHOBJ_CC	The C compiler used to compile source files into shareable
		object files.  This is normally set to the value of ${CC}
		by configure, and should not need to be changed.

SHOBJ_CFLAGS	Flags to pass to the C compiler ($SHOBJ_CC) to create
		position-independent code.  If you are using gcc, this
		should probably be set to `-fpic'.

SHOBJ_LD	The link editor to be used to create the shared library from
		the object files created by $SHOBJ_CC.  If you are using
		gcc, a value of `gcc' will probably work.

SHOBJ_LDFLAGS	Flags to pass to SHOBJ_LD to enable shared object creation.
		If you are using gcc, `-shared' may be all that is necessary.
		These should be the flags needed for generic shared object
		creation.

SHLIB_XLDFLAGS	Additional flags to pass to SHOBJ_LD for shared library
		creation.  Many systems use the -R option to the link
		editor to embed a path within the library for run-time
		library searches.  A reasonable value for such systems would
		be `-R$(libdir)'.

SHLIB_LIBS	Any additional libraries that shared libraries should be
		linked against when they are created.

SHLIB_LIBPREF	The prefix to use when generating the filename of the shared
		library.  The default is `lib'; Cygwin uses `cyg'.

SHLIB_LIBSUFF	The suffix to add to `libreadline' and `libhistory' when
		generating the filename of the shared library.  Many systems
		use `so'; HP-UX uses `sl'.

SHLIB_LIBVERSION The string to append to the filename to indicate the version
		of the shared library.  It should begin with $(SHLIB_LIBSUFF),
		and possibly include version information that allows the
		run-time loader to load the version of the shared library
		appropriate for a particular program.  Systems using shared
		libraries similar to SunOS 4.x use major and minor library
		version numbers; for those systems a value of
		`$(SHLIB_LIBSUFF).$(SHLIB_MAJOR)$(SHLIB_MINOR)' is appropriate.
		Systems based on System V Release 4 don't use minor version
		numbers; use `$(SHLIB_LIBSUFF).$(SHLIB_MAJOR)' on those systems.
		Other Unix versions use different schemes.

SHLIB_DLLVERSION The version number for shared libraries that determines API
		compatibility between readline versions and the underlying
		system.  Used only on Cygwin.  Defaults to $SHLIB_MAJOR, but
		can be overridden at configuration time by defining DLLVERSION
		in the environment.

SHLIB_DOT	The character used to separate the name of the shared library
		from the suffix and version information.  The default is `.';
		systems like Cygwin which don't separate version information
		from the library name should set this to the empty string.

SHLIB_STATUS	Set this to `supported' when you have defined the other
		necessary variables.  Make uses this to determine whether
		or not shared library creation should be attempted.

You should look at the existing stanzas in support/shobj-conf for ideas.

Once you have updated support/shobj-conf, re-run configure and type
`make shared'.  The shared libraries will be created in the shlib
subdirectory.

If shared libraries are created, `make install' will install them. 
You may install only the shared libraries by running `make
install-shared' from the top-level build directory.  Running `make
install' in the shlib subdirectory will also work.  If you don't want
to install any created shared libraries, run `make install-static'. 

Documentation
=============

The documentation for the Readline and History libraries appears in
the `doc' subdirectory.  There are three texinfo files and a
Unix-style manual page describing the facilities available in the
Readline library.  The texinfo files include both user and
programmer's manuals.  HTML versions of the manuals appear in the
`doc' subdirectory as well. 

Reporting Bugs
==============

Bug reports for Readline should be sent to:

        bug-readline@gnu.org

When reporting a bug, please include the following information:

        * the version number and release status of Readline (e.g., 4.2-release)
        * the machine and OS that it is running on
        * a list of the compilation flags or the contents of `config.h', if
          appropriate
        * a description of the bug
        * a recipe for recreating the bug reliably
        * a fix for the bug if you have one!

If you would like to contact the Readline maintainer directly, send mail
to bash-maintainers@gnu.org.

Since Readline is developed along with bash, the bug-bash@gnu.org mailing
list (mirrored to the Usenet newsgroup gnu.bash.bug) often contains
Readline bug reports and fixes. 

Chet Ramey
chet.ramey@case.edu