Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ncurses: *** buffer overflow detected ***: terminated with -D_FORTIFY_SOURCE=3 #91344

Closed
marxin mannequin opened this issue Apr 1, 2022 · 2 comments
Closed

ncurses: *** buffer overflow detected ***: terminated with -D_FORTIFY_SOURCE=3 #91344

marxin mannequin opened this issue Apr 1, 2022 · 2 comments

Comments

@marxin
Copy link
Mannequin

marxin mannequin commented Apr 1, 2022

BPO 47188
Nosy @siddhesh, @marxin

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2022-04-06.08:13:27.456>
created_at = <Date 2022-04-01.15:25:59.003>
labels = []
title = 'ncurses: *** buffer overflow detected ***: terminated with -D_FORTIFY_SOURCE=3'
updated_at = <Date 2022-04-06.08:13:27.456>
user = 'https://github.com/marxin'

bugs.python.org fields:

activity = <Date 2022-04-06.08:13:27.456>
actor = 'Martin Li\xc5\xa1ka'
assignee = 'none'
closed = True
closed_date = <Date 2022-04-06.08:13:27.456>
closer = 'Martin Li\xc5\xa1ka'
components = []
creation = <Date 2022-04-01.15:25:59.003>
creator = 'Martin Li\xc5\xa1ka'
dependencies = []
files = []
hgrepos = []
issue_num = 47188
keywords = []
message_count = 2.0
messages = ['416495', '416844']
nosy_count = 2.0
nosy_names = ['siddhesh', 'Martin Li\xc5\xa1ka']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'resolved'
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue47188'
versions = []
@marxin
Copy link
Mannequin Author

marxin mannequin commented Apr 1, 2022

Note -D_FORTIFY_SOURCE=3 will come newly with GCC12. So I noticed the following error:

demo.py:

import curses

curses.initscr()
curses.unget_wch('a')

Error message:
*** buffer overflow detected ***: terminated

Backtrace:
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007ffff7d1e1e3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff7cce306 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff7cb7813 in __GI_abort () at abort.c:79
#4 0x00007ffff7d111b7 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7e573cf "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007ffff7db630a in __GI___fortify_fail (msg=msg@entry=0x7ffff7e57375 "buffer overflow detected") at fortify_fail.c:26
#6 0x00007ffff7db48b6 in __GI___chk_fail () at chk_fail.c:28
#7 0x00007ffff7db5be8 in __wcrtomb_chk (s=s@entry=0xaae440 "\376\271\255", wchar=wchar@entry=97 L'a', ps=ps@entry=0x7fffffffd4f0, buflen=buflen@entry=1) at wcrtomb_chk.c:31
#8 0x00007ffff7a18b31 in wcrtomb (__ps=<optimized out>, __wchar=<optimized out>, __s=<optimized out>, __s=<optimized out>, __wchar=<optimized out>, __ps=<optimized out>) at /usr/include/bits/wchar2.h:402
#9 unget_wch_sp (sp=0xab0920, wch=97 L'a') at ../ncurses/./widechar/lib_unget_wch.c:89
#10 0x00007ffff7a18b61 in unget_wch (wch=<optimized out>) at ../ncurses/./widechar/lib_unget_wch.c:113
#11 0x00007ffff7a55be5 in _curses_unget_wch (module=<optimized out>, ch='a') at /home/marxin/Programming/cpython/Modules/_cursesmodule.c:4497
#12 0x00000000006f6669 in cfunction_vectorcall_O (func=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>, args=0x7ffff7b355b0, nargsf=<optimized out>, kwnames=0x0) at Objects/methodobject.c:512
#13 0x000000000042d0e8 in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=<optimized out>, args=<optimized out>, callable=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>, tstate=<optimized out>) at ./Include/cpython/abstract.h:114
#14 PyObject_Vectorcall (kwnames=0x0, nargsf=<optimized out>, args=<optimized out>, callable=<built-in method unget_wch of module object at remote 0x7ffff7a8f4a0>) at ./Include/cpython/abstract.h:123
#15 call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>, bounds=0x7fffffffd640, tstate=0xa70520) at Python/ceval.c:5379
#16 _PyEval_EvalFrameDefault (tstate=<optimized out>, f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:3772

So as seen __wcrtomb_chk is called with buflen == 1 and the function aborts if:

size_t
__wcrtomb_chk (char *s, wchar_t wchar, mbstate_t *ps, size_t buflen)
{
/* We do not have to implement the full wctomb semantics since we
know that S cannot be NULL when we come here. */
if (buflen < MB_CUR_MAX)
__chk_fail ();

return __wcrtomb (s, wchar, ps);
}

Where MB_CUR_MAX == 6.

So the question is if the issue is in libcurses library (that is compiler with -D_FORTIFY_SOURCE=3), or in Modules/_cursesmodule.c?

@marxin
Copy link
Mannequin Author

marxin mannequin commented Apr 6, 2022

So the issue is ncurses, closing here.

@marxin marxin mannequin closed this as completed Apr 6, 2022
@marxin marxin mannequin closed this as completed Apr 6, 2022
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants