raveit65
commented
1 year ago Seems the issue is still landed in next fedora release (38).
Program terminated with signal SIGABRT, Aborted.
warning: Section `.reg-xstate/2186' in core file too small.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7ff2cff3fac0 (LWP 2186))]
Thread 1 (Thread 0x7ff2cff3fac0 (LWP 2186)):
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
tid = <optimized out>
ret = 0
pd = <optimized out>
old_mask = {__val = {13}}
ret = <optimized out>
#1 0x00007ff2d1037c03 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
No locals.
#2 0x00007ff2d0fe6aee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
ret = <optimized out>
#3 0x00007ff2d0fcf87f in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {93896012798768, 24, 140722627469632, 140722627469440, 140680867245573, 140722627469632, 93896012798768, 140722627469472, 140680867379691, 93896012798768, 15138960226847091968, 140722627469616, 18446744073709551496, 11, 15138960226847091968, 93896004860144}}, sa_flags = -120, sa_restorer = 0xb}
#4 0x00007ff2d0fd060f in __libc_message (fmt=fmt@entry=0x7ff2d114b2e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
ap = {{gp_offset = 16, fp_offset = 21861, overflow_arg_area = 0x7ffc8a38e230, reg_save_area = 0x7ffc8a38e1c0}}
fd = 2
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
#5 0x00007ff2d10cbb29 in __GI___fortify_fail (msg=msg@entry=0x7ff2d114b28c "buffer overflow detected") at fortify_fail.c:24
No locals.
#6 0x00007ff2d10ca364 in __GI___chk_fail () at chk_fail.c:28
No locals.
#7 0x00005565dd7e7c62 in strcpy (__src=0x5565de7d1b30 "Monospace 12", __dest=0x7ffc8a38e250 "\320\342\070\212\374\177") at /usr/include/bits/string_fortified.h:79
No locals.
#8 pluma_window_key_press_event (widget=0x5565de03f8f0, event=event@entry=0x5565de7b3960) at /usr/src/debug/pluma-1.26.0-6.fc38.x86_64/pluma/pluma-window.c:322
nsize = 21861
tmp = <optimized out>
tmp = <optimized out>
font = <optimized out>
tempsize = 0x5565de7d1c70 "12"
tempfont = "\320\342\070\212\374\177\000\000\004|~\335"
window = 0x5565de03f8f0
handled = 0
settings = 0x5565de7d0d80
grand_parent_class = 0x5565ddf3f9e0
#9 0x00007ff2d189c967 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x5565ddf32ed0, return_value=0x7ffc8a38e430, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5565ddf32f00) at gtk/gtkmarshalers.c:130
cc = <optimized out>
data1 = <optimized out>
data2 = 0x5565ddf2b1f0
callback = 0x5565dd7e7ae0 <pluma_window_key_press_event>
v_return = <optimized out>
arg0 = 0x5565de7b3960
args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffc8a38e5c0, reg_save_area = 0x7ffc8a38e500}}
__func__ = "_gtk_marshal_BOOLEAN__BOXEDv"I will test if this commit helps.
Closes #664
The size of tempfont was one byte too short, so strcpy performed an out-of-bounds write when writing the terminating 0. This lead to segfault when D_FORTIFY_SOURCE=3 compiler flag was turned on.
Fix tested on openSUSE Tumbleweed.