Open pfuetz opened 2 years ago
Thanks for the report, it's easy to reproduce the problem.
```
mutt:core> ::status
...
process terminated by SIGSEGV (Segmentation Fault) code=1 (SEGV_MAPERR), addr=78
mutt:core> <rip=p
mutt_complete+0x506
mutt:core> <rip::dis -n1
mutt_complete+0x503: movsbl (%rbx),%esi
mutt_complete+0x506: movl (%rsi),%eax
mutt_complete+0x508: movsbl %cl,%r11d
mutt:core> <rsi=p
0x78
```
The disassembly of mutt_complete() shows an obvious issue at offsets 0x503 and 0x506. Loading 8 bits from memory into %esi, sign-extending the result and then dereferencing the %rsi value as a 64-bit pointer is usually a bad idea [1]. No wonder mutt got a SIGSEGV when it executed the instruction at offset 0x506, trying to do a memory load from address 0x78.
The good news is that the fix for this issue is known.
[1] The instruction at offset 0x503 is not a branch target, so we could not have skipped it before executing the next one.
Fixed as 33934252
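The crash analysis above rests on one fact: a `movsbl` into `%esi` followed by `movl (%rsi)` means the "pointer" in `%rsi` is nothing but a sign-extended byte, so the fault address itself tells you which byte was loaded (0x78 is ASCII 'x'). The following C program is an added example written for this page, not code from mutt or from the fix referenced here; it models that instruction pair (including the x86-64 rule that a 32-bit register write zero-extends into the upper half of the 64-bit register, so a negative byte lands at 0xffffff80..0xffffffff rather than at a 64-bit sign-extended address) and uses it as a triage check for any SIGSEGV fault address. The function names and the fault-address sample are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the faulting instruction pair from the core dump:
 *   movsbl (%rbx),%esi   load one byte, sign-extend to 32 bits; the write
 *                        to %esi zero-extends into the upper half of %rsi
 *   movl   (%rsi),%eax   dereference %rsi as a pointer
 * Returns the 64-bit value that ends up in %rsi for a given input byte. */
uint64_t rsi_from_byte(uint8_t b)
{
    int32_t esi = (int8_t)b;          /* movsbl: sign-extend 8 -> 32 bits */
    return (uint64_t)(uint32_t)esi;   /* 32-bit register write zero-extends */
}

/* Triage heuristic: does a SIGSEGV fault address look like a byte that was
 * mistaken for a pointer? Positive bytes show up as addresses 0x01..0x7f,
 * negative bytes as 0xffffff80..0xffffffff. Returns the byte value (0..255)
 * that produces the address, or -1 if no single byte can. A result of 0 is
 * indistinguishable from a plain NULL dereference. */
int byte_behind_fault_addr(uint64_t addr)
{
    for (int b = 0; b < 256; b++)
        if (rsi_from_byte((uint8_t)b) == addr)
            return b;
    return -1;
}

int main(void)
{
    /* Constructed sample: the addr=78 from the ::status output above,
     * plus one address that no sign-extended byte can explain. */
    uint64_t samples[] = { 0x78, 0x7ffe12345678ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int b = byte_behind_fault_addr(samples[i]);
        if (b >= 0)
            printf("fault addr 0x%llx: sign-extended byte 0x%02x ('%c')\n",
                   (unsigned long long)samples[i], b,
                   (b >= 0x20 && b < 0x7f) ? b : '.');
        else
            printf("fault addr 0x%llx: not a byte-as-pointer pattern\n",
                   (unsigned long long)samples[i]);
    }
    return 0;
}
```

When the check reports a byte, the next step is exactly the one taken in the comment above: look for the instruction that loaded that byte into the register later used as a pointer, and confirm it is not a branch target so the two instructions really executed back to back.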
On Solaris-cbe, mutt dumps core when one wants to save a message (s key, followed by =filena) using tab expansion, and that tab expansion leads to more than one possible file.
It works when there is only one file which matches the pattern.