Ticket #3582 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

[PATCH] fix infopanel buffer overflow

Reported by: and Owned by: andrew_b
Priority: major Milestone: 4.8.16
Component: mc-core Version: master
Keywords: Cc:
Blocked By: Blocking:
Branch state: merged Votes for changeset: committed-master

Description

when using infopanel (C-x i) on a file that got deleted right now
buffer overflow occurs.

==13429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000031c48 at pc 0x0000005fd41b bp 0x7ffca3f466c0 sp 0x7ffca3f466b8
WRITE of size 4 at 0x607000031c48 thread T0
    #0 0x5fd41a in dirsize_status_deinit_cb /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:2557:24
    #1 0x7f333f2bda2f in status_msg_deinit /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/wtools.c:619:9
    #2 0x602fe3 in panel_operate_init_totals /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:1352:9
    #3 0x5fe784 in panel_operate /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:2840:13
    #4 0x528328 in copy_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/cmd.c:797:9
    #5 0x528328 in midnight_execute_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1139
    #6 0x7f333f291949 in buttonbar_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/buttonbar.c:172:42
    #7 0x7f333f296245 in send_message /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:167:15
    #8 0x7f333f296245 in dlg_try_hotkey /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:464
    #9 0x7f333f296245 in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:509
    #10 0x7f333f296245 in dlg_process_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1236
    #11 0x7f333f2979c7 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:570:9
    #12 0x7f333f296565 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1267:5
    #13 0x4fc7b8 in create_panels_and_run_mc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:954:5
    #14 0x4fc7b8 in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1757
    #15 0x4fc7b8 in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:401
    #16 0x7f333d7fc953 in __libc_start_main (/lib64/libc.so.6+0x20953)
    #17 0x4270e8 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/.libs/mc+0x4270e8)

attached patch works for me (TM) but I don't know why WPanel is invalid in this case.
Maybe it is only a workaround for a hidden root cause.

Attachments

mc-3582-fix-infopanel-overflow.patch (2.9 KB) - added by and 4 years ago.

Change History

Changed 4 years ago by and

comment:1 in reply to: ↑ description Changed 4 years ago by andrew_b

Replying to and:

when using infopanel (C-x i) on a file that got deleted right now

    #4 0x528328 in copy_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/cmd.c:797:9

How delete and copy are related?

comment:2 Changed 4 years ago by and

it was from a not so simple testcase,
here the right dump from delete action when infopanel enabled

==22509==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700001e928 at pc 0x0000005feeaf bp 0x7ffc82225f40 sp 0x7ffc82225f38
WRITE of size 4 at 0x60700001e928 thread T0
    #0 0x5feeae in dirsize_status_deinit_cb /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:2557:24
    #1 0x7f1bf22317ff in status_msg_deinit /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/wtools.c:619:9
    #2 0x601e0d in panel_operate_init_totals /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:1352:9
    #3 0x600b3c in panel_operate /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/file.c:2840:13
    #4 0x5ee53e in delete_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/cmd.c:904:9
    #5 0x52807f in midnight_execute_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1161:9
    #6 0x7f1bf2205309 in buttonbar_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/buttonbar.c:172:42
    #7 0x7f1bf220b47c in dlg_try_hotkey /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:464:23
    #8 0x7f1bf220a770 in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:509:19
    #9 0x7f1bf220ac32 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:570:9
    #10 0x7f1bf220a935 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1267:5
    #11 0x52652d in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1757:9
    #12 0x4f7d3a in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:401:21
    #13 0x7f1bf0776953 in __libc_start_main (/lib64/libc.so.6+0x20953)
    #14 0x427318 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/.libs/mc+0x427318)

comment:3 in reply to: ↑ description Changed 4 years ago by andrew_b

  • Owner set to andrew_b
  • Status changed from new to accepted
  • Branch state changed from no branch to on review

Replying to and:

attached patch works for me (TM) but I don't know why WPanel is invalid in this case.

Patch is ok because only file list panel has dirty flag.

Branch: 3582_info_panel_buffer_overflow
changeset:30b6888fcc7e92793c5f831e81ea98cfd8187d7a

comment:4 Changed 4 years ago by andrew_b

  • Votes for changeset set to andrew_b
  • Branch state changed from on review to approved

comment:5 Changed 4 years ago by andrew_b

  • Status changed from accepted to testing
  • Votes for changeset changed from andrew_b to committed-master
  • Resolution set to fixed
  • Branch state changed from approved to merged

comment:6 Changed 4 years ago by andrew_b

  • Status changed from testing to closed
Note: See TracTickets for help on using tickets.