Path: csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail
From: "Franklin, Jason" <jason.franklin@quoininc.com>
Newsgroups: gnu.bash.bug
Subject: [bug] Segmentation fault in the "fc" builtin
Date: Tue, 5 May 2020 09:21:07 -0400
Organization: Quoin, Inc.
Lines: 110
Approved: bug-bash@gnu.org
Message-ID: <mailman.2131.1588684877.3066.bug-bash@gnu.org>
References: <06953bf8-5526-bb86-b878-2dcf9864acec@quoininc.com>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------D7D5310BFB441150946DC123"
Cc: brandon.pfeifer@quoininc.com
To: bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
Autocrypt: addr=jason.franklin@quoininc.com; keydata= mQGNBF0+/NIBDADgQkZ3EB0NAIDGfkAFDaep9VtVjYV6bfnkUtm4g2VAxMeplvjxAA69cV8h 2n7+HxUB3RnxxkTeKBZY/k/jt0HYAkuCpaYm3fpk8aNCmW8q6qZearU5CwyRgJQMwh2uzA98 otxtt5I2DGLs1vlYulSFgIEaSfv9zEnR8Ss4dNhre4nhiETbG4kA7mZAa7Ot7cc+1wMJDvTe 4ifQ8auIiebGkHUqDiIHZLMgSt0lDoBT653Ohg7+iCqzA/e5/Vzj5zzsCnlfM+bSIpLU5gSR Ea1v1WV9RoNC+DzJJ1kihb/90gtcsYLv6LVw8Orh3G8WNTfLb30Cd68kAPu7At14taw7QFHr 5FsY9jEF41yCl0bvNsGCypiH3qfgepGiP1sGy88jGQCERK5dkfnx6ai3F71fO71UfcGxL2QD fZHu/SeNkE8AaiDOcwIMh+ADXUTUhdMi2/vRblVJHi2vCjo7AsAzVIQOOfwk6QuH8rUSYNwM QK0rcu1yOGids2l8l3ILnrsAEQEAAYkBzgQfAQoAOBYhBLk34UUCiN2a1spDz4f0yAMbCQqR BQJdPwBdFwyAAdOB+DWiI6YMHCQGOWTbFOmj4rTMAgcAAAoJEIf0yAMbCQqRzmwMAIKEa4/a K6O0mcDCdBi/IhyfVdUrupzMDbDLzhHEWjLoXxPpnUlIDyUoktUyPmeODnqJXQ42w5KJCct4 y0R1ezw2EhxATqTVmBHZdkTMJ8pL607/LZz8jqqCoqoJe/BN6U7dxuiMXn5GGc30zDwAWcRI M5VZJPognOWqD1o9bG2rnDoacNtmvbsAd2ZhWOpXKIs+KDRqrx6z2oZtqAoiRXSHJ51VVCKR JwdREOzEF+W+DKueCxCXwrC+Lj40mO2H570MA7ByN/hc0Crcrvbn9mgJOIajG8rraaDv6agG hypugxGcssWe1Ea0l8/NNmKPjnKckCLL3EohYO0i3EijF3u0QE8BZJOS2zaf0XXoj8sbjaba X1KPT3Sw+E10TZtrEc5FKCNSUVuJko9pK80XhdRxGCFkT0+/x3MQwRo5rLvmEwFUsk239Faw N1dhgCuripC5a6aqDZCqX52Zb6K9iRQpukc9zUd50JZkHrRezCnph2iLxMNANgTtHKyQvaR3 K7kBjQRdPv5SAQwA7afFZpuE1kPNtZNI/UqvEHaDY4yTyPUHPzO33QeugNU7etgnI7ghXTg8 dePK/0NltFbmF4E64VgRwBvN3u1h2U5DaH4SPcWAzR84MP5lwmaqfKBkuMq7NBngjl2O9RBb H4r7ewTKYZ2tmAkfYY+tUmn1TcpiLiL95YmibbJuiZSHZOAt7J8yZHNXrqXGmzeD2N7UzaVD 6eB8IePphHLgEjCXUREi6j3p53VWEoNXC+q0Lk5m5BJl7G0+JO5PzjtW4ve1/X4bYIEvWF0q 0Asuuk+DIdI+tmHmdGXALdAMXprC2DPObiXIneBgxkhRdNDM5CpJ14AtYbg9ol+8K6d5T3pw tSYoN9Yx4Wlsq+Y+go5D5zf27ZZg8Gm7OXBXtxI3OjcT+J4ITemaj7ZsgQ6vN14K6F3KXzAp Q4xjZcuHsiOdZIPiFW0jZDW/LdjFXZQLO7GAz1a88KmyFYvaK9ayBsn9eZ72at09625rkC7P 9eS3eUGvIyGwLclEMwD8WXxLABEBAAGJA3IEGAEKACYWIQS5N+FFAojdmtbKQ8+H9MgDGwkK kQUCXT7+UgIbAgUJA8JnAAHACRCH9MgDGwkKkcD0IAQZAQoAHRYhBMI/x2WtxyycbFiDM+Vf dRMWo0OwBQJdPv5SAAoJEOVfdRMWo0OwFMIMANSsD05P8GmbJnv8ZzYoGCAQ8zP2TGPB5R3s W4Ra1eJO1Ao1AHMLmUTWlyehv+1Mq+tgnYE05J4W/Da48RLmt8aOotlR4sh6YFynOWksbrCD 7lSz81/GtO8Bw1ToYkO+fFHRjHcDdoiu1mYv8iFPfaZKoCFIettu6ZZFA9xt90xsKnMw9qoZ 55KKGHhyiebuTDcAIBW8bLI/S/nBmN7x+xO0DAMKz8qwIe9lLW+A8Y4mUcSCUxLFKKmic1nj pi/4uE2EsN10n8euReIh09pMIuGVNjJewBvALN+Z3mNDSdrttjE0/31m+h0Oxh3WYNd9cbGG FjIf2GCqkxxRX4PYxiW/90B3Wtv+vco3yhbForWggXxZ4m0QwsG1F/8DiydWVgmH1G+W3xgv Kj1LUSSPzGjmanVdHI2Hpn1HZZ6MAYTZvnv05bqZ1c4nlL0DbqW4F8mKAgp40hfcXUuMuaEt km/iZfn2IvwqeL54cOyX5FmzoffAphoSwrE3eB0vtk9XMrZvDACYucq8yNMSUw8XvExdYpTI IgDxNbNo4e4XrwzAkgFNhTplUKN4Ul1XctE9GkppplqVehzh7PvoBOYPGn/eHncid2mcXjgh yBw5cNvZKbt11ahBpjpKNN3LLPZVTQ10u8NPQQBSPX8kPQE/909Qe17yeMsX9HZgQ5x+Eumi XymeJGkCtlWvWj93COVxrO0+LmZRj1LHxWiyTsBx0iR8fwN6igvEvKZXbZikXCfBtJa6sXTp kcF2KjicPB83Xmmf0HLJhDNirfql2D/CpnfeJrzb+Pc8EEtahK/ylCmXmqhIlo12NHScIvzR M/+O15fNKHtn51FVGLpoQwC94/j60/Bjkg72pReQRg4498QMuwh2L0de45qr30KnepTUAQD/ 19wPkBaIX7Q7Ar0Qitta/s3kZtF/yzewstEDc752RLhzBKplnbVqspioP5AT6YvNJW+0pylm RZ375vh+YeS/U3LFg1Ldi21oXkDSyc5tMCS03o2lvTf1cRFLkP+VlfYz1yi5AY0EXT7+ggEM AM0WCBqJF5UMLMJzHBbvDj3P3/TILSJ2FdBv5XB5uociwrYJfKi3iRNf5KehVl964RvhH+qO 7lruTcDiI5WJqxvFcJVNuJ//JJ6e4JUfi3yMy9LrF7W6C8w0I32pStvPPkBQt0GXUNrehlkW KBJTxN/IS33SDFYeRl+Izbhg9muQUg2VweKo13ChYVuLsJhyz4a4zWwrZWrPY6WSDh+q8edT txDl+MIh0hO1Xgp6IxdjRuIrZH8CHfq0bX5hErZz1aJg6eGo4TvE4l2mSJhMgoM0NAYJc0W2 uE++362eADCa+NpkQwwYOd90fbDDkyDgnIQRHCGO0oWacyJhKpmdp/8oa7u1IZQbLIhaY7PP //284cg+Au/5IjgQXNJIXpXtmRrmNTOyvYx8vw7qr/0JMwjj/xW10vbfuhT8QPQKSOiW55Hw Sp2VJLXj6N1K2LvX3AQ1+eJEbrKNLOiN+2GKf56mocAcHvhk5gapa90WnXuihPR/ePZC5d0q 70r69QuoIwARAQABiQG8BBgBCgAmFiEEuTfhRQKI3ZrWykPPh/TIAxsJCpEFAl0+/oICGwwF CQPCZwAACgkQh/TIAxsJCpGNxQv+IrK6w/exEwK1xD33w+X10J9S1BFvTulYKPIkAGhYgG9v varxirevTx2Tq5KdV4cGW28u69gJtQBSXSK0gzdti/JSkVNXQWNAibI72UVP8QPF8FXe5V8M caaz1h9ZjUTOvJpabYqXd7jb6Je/q0f3HrDJdXKEBPVnGWv4IbLI0wZJXU1NlSODLqwiGA33 s9BN22phU1tBRUsJhXnhmVYWvHhRaNq/hsbj8GQbQym25LONHlcChe45ptWkrtnaR0New3L6 4CRwZHCs/3EkTA9qbeeXxM3f6zCtSN7Gk2VJyGaRiOOlaRNPcjrQa9YQAIiJ/mPxLTZ7nUiD NDIlzys55GT7NcKP98uTmB4YOqmnpDGuPJVy1+yglj6Li3TfQ4lw8xtcHsyKh32hCqaTB/NZ 5b/7GrmWSzVDdU+VS2dqHbgbMUp4zLTxmMrXJX1qzqW/6OeblfosRZLt2uWV7X+mDidg7ucd AdlsPF403hhWS8JgqXXkPCftW5sFQ72DY2Re
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
Content-Language: en-US
Received-SPF: permerror client-ip=2607:f8b0:4864:20::729; envelope-from=jason.franklin@quoininc.com; helo=mail-qk1-x729.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
X-Mailman-Original-Message-ID: <06953bf8-5526-bb86-b878-2dcf9864acec@quoininc.com>
Xref: csiph.com gnu.bash.bug:16281

This is a multi-part message in MIME format.
--------------D7D5310BFB441150946DC123
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Greetings:

Yesterday, I encountered a segmentation fault when using the "fc"
builtin command.  I cloned the Bash source code from GNU Savannah, and I
verified that the bug is still present in the latest commits to the
master and devel branches (the work below applies to "devel").

To reproduce...

  $ bash --norc
  $ fc -0
  Segmentation fault (core dumped)

I worked with a colleague during our lunch break to track down the issue
with GDB.  We created a minimal patch (attached) that fixes the problem.

Allow me to explain the reasoning behind the patch...

>From the CHANGES file, we see this note concerning the "fc" builtin:

  b.  The fc builtin now interprets -0 as the current command line.

This tells us the intention of the "-0" option, and, indeed, we can see
in the fc_gethnum() function that this intention is programmed in as we
would expect.  See the excerpt below.

   566	      if (n < 0)
   567		{
   568		  n += i + 1;
   569		  return (n < 0 ? 0 : n);
   570		}
   571	      else if (n == 0)
   572		return ((sign == -1) ? real_last : i);
   573	      else
   574		{
   575		  n -= history_base;
   576		  return (i < n ? i : n);
   577		}

So, fc_gethnum() returns real_last when "-0" is passed in.  This is a
problem (solved in the patch) because the last history item (the current
command) is removed when editing so that hlist[real_last] is NULL.  The
segfault occurs at this call

   420	      fprintf (stream, "%s\n", histline (i));

because "i" is real_last, which has been removed.

Our solution does not remove the last history item when the user passes
"-0" to tell "fc" to include it in the history and the list to edit.

Note that we don't make any sweeping changes to the code, we simply
avoid the segfault.  This is because the intent of this option isn't
documented officially in the "help" output, so we don't want to make any
assumptions beyond what is already in the code.

There are some edge cases that could be addressed and some regions of
code that could be refactored to improve the robustness of "fc", but the
main priority in our eyes was fixing the segfault.  It would for
example, be nice to add a test to prove that the problem remains fixed
into the future.

I worked in tandem with my colleague, Brandon Pfeifer, to track down and
fix this issue.  He deserves equal credit.  If you decide to include the
patch, please credit us in your changelog as report and patch by Jason
Franklin <jason.franklin@quoininc.com> and Brandon Pfeifer
<brandon.pfeifer@quoininc.com>.

Thanks in advance for considering this change!

-- 
Jason Franklin



--------------D7D5310BFB441150946DC123
Content-Type: text/x-patch; charset=UTF-8;
 name="fc_fix.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="fc_fix.patch"

diff --git a/builtins/fc.def b/builtins/fc.def
index 6951a687..ba7c47bf 100644
--- a/builtins/fc.def
+++ b/builtins/fc.def
@@ -354,8 +354,10 @@ fc_builtin (list)
     }
=20
   /* "When not listing, the fc command that caused the editing shall not=
 be
-     entered into the history list." */
-  if (listing =3D=3D 0 && hist_last_line_added)
+     entered into the history list."  However, if the user passed "-0", =
then
+     histend will have been set to real_last above.  This means the user=
 wants
+     to include the current command, so we do not remove it here. */
+  if (listing =3D=3D 0 && hist_last_line_added && histend < real_last)
     {
       bash_delete_last_history ();
       /* If we're editing a single command -- the last command in the

--------------D7D5310BFB441150946DC123--