cygwin 2.3.1: '/bin/kill -l 0' dumps core
mkwasigr@web.de
Thu Nov 26 16:29:00 GMT 2015
Hi all,
I have just discovered that the command '/bin/kill -l 0' dumps core, where
bash's built-in does not (well, it just displays 'T'...).
NOTE: the signal spec after dash-ell is the number zero.
Please find the output of cygcheck and the call stack attached to this mail.
Short analysis: kill.cc: main() calls listsig() with the arg "0". getsig()
gets called with the same arg. getsig() builds the string "SIG0" in a local buf
and passes that to strtosigno(), which returns 0.
I then suspect the bug is in line 96 of kill.cc, at the end of getsig():
  if (!intsig && (strcmp (buf, "SIG0") != 0 && (strtol (in_sig, &p, 10) != 0
                  || *p)))
    intsig = -1;
  return intsig;
intsig should be set to -1 either if intsig == 0 or if buf is not "SIG0"
and strtol() returns 0 or fails, so line 96 should read
  if (!intsig || (strcmp (buf, "SIG0") != 0 && (strtol (in_sig, &p, 10) != 0
                  || *p)))
This sets intsig to -1 and returns from getsig().
Without that change, intsig would remain zero, causing the SEGV in listsig()
in line 125, where puts() is called; so another security fix, in strsigno(),
appears to be necessary to avoid calling puts(sys_sigabbrev[0]+3), which
is most likely the cause of the SEGV (I could not find the array's
definition, so I could not verify this).
So line 125
if (signo >= 0 && signo < NSIG)
should rather read
if (signo > 0 && signo < NSIG)
Sorry, but all I can provide is a simple patch (attached); I'm unable
to test it myself.
Thanks and best regards,
- Michael Kwasigroch
Attachments (non-text, scrubbed by the list archive):
  cygcheck.out, application/octet-stream, 63704 bytes:
    http://cygwin.com/pipermail/cygwin/attachments/20151126/84acf8d4/attachment.obj
  kill.exe.stackdump, application/octet-stream, 495 bytes:
    http://cygwin.com/pipermail/cygwin/attachments/20151126/84acf8d4/attachment-0001.obj
  kill.patch, application/octet-stream, 1028 bytes:
    http://cygwin.com/pipermail/cygwin/attachments/20151126/84acf8d4/attachment-0002.obj
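The walk-through in the mail can be exercised without a Cygwin box. What follows is an added example written for this page, not code from Cygwin's kill.cc and not the patch attached to the mail: a small C model of getsig(), strsigno() and the puts() branch of listsig(), built from the excerpts quoted above. The signal table (with a NULL entry at index 0), MODEL_NSIG and every model_* name are constructed assumptions. The model runs the spec "0" beside ordinary specs through both the '&&' condition quoted from line 96 and the '||' condition proposed in the mail, and through both forms of the strsigno() range check, and reports where the real binary would compute NULL + 3 instead of faulting.

```c
/* Added example, not Cygwin code: a stand-alone model of the getsig(),
 * strsigno() and listsig() logic quoted in the mail, written to show why
 * "kill -l 0" reaches puts() with an unusable pointer.  The signal table,
 * MODEL_NSIG and every model_* name are constructed for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_NSIG 16

/* Constructed abbreviation table.  Index 0 is left NULL (assumption:
 * there is no signal 0), so sys_sigabbrev[0] + 3 becomes NULL + 3. */
static const char *const model_sigabbrev[MODEL_NSIG] = {
    [1] = "SIGHUP", [2] = "SIGINT", [9] = "SIGKILL", [15] = "SIGTERM",
};

/* Model of strtosigno(): "SIGNAME" -> number, 0 when the name is unknown. */
static int model_strtosigno(const char *name)
{
    for (int i = 1; i < MODEL_NSIG; i++)
        if (model_sigabbrev[i] && strcmp(model_sigabbrev[i], name) == 0)
            return i;
    return 0;
}

enum cond_variant { COND_ORIGINAL, COND_PROPOSED };

/* Model of getsig(): signal number for a valid spec, 0 for "0", -1 for junk.
 * COND_ORIGINAL is the '&&' test quoted from kill.cc line 96, COND_PROPOSED
 * the '||' test suggested in the mail; everything else is identical. */
int model_getsig(const char *in_sig, enum cond_variant variant)
{
    char buf[80];
    char *p = NULL;
    int intsig;

    /* buf is filled on both paths so the strcmp below never reads junk. */
    if (strncmp(in_sig, "SIG", 3) == 0)
        snprintf(buf, sizeof buf, "%s", in_sig);
    else
        snprintf(buf, sizeof buf, "SIG%.20s", in_sig);

    intsig = model_strtosigno(buf);
    if (!intsig)
        intsig = atoi(in_sig);        /* numeric specs such as "9" */

    int junk = strcmp(buf, "SIG0") != 0
               && (strtol(in_sig, &p, 10) != 0 || *p);
    if (variant == COND_ORIGINAL ? (!intsig && junk) : (!intsig || junk))
        intsig = -1;
    return intsig;
}

/* Model of strsigno(): the '>= 0' range test from line 125 admits index 0;
 * hardened != 0 switches to the '> 0' test proposed in the mail. */
const char *model_strsigno(int signo, int hardened)
{
    int lower_ok = hardened ? signo > 0 : signo >= 0;
    return (lower_ok && signo < MODEL_NSIG) ? model_sigabbrev[signo] : NULL;
}

enum list_result { LIST_OK = 0, LIST_UNKNOWN = 1, LIST_NULL_NAME = 2 };
static char model_text[64];
const char *model_last_text(void) { return model_text; }  /* last "output" */

/* Model of listsig() for one spec.  kill.cc does puts(strsigno(sig) + 3)
 * with no NULL test; the model checks the pointer before offsetting it and
 * reports LIST_NULL_NAME where the real binary faults. */
enum list_result model_listsig(const char *in_sig, enum cond_variant variant,
                               int hardened)
{
    int sig = model_getsig(in_sig, variant);
    if (sig == -1) {
        snprintf(model_text, sizeof model_text, "unknown signal: %s", in_sig);
        return LIST_UNKNOWN;
    }
    const char *name = model_strsigno(sig, hardened);
    if (name == NULL) {
        snprintf(model_text, sizeof model_text, "NULL + 3: SIGSEGV in kill.exe");
        return LIST_NULL_NAME;
    }
    snprintf(model_text, sizeof model_text, "%s", name + 3);   /* strip "SIG" */
    return LIST_OK;
}

int main(void)
{
    static const char *const specs[] = { "0", "TERM", "9", "SIGINT", "bogus" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int st = model_listsig(specs[i], COND_ORIGINAL, 0);
        printf("kill -l %-6s  '&&', '>= 0' -> %d: %s\n", specs[i], st, model_last_text());
        st = model_listsig(specs[i], COND_PROPOSED, 1);
        printf("               '||', '> 0'  -> %d: %s\n", st, model_last_text());
    }
    return 0;
}
```

Under the '&&' condition the model reproduces the walk-through: "0" leaves intsig at 0, the lookup at index 0 comes back NULL, and the unchecked `+ 3` in listsig() is the step that faults. In the model the '||' condition rejects "0", but it also rejects "TERM", "9" and "SIGINT", because its right-hand operand is true for every buf other than "SIG0" whose input is not exactly the digit 0; that is worth checking against the real binary with the attached patch applied before it goes in. Switching strsigno() to `> 0` changes nothing with a NULL entry at index 0, since NULL + 3 is as unusable as the entry itself; the check that actually prevents the fault is testing strsigno()'s return before adding 3.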