Hello community,

here is the log from the commit of package rxvt-unicode for openSUSE:Factory 
checked in at 2020-11-29 12:27:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rxvt-unicode (Old)
 and      /work/SRC/openSUSE:Factory/.rxvt-unicode.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rxvt-unicode"

Sun Nov 29 12:27:47 2020 rev:36 rq:851138 version:9.22

Changes:
--------
--- /work/SRC/openSUSE:Factory/rxvt-unicode/rxvt-unicode.changes        
2018-04-13 12:50:25.178140643 +0200
+++ /work/SRC/openSUSE:Factory/.rxvt-unicode.new.5913/rxvt-unicode.changes      
2020-11-29 12:27:49.885965958 +0100
@@ -1,0 +2,6 @@
+Thu Nov 26 14:25:58 UTC 2020 - Marcus Hüwe <suse-...@gmx.de>
+
+- add rxvt-unicode-9.22-perl_environ_segfault.patch to avoid a
+  segfault when closing urxvt
+
+-------------------------------------------------------------------
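Review bot: the changelog entry names rxvt-unicode-9.22-perl_environ_segfault.patch but does not say whether the fix was sent upstream or reference a bug report; adding an upstream or bugzilla reference next to the patch name would tell a future maintainer when the patch can be dropped on a version update.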

New:
----
  rxvt-unicode-9.22-perl_environ_segfault.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rxvt-unicode.spec ++++++
--- /var/tmp/diff_new_pack.WsK5NA/_old  2020-11-29 12:27:50.517966598 +0100
+++ /var/tmp/diff_new_pack.WsK5NA/_new  2020-11-29 12:27:50.521966602 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rxvt-unicode
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,6 +40,7 @@
 Patch3:         rxvt-unicode-0001-Prefer-XDG_RUNTIME_DIR-over-the-HOME.patch
 Patch4:         rxvt-unicode-hardening.patch
 Patch5:         rxvt-unicode-secondarywheel.patch
+Patch6:         rxvt-unicode-9.22-perl_environ_segfault.patch
 BuildRequires:  gcc-c++
 BuildRequires:  ncurses-devel
 BuildRequires:  perl
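Review bot: Patch6 is added without a comment line stating its origin and upstream status (the `# PATCH-FIX-UPSTREAM ... -- description` convention used in openSUSE spec files); Patch3 to Patch5 lack one too, but since this patch ships with a full commit message and a Signed-off-by it is the natural place to start, e.g. `# PATCH-FIX-UPSTREAM rxvt-unicode-9.22-perl_environ_segfault.patch -- avoid use-after-free of environ in the perl interp dtor`.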
@@ -72,6 +73,7 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6
 find -type d -name CVS -print0 | xargs -r0 rm -r
 install -m 0644 %{SOURCE2} README.SUSE
 
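Review bot: `%patch6` is applied with the default strip level while `%patch3` to `%patch5` use `-p1`; that is correct for this patch, whose headers are `--- src/rxvtperl.xs.orig` / `+++ src/rxvtperl.xs` with no `a/` or `b/` prefix, but the inconsistency invites someone to "fix" it later, so either add a short comment here or regenerate the patch with a prefix and apply it with `-p1` like its neighbours.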

++++++ rxvt-unicode-9.22-perl_environ_segfault.patch ++++++
Do not segfault when calling perl_destruct from the rxvt_perl_interp dtor

When closing urxvt, a segfault happens:

(gdb) run 
Starting program: /usr/bin/urxvt 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[Detaching after fork from child process 12209]

Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7ffff7a6daf8 "RL_DESTRUCT_LEVEL", name@entry=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at getenv.c:84
84                if (name_start == ep_start && !strncmp (*ep + 2, name, len)
(gdb) bt
#0  __GI_getenv (name=0x7ffff7a6daf8 "RL_DESTRUCT_LEVEL", name@entry=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at getenv.c:84
#1  0x00007ffff7912523 in Perl_mortal_getenv (str=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at inline.h:2621
#2  perl_destruct (my_perl=0x5555556d1d60) at perl.c:616
#3  0x00005555555a7065 in rxvt_perl_interp::~rxvt_perl_interp (this=<optimized out>, this=<optimized out>) at ./rxvtperl.xs:379
#4  0x00007ffff76cf2c7 in __run_exit_handlers (status=0, listp=0x7ffff7853598 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#5  0x00007ffff76cf470 in __GI_exit (status=<optimized out>) at exit.c:139
#6  0x00007ffff76b7159 in __libc_start_main (main=0x555555581f00 <main(int, char**)>, argc=1, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:348
#7  0x000055555558624e in _start () at ../sysdeps/x86_64/start.S:120
(gdb)

When closing urxvt, the rxvt_term::destroy_cb method is eventually called,
which calls make_current() and afterwards destroys itself ("delete this;").
make_current indirectly assigns "env", which is a member of the rxvt_term
struct, to "environ". When calling the rxvt_term::~rxvt_term destructor,
the "env" member is explicitly destroyed ("delete [] env;"). Consequently,
"environ" points to freed memory.
Eventually, the rxvt_perl_interp::~rxvt_perl_interp dtor is called, which
calls perl_destruct(...), which eventually calls getenv(...) (see the
backtrace above). Since getenv dereferences "__environ"/"environ", a use
after free happens.
In order to fix this, we have to ensure that "environ" is not dangling.
From a quick glance at the code, setting "environ" to the "perl_environ"
seems to be a reasonable choice (that's what the other code in rxvtperl.xs
also does).

Version information:
rxvt-unicode-9.22
perl-5.32.0

Signed-off-by: Marcus Huewe <suse-...@gmx.de>
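The lifecycle the commit message describes, replayed as an added example written for this page (not rxvt's own code): `term`, `late_getenv`, the `perl_environ` block and this re-creation of a `localise_env` guard are constructed stand-ins, and the dangling case is detected by address comparison rather than by dereferencing freed memory.

```cpp
#include <cstdlib>
#include <string>

extern char **environ;   // the libc variable that getenv() walks

// RAII guard in the spirit of rxvt's localise_env (hypothetical re-creation):
// point environ at a known-good block for its lifetime, then restore.
struct localise_env {
    char **prev;
    explicit localise_env(char **env) : prev(environ) { environ = env; }
    ~localise_env() { environ = prev; }
};

// Constructed stand-in for rxvt_term: owns an environment block that
// make_current() publishes through environ and the dtor deletes.
static char demo_var[] = "RXVT_DEMO=1";
struct term {
    char **env;
    term() : env(new char *[2]) { env[0] = demo_var; env[1] = nullptr; }
    void make_current() { environ = env; }
    ~term() { delete[] env; }        // environ still points here afterwards
};

// Constructed stand-in for perl_environ: the block perl should actually see.
static char perl_env_var[] = "PERL_DESTRUCT_LEVEL=2";
static char *perl_environ[] = { perl_env_var, nullptr };

// Replays the sequence from the commit message: destroy_cb makes the term
// current and deletes it, then a late (atexit) dtor calls getenv().
// Returns what that getenv() would see.
std::string late_getenv(bool with_fix) {
    char **saved = environ;
    term *t = new term;
    t->make_current();               // environ = t->env
    char **freed_block = t->env;
    delete t;                        // "delete this;" -> environ now dangles
    std::string seen;
    if (with_fix) {
        localise_env set_environ(perl_environ);   // the patched dtor's first line
        const char *v = getenv("PERL_DESTRUCT_LEVEL");
        seen = v ? v : "<unset>";
    } else {
        // The real code calls getenv() here and crashes; only compare addresses.
        seen = (environ == freed_block) ? "<dangling>" : "<unexpected>";
    }
    environ = saved;                 // hand the real environment back
    return seen;
}
```

Running the unfixed path under AddressSanitizer with a real getenv() call in place of the address check reports the same heap-use-after-free the backtrace shows.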
Index: src/rxvtperl.xs
===================================================================
--- src/rxvtperl.xs.orig
+++ src/rxvtperl.xs
@@ -376,6 +376,7 @@ rxvt_perl_interp::~rxvt_perl_interp ()
 {
   if (perl)
     {
+      localise_env set_environ (perl_environ);
       perl_destruct (perl);
       perl_free (perl);
       PERL_SYS_TERM ();
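Review bot: the added guard carries no comment explaining why environ has to be re-pointed before perl_destruct, so it looks redundant next to the existing localise_env uses in rxvtperl.xs; a one-line comment referencing the dangling environ left behind by rxvt_term::~rxvt_term would fix that. Also, if localise_env restores the previous environ when it leaves scope (as its name suggests), the dangling pointer is back after PERL_SYS_TERM (); that is only harmless because this dtor runs from the exit handlers (frame #4 in the backtrace), which is worth stating in the commit message.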
_______________________________________________
openSUSE Commits mailing list -- commit@lists.opensuse.org
To unsubscribe, email commit-le...@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: 
https://lists.opensuse.org/archives/list/commit@lists.opensuse.org