Hi,

thanks for the report. The issue has always been there and had to do
with the width of minicom's window (over 256 columns). I have addressed
this.

Martin, I have pushed this on the 2.8.x branch (8deebed). Please
pick both changes there for the next upload.


Thanks, Adam

On Fri Jun 11, 2021 at 15:29:55 +0100, Mike Crowe wrote:
> Package: minicom
> Version: 2.8-1
> Severity: important
> 
> Steps to reproduce:
> 
> 1. Start Minicom connected to a serial port with MINICOM="-m -c on -8"
> (although I was also able to reproduce the problem with MINICOM="" if the
> keystrokes below are changed appropriately.)
> 
> 2. Cause whatever is connected to emit more than a screenful of text.
>    (Without this, Minicom won't let you enter history mode.)
> 
> 3. Press Alt-B to enter history mode. Press / to search, type something
>    short that doesn't exist in the history and press Enter.
> 
> Expected result:
> 
> Minicom searches for the specified text in the buffer as it always did
> successfully in the Buster version of Minicom.
> 
> Actual result:
> 
>  *** stack smashing detected ***: terminated
> 
> and Minicom exits.
> 
> I tried compiling Minicom from the Debian package source with CC="gcc
> -fsanitize=address" and got:
> 
> =================================================================
> ==3332560==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc81d544e0 at pc 0x556347a102d8 bp 0x7ffc81d54080 sp 0x7ffc81d54078
> WRITE of size 4 at 0x7ffc81d544e0 thread T0
>     #0 0x556347a102d7 in mc_wdrawelm_var ../../src/window.c:1055
>     #1 0x5563479efb65 in find_next ../../src/minicom.c:336
>     #2 0x5563479ec687 in scrollback ../../src/minicom.c:533
>     #3 0x5563479ec687 in main ../../src/minicom.c:1646
>     #4 0x7f0b62d83d09 in __libc_start_main ../csu/libc-start.c:308
>     #5 0x5563479ee6c9 in _start (/overflow/mac/Debian/minicom-2.8/build/src/minicom+0x236c9)
> 
> Address 0x7ffc81d544e0 is located in stack of thread T0 at offset 1056 in frame
>     #0 0x5563479efa0f in find_next ../../src/minicom.c:309
> 
>   This frame has 1 object(s):
>     [32, 1056) 'tmp_line' (line 312) <== Memory access at offset 1056 overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow ../../src/window.c:1055 in mc_wdrawelm_var
> ==3332560==ABORTING
> 
> find_next has:
>  wchar_t tmp_line[MAXCOLS];
> 
> According to gdb inside mc_wdrawelm_var:
> 
> (gdb) p w->x1
> $5 = 0
> (gdb) p w->x2
> $6 = 263
> 
> (other useful stuff like "c" was optimised out.)
> 
> If I add:
> 
>     if (c >= MAXCOLS)
>       abort();
> 
> inside the loop in mc_wdrawelm_var then the process aborts as would be
> expected rather than the sanitizer complaining.
> 
> -- System Information:
> Debian Release: 11.0
>   APT prefers testing-security
>   APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.10.0-6-amd64 (SMP w/32 CPU threads)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages minicom depends on:
> ii  libc6      2.31-12
> ii  libtinfo6  6.2+20201114-2
> 
> Versions of packages minicom recommends:
> ii  lrzsz  0.12.21-10+b1
> 
> minicom suggests no packages.
> 
> -- no debconf information
> 
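The overflow shape the report describes (a copy loop bounded by the window's right edge while the caller sized the buffer by MAXCOLS) beside a version that clamps to the destination capacity, as an added C example that is not minicom's code; `struct win`, the `draw_line_*` functions, `copy_wide_window` and the canary value are constructed stand-ins.

```c
#include <stddef.h>
#include <wchar.h>

#define MAXCOLS 256              /* minicom's fixed per-line buffer width */
#define CANARY ((wchar_t)0x5EED) /* constructed sentinel, not a minicom value */

/* Hypothetical stand-in for the window struct: only the column bounds matter. */
struct win { int x1; int x2; };

/* Shape of the reported bug: the loop runs to the window's right edge (x2),
 * but the caller (find_next) sized the destination by MAXCOLS. With x2 = 263
 * it writes 264 cells into a 256-cell array. Never called here: running it
 * is exactly the stack overflow the sanitizer flagged. */
void draw_line_unbounded(const struct win *w, const wchar_t *src, wchar_t *dst)
{
    for (int c = w->x1; c <= w->x2; c++)
        dst[c - w->x1] = src[c];
}

/* Hardened form: the destination capacity travels with the pointer and the
 * copy is clamped to the smallest of window width, remaining source length
 * and capacity. Returns the number of cells actually written. */
size_t draw_line_bounded(const struct win *w, const wchar_t *src, size_t src_len,
                         wchar_t *dst, size_t dst_len)
{
    if (w->x1 < 0 || w->x2 < w->x1 || (size_t)w->x1 >= src_len)
        return 0;
    size_t n = (size_t)(w->x2 - w->x1 + 1);   /* cells the window wants */
    if (n > src_len - (size_t)w->x1) n = src_len - (size_t)w->x1;
    if (n > dst_len) n = dst_len;
    for (size_t c = 0; c < n; c++)
        dst[c] = src[(size_t)w->x1 + c];
    return n;
}

/* Replays the widths from the report (x1 = 0, x2 = 263 into a MAXCOLS-cell
 * buffer) through the bounded copy. Sets *canary_intact to 1 if the cell
 * just past the buffer was left alone; returns the cells written. */
size_t copy_wide_window(int *canary_intact)
{
    struct win w = { 0, 263 };
    wchar_t src[264];
    for (int i = 0; i < 264; i++)
        src[i] = (wchar_t)(L'A' + (i % 26));
    wchar_t tmp_line[MAXCOLS + 1];
    tmp_line[MAXCOLS] = CANARY;
    size_t n = draw_line_bounded(&w, src, 264, tmp_line, MAXCOLS);
    *canary_intact = (tmp_line[MAXCOLS] == CANARY);
    return n;
}
```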