Bug#972286: coreutils: Crash when using globs on a path with non-latin characters

[Bernhard Übelacker]

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security -Wall
uname output: Linux debian 5.9.0-1-amd64 #1 SMP Debian 5.9.1-1 (2020-10-17) 
x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 0
Release Status: rc1



Description:

Dear Maintainer,
I tried to collect some more information for the bug described in [1]
and could reproduce the crash just by repeating the given commands
in a minimal debian testing qemu VM. Backtrace in [2].
The last bash version where the crash did not manifest was bash_5.0-7.

In #972672 the last message mentions also wdequote_pathname and
wcsrtombs, therefore I guess this might be related.

As wcsrtombs[3] is specified to set under certain circumstances *src to 
NULL,
I assume in this line [4] wpathname should not get dereferenced, or
at least just after being checked for a non-NULL value.

Kind regards,
Bernhard


Repeat-By:
mkdir ~/ಇಳಿಕೆಗಳು
touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
ls ~/ಇಳಿಕೆಗಳು/*.txt


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972286

[2]
(rr) bt
#0  0x5575f65a24fb in wdequote_pathname 
(pathname=pathname@entry=0x5575f798b870 "/home/benutzer/ಇಳಿಕೆಗಳು/") at 
../../.././lib/glob/glob.c:487
#1  0x5575f65a30eb in dequote_pathname (pathname=0x5575f798b870 
"/home/benutzer/ಇಳಿಕೆಗಳು/") at ../../.././lib/glob/glob.c:504
#2  glob_filename (pathname=pathname@entry=0x5575f7a733e0 
"/\\h\\o\\m\\e/\\b\\e\\n\\u\\t\\z\\e\\r/ಇಳಿಕೆಗಳು/*.txt", flags=0) at 
../../.././lib/glob/glob.c:1466
#3  0x5575f656dc2d in shell_glob_filename (pathname=, 
qflags=qflags@entry=8) at .././pathexp.c:470
#4  0x5575f655b3e6 in glob_expand_word_list (tlist=0x5575f7a62c20, 
eflags=31) at .././subst.c:11383
#5  0x5575f6568685 in expand_word_list_internal (eflags=31, 
list=) at .././subst.c:11983
#6  expand_words (list=) at .././subst.c:11331
#7  0x5575f653a5f3 in execute_simple_command 
(fds_to_close=0x5575f7a73280, async=0, pipe_out=-1, pipe_in=-1, 
simple_command=) at .././execute_cmd.c:4377
#8  execute_command_internal (command=0x5575f79af5c0, 
asynchronous=, pipe_in=-1, pipe_out=, 
fds_to_close=0x5575f7a73280) at .././execute_cmd.c:846
#9  0x5575f653b865 in execute_command (command=0x5575f79af5c0) at 
.././execute_cmd.c:395
#10 0x5575f65219db in reader_loop () at .././eval.c:170
#11 0x5575f6520668 in main (argc=1, argv=0x7ffc8d1bfda8, 
env=0x7ffc8d1bfdb8) at .././shell.c:811

[3] https://man7.org/linux/man-pages/man3/wcsrtombs.3.html

[4] https://sources.debian.org/src/bash/5.1%7Erc1-2/lib/glob/glob.c/#L487


# Bullseye/testing amd64 qemu VM 2020-10-30


apt update
apt dist-upgrade


apt install systemd-coredump mc htop psmisc net-tools gdb bash-dbgsym
apt build-dep bash

# for current rr
apt install systemd-coredump mc htop sshfs libcapnp-dev gdb
echo 1 > /proc/sys/kernel/perf_event_paranoid
mkdir -p /home/bernhard/data/entwicklung/2020/rr
sshfs -o allow_other,uid=1000,gid=1000 
bernhard@192.168.178.25:/home/bernhard/data/entwicklung/2020/rr 
/home/bernhard/data/entwicklung/2020/rr




mkdir /home/benutzer/source/bash/orig -p
cd/home/benutzer/source/bash/orig
apt source bash
cd

mkdir /home/benutzer/source/libc6/orig -p
cd/home/benutzer/source/libc6/orig
apt source libc6
cd



dpkg-reconfigure locales
# add kn_IN.UTF-8


export LANG=kn_IN.UTF-8

mkdir ~/ಇಳಿಕೆಗಳು
touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
ls ~/ಇಳಿಕೆಗಳು/*.txt

benutzer@debian:~$ mkdir ~/ಇಳಿಕೆಗಳು
benutzer@debian:~$ touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
benutzer@debian:~$ ls ~/ಇಳಿಕೆಗಳು/*.txt
Connection to 127.0.254.89 closed.




journalctl -e
Okt 30 16:57:24 debian systemd[1]: Started Process Core Dump (PID 3129/UID 0).
Okt 30 16:57:24 debian sshd[2240]: Received disconnect from 10.0.2.2 port 
41368:11: disconnected by user
Okt 30 16:57:24 debian sshd[2240]: Disconnected from user benutzer 10.0.2.2 
port 41368
Okt 30 16:57:24 debian systemd[1]: session-3.scope: Succeeded.
Okt 30 16:57:24 debian sshd[2234]: pam_unix(sshd:session): session closed for 
user benutzer
Okt 30 16:57:24 debian systemd-logind[417]: Session 3 logged out. Waiting for 
processes to exit.
Okt 30 16:57:24 debian systemd-logind[417]: Removed session 3.
Okt 30 16:57:24 debian systemd-coredump[3130]: Process 2241 (bash) of user 1000 
dumped core.
   
   Stack trace of thread 2241:
   #0  0x7fdfef00afe7 kill 
(libc.so.6 + 0x3bfe7)
   #1  0x560e12312776 n/a (bash 
+ 0x7f776)
   #2  0x560e12312961 
termsig_sighandler (bash + 0x7f961)
   #3  0x7fdfef00acc0 n/a 
(libc.so.6 + 0x3bcc0)
   

Bug#972286: coreutils: Crash when using globs on a path with non-latin characters

[Chet Ramey]

On 10/30/20 1:41 PM, Bernhard Übelacker wrote:

> Bash Version: 5.1
> Patch Level: 0
> Release Status: rc1
> 
> 
> 
> Description:
> 
> Dear Maintainer,
> I tried to collect some more information for the bug described in [1]
> and could reproduce the crash just by repeating the given commands
> in a minimal debian testing qemu VM. Backtrace in [2].
> The last bash version where the crash did not manifest was bash_5.0-7.
> 
> In #972672 the last message mentions also wdequote_pathname and
> wcsrtombs, therefore I guess this might be related.
> 
> As wcsrtombs[3] is specified to set under certain circumstances *src to 
> NULL,
> I assume in this line [4] wpathname should not get dereferenced, or
> at least just after being checked for a non-NULL value.

Thanks for the report and the pointer to a fix.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/

Bug#972286: coreutils: Crash when using globs on a path with non-latin characters

[ಚಿರಾಗ್ ನಟರಾಜ್]

15/10/20 17:29 ನಲ್ಲಿ, Michael Stone  ಬರೆದರು:
> 
> On Thu, Oct 15, 2020 at 04:28:35PM -0400, you wrote:
> >Steps to reproduce:
> >
> >1. mkdir ~/ಇಳಿಕೆಗಳು
> >2. touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
> >3. ls ~/ಇಳಿಕೆಗಳು/*.txt crashes immediately
> >
> >By contrast:
> >
> >1. cd ~/ಇಳಿಕೆಗಳು/ && ls *.txt succeeds
> >2. ls ಇಳಿಕೆಗಳು/*.txt succeeds
> >
> >Similarly, `cp ~/ಇಳಿಕೆಗಳು/*.txt .` crashes, but `cp ಇಳಿಕೆಗಳು/*.txt .` works, 
> >as does `cd ಇಳಿಕೆಗಳು && cp *.txt ~`.
> >
> >Please let me know if you need more information.
> 
> coreutils doesn't have anything to do with expanding a shell wildcard,
> the bug needs to be assigned to whatever shell you're using.

Got it, I'll submit this to bash (verified that it's a shell problem by testing 
with a different shell).


publickey - debbugs@chiraag.me.asc.pgp
Description: application/pgp-key


signature.asc
Description: OpenPGP digital signature

Bug#972286: coreutils: Crash when using globs on a path with non-latin characters

[Michael Stone]

On Thu, Oct 15, 2020 at 04:28:35PM -0400, you wrote:

Steps to reproduce:

1. mkdir ~/ಇಳಿಕೆಗಳು
2. touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
3. ls ~/ಇಳಿಕೆಗಳು/*.txt crashes immediately

By contrast:

1. cd ~/ಇಳಿಕೆಗಳು/ && ls *.txt succeeds
2. ls ಇಳಿಕೆಗಳು/*.txt succeeds

Similarly, `cp ~/ಇಳಿಕೆಗಳು/*.txt .` crashes, but `cp ಇಳಿಕೆಗಳು/*.txt .` works, as does 
`cd ಇಳಿಕೆಗಳು && cp *.txt ~`.

Please let me know if you need more information.


coreutils doesn't have anything to do with expanding a shell wildcard, 
the bug needs to be assigned to whatever shell you're using.

Bug#972286: coreutils: Crash when using globs on a path with non-latin characters

[ಚಿರಾಗ್ ನಟರಾಜ್]

Package: coreutils
Version: 8.32-4+b1
Severity: important
Tags: l10n
X-Debbugs-Cc: debb...@chiraag.me

Dear Maintainer,

Steps to reproduce:

1. mkdir ~/ಇಳಿಕೆಗಳು
2. touch ~/ಇಳಿಕೆಗಳು/{a,b}.txt
3. ls ~/ಇಳಿಕೆಗಳು/*.txt crashes immediately

By contrast:

1. cd ~/ಇಳಿಕೆಗಳು/ && ls *.txt succeeds
2. ls ಇಳಿಕೆಗಳು/*.txt succeeds

Similarly, `cp ~/ಇಳಿಕೆಗಳು/*.txt .` crashes, but `cp ಇಳಿಕೆಗಳು/*.txt .` works, as 
does `cd ಇಳಿಕೆಗಳು && cp *.txt ~`.

Please let me know if you need more information.

- Chiraag

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=kn_IN.UTF-8, LC_CTYPE=kn_IN.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages coreutils depends on:
ii  libacl1  2.2.53-8
ii  libattr1 1:2.4.48-5
ii  libc62.31-4
ii  libgmp10 2:6.2.0+dfsg-6
ii  libselinux1  3.1-2+b1

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information