[Toybox] Two bugs in tail toy

luckboy at vp.pl luckboy at vp.pl
Tue Oct 28 16:36:42 PDT 2014


On 28.10.2014 at 22:50, Rob Landley wrote:
> On 10/28/14 14:54, luckboy at vp.pl wrote:
>> On 28.10.2014 at 01:22, Rob Landley wrote:
>>> On 10/27/14 05:21, luckboy at vp.pl wrote:
>>>> I am writing to you again because I found two bugs in the tail toy and
>>>> wrote to you about these bugs, and you didn't reply to me.
>>> Sorry, a little overwhelmed with todo item backlog. (And spent the whole
>>> weekend working on sed...)
>> I understand it.
>>>> These bugs:
>>>> The first bug is that tail added a random character to the end of stdout
>>>> when it read from stdin.
>>> It's a little non-obvious from staring at it which change fixes which
>>> bug, and I got distracted actually testing the result because in commit
>>> 1523 (back on the 14th) I broke loopfiles subtly (the test for "are we
>>> in read only mode" was confused by O_CLOEXEC so it was using stdout
>>> instead of stdin, which broke simple stuff like _cat_ and I didn't
>>> notice for a bit. My bad. I'd wondered why aboriginal stopped building
>>> but hadn't had time to track it down this weekend due to banging on sed.)
>>>
>>>> The second bug is a segmentation fault for 'tail -c 10' on big data from
>>>> stdin.
>>> Indeed, a use after free error looks like. Good catch, thanks.
>>>
>>> That part I understand. It's the added random character I'm not seeing,
>>> and I don't understand what the orig_len change is doing?
> ...
>> I found a perfect way to reproduce this bug:
>>
>> seq 1 4096 | ./toybox tail
>>
>> Example output:
>>
>> 4087
>> 4088
>> 4089
>> 4090
>> 4091
>> 4092
>> 4093
>> 4094
>> 4095
>> 4096
>> 8
>>
>> The last character is printed without a newline.
> $ ./toybox seq 1 4096 | ./toybox tail | ./toybox od -t x1
> 0000000 34 30 38 37 0a 34 30 38 38 0a 34 30 38 39 0a 34
> 0000020 30 39 30 0a 34 30 39 31 0a 34 30 39 32 0a 34 30
> 0000040 39 33 0a 34 30 39 34 0a 34 30 39 35 0a 34 30 39
> 0000060 36 0a
> 0000062
>
> I'm still not seeing it. That's make defconfig against a clean checkout.
>
> What build environment are you using?
I see that this bug is fixed by commit 
http://www.landley.net/hg/toybox/rev/1d996b0a11c0.

Maybe you can't reproduce this bug because it has already been fixed.

>
> Rob