Updated repository urls #15

Closed
tecfu wants to merge 2 commits into Aetf:master from tecfu:master

Conversation

@tecfu

@tecfu tecfu commented Sep 6, 2018

No description provided.

@Aetf
Owner

Aetf commented Sep 6, 2018

Copy from my comment in #14 (comment)

could you update to keep the original README, i.e., creating a new file README.md and mention the old one via a link, like what I've done in libtsm?

@plntyk

plntyk commented Sep 7, 2018

Regarding the documentation about the default install location /usr/local and its usage:

A warning for users that compile software for the first time in the Readme about the default install location, adding that one has to consult their distro documentation and/or change their environment like path for /usr/local/bin and /usr/local/lib - see stackexchange link.
IIRC there should be a warning message at the end of the compilation regarding ldconfig that is responsible for managing loading of shared libraries like libtsm.

@Aetf
Owner

Aetf commented Feb 4, 2022

I'm closing this for now since I don't want to merge this in as-is. I'll update the README when I find time to sit down and revamp the project.

@Aetf Aetf closed this Feb 4, 2022
kdj0c pushed a commit to kdj0c/kmscon that referenced this pull request Feb 3, 2026
bb->prev was only partially initialized.
prev.id was initialized to ID_DAMAGED, but prev.overflow can be set
to true. bbulk_draw() relied on the fact that the last cell of each
row can't have overflow=true.
But because memory is uninitialized it might still be the case, and it can cause a
memory overflow as it uses offset + 1.

Fix both, by clearing the memory before using it, and also
checking that prev->overflow is valid only if it's not the last cell
of the row.

 ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7d50a1437f20 at pc 0x5614ce2b1f57 bp 0x7fff10fa22f0 sp 0x7fff10fa22e8
 WRITE of size 8 at 0x7d50a1437f20 thread T0
     #0 0x5614ce2b1f56 in bbulk_draw (/usr/libexec/kmscon/kmscon+0xaf56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #1 0x7f50a2f4801e in tsm_screen_draw (/lib64/libtsm.so.4+0x201e) (BuildId: 5b178a420946ba2bfe708315fc3a15165481cdf3)
     #2 0x5614ce2cbc56 in do_redraw_screen.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x24c56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #3 0x5614ce2f90de in uterm_drm_display_pflip (/usr/libexec/kmscon/kmscon+0x520de) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #4 0x5614ce2fc2f8 in io_event (/usr/libexec/kmscon/kmscon+0x552f8) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #5 0x5614ce2dd384 in ev_eloop_dispatch (/usr/libexec/kmscon/kmscon+0x36384) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #6 0x5614ce2dec61 in ev_eloop_run (/usr/libexec/kmscon/kmscon+0x37c61) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #7 0x5614ce2ab00a in main (/usr/libexec/kmscon/kmscon+0x400a) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #8 0x7f50a258f680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
     #9 0x7f50a258f797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
     #10 0x5614ce2acdf4 in _start (/usr/libexec/kmscon/kmscon+0x5df4) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
 0x7d50a1437f20 is located 0 bytes after 3744-byte region [0x7d50a1437080,0x7d50a1437f20)
 allocated by thread T0 here:
     #0 0x7f50a28ef43f in malloc (/lib64/libasan.so.8+0xef43f) (BuildId: bcc44ebce5332cebdbad675fd59647503487ab0d)
     #1 0x5614ce2b5c16 in bbulk_set (/usr/libexec/kmscon/kmscon+0xec16) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #2 0x5614ce2b4861 in kmscon_text_set (/usr/libexec/kmscon/kmscon+0xd861) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #3 0x5614ce2ccc18 in font_set.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x25c18) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #4 0x5614ce2ce073 in input_event.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x27073) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #5 0x5614ce2f8c09 in timer_event (/usr/libexec/kmscon/kmscon+0x51c09) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #6 0x5614ce2e1b66 in timer_cb (/usr/libexec/kmscon/kmscon+0x3ab66) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #7 0x5614ce2dd384 in ev_eloop_dispatch (/usr/libexec/kmscon/kmscon+0x36384) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #8 0x5614ce2dec61 in ev_eloop_run (/usr/libexec/kmscon/kmscon+0x37c61) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #9 0x5614ce2ab00a in main (/usr/libexec/kmscon/kmscon+0x400a) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
     #10 0x7f50a258f680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
     #11 0x7f50a258f797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
     #12 0x5614ce2acdf4 in _start (/usr/libexec/kmscon/kmscon+0x5df4) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
 SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/libexec/kmscon/kmscon+0xaf56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68) in bbulk_draw
 Shadow bytes around the buggy address:
   0x7d50a1437c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x7d50a1437d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x7d50a1437d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x7d50a1437e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x7d50a1437e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x7d50a1437f00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
   0x7d50a1437f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x7d50a1438000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x7d50a1438080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x7d50a1438100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   0x7d50a1438180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==11569==ABORTING

Without AddressSanitizer, it can trigger a segfault in bbulk_unset()

 fedora kmscon[8857]: free(): invalid next size (normal)
 fedora systemd-coredump[8938]: Process 8857 (kmscon) of user 0 terminated abnormally with signal 6/ABRT, processing...
 fedora systemd[1]: Started systemd-coredump@3-12289-8938_8939-0.service - Process Core Dump (PID 8938/UID 0).
 fedora systemd-coredump[8939]: Process 8857 (kmscon) of user 0 dumped core.

       Stack trace of thread 8857:
       #0  0x00007f4942f4c98c __pthread_kill_implementation (libc.so.6 + 0x7598c)
       #1  0x00007f4942ef134e raise (libc.so.6 + 0x1a34e)
       #2  0x00007f4942ed87b3 abort (libc.so.6 + 0x17b3)
       #3  0x00007f4942ed9804 __libc_message_impl.cold (libc.so.6 + 0x2804)
       #4  0x00007f4942f56d0c malloc_printerr (libc.so.6 + 0x7fd0c)
       #5  0x00007f4942f586dc _int_free_merge_chunk (libc.so.6 + 0x816dc)
       #6  0x00007f4942f58814 _int_free_chunk (libc.so.6 + 0x81814)
       #7  0x0000564572db28a4 bbulk_unset (/usr/libexec/kmscon/kmscon + 0x38a4)
       #8  0x0000564572db2c9c kmscon_text_unset (/usr/libexec/kmscon/kmscon + 0x3c9c)
       #9  0x0000564572db2e72 kmscon_text_set (/usr/libexec/kmscon/kmscon + 0x3e72)
       #10 0x0000564572dba7d3 font_set (/usr/libexec/kmscon/kmscon + 0xb7d3)
       #11 0x0000564572dbaffd input_event (/usr/libexec/kmscon/kmscon + 0xbffd)
       #12 0x0000564572dbf0dd timer_event (/usr/libexec/kmscon/kmscon + 0x100dd)
       #13 0x0000564572dc2a77 ev_eloop_dispatch (/usr/libexec/kmscon/kmscon + 0x13a77)
       #14 0x0000564572dc3143 ev_eloop_run (/usr/libexec/kmscon/kmscon + 0x14143)
       #15 0x0000564572db1623 main (/usr/libexec/kmscon/kmscon + 0x2623)
       #16 0x00007f4942eda681 __libc_start_call_main (libc.so.6 + 0x3681)
       #17 0x00007f4942eda798 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3798)
       #18 0x0000564572db2335 _start (/usr/libexec/kmscon/kmscon + 0x3335)

Signed-off-by: Jocelyn Falempe <[email protected]>
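The commit message above describes two independent defects: a buffer whose `overflow` flags are never initialised, and a draw loop that trusts the flag on the last cell of a row and so touches `offset + 1`, which for the last row is one element past the allocation (the 8-byte write "0 bytes after" the region in the ASan report). The following C model is an added example written for this page; it is not kmscon's code and not part of the commit. The `struct cell`, `struct bulk`, `ID_DAMAGED` and every function name are assumptions chosen to mirror the description, and the 0xff fill stands in for stale heap contents because reading genuinely uninitialised memory is undefined behaviour. The audit function only computes which index the draw path would touch and classifies it, so both halves of the fix can be checked without ever performing the out-of-bounds access.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the per-cell bookkeeping the commit describes.
 * Names and layout are assumptions for this example, not kmscon's actual types. */
#define ID_DAMAGED 0u

struct cell {
    uint32_t id;             /* glyph id last drawn here; ID_DAMAGED means "redraw" */
    unsigned char overflow;  /* non-zero: wide glyph also covers the next cell */
};

struct bulk {
    unsigned cols, rows;
    struct cell *prev;       /* rows * cols entries */
};

/* Bug pattern: malloc() plus setting only .id leaves .overflow holding whatever the heap
 * held. The memset(0xff) is a constructed stand-in for that stale content. */
static int bulk_init_partial(struct bulk *bb, unsigned cols, unsigned rows)
{
    size_t n = (size_t)cols * rows;
    bb->prev = malloc(n * sizeof(*bb->prev));
    if (!bb->prev)
        return -1;
    memset(bb->prev, 0xff, n * sizeof(*bb->prev));  /* simulated stale heap bytes */
    for (size_t i = 0; i < n; i++)
        bb->prev[i].id = ID_DAMAGED;                 /* .overflow is never touched */
    bb->cols = cols;
    bb->rows = rows;
    return 0;
}

/* First half of the fix: clear the allocation before use so every .overflow starts at 0. */
static int bulk_init_zeroed(struct bulk *bb, unsigned cols, unsigned rows)
{
    size_t n = (size_t)cols * rows;
    bb->prev = calloc(n, sizeof(*bb->prev));
    if (!bb->prev)
        return -1;
    for (size_t i = 0; i < n; i++)
        bb->prev[i].id = ID_DAMAGED;
    bb->cols = cols;
    bb->rows = rows;
    return 0;
}

static void bulk_free(struct bulk *bb)
{
    free(bb->prev);
    bb->prev = NULL;
}

/* Index of the neighbour the draw path would also touch for cell (row, col), or -1.
 * Unguarded: trusts .overflow unconditionally, i.e. assumes the last cell of a row
 * never has it set, which is exactly the assumption the commit says was violated. */
static long neighbour_unguarded(const struct bulk *bb, unsigned row, unsigned col)
{
    unsigned offset = row * bb->cols + col;
    return bb->prev[offset].overflow ? (long)offset + 1 : -1;
}

/* Second half of the fix: .overflow only counts when this is not the last cell of the
 * row, so offset + 1 can never leave the row, let alone the allocation. */
static long neighbour_guarded(const struct bulk *bb, unsigned row, unsigned col)
{
    unsigned offset = row * bb->cols + col;
    unsigned last_in_row = (col + 1 == bb->cols);
    return (!last_in_row && bb->prev[offset].overflow) ? (long)offset + 1 : -1;
}

struct audit {
    unsigned cross_row;  /* neighbour lands in the next row: wrong cell, silent corruption */
    unsigned past_end;   /* neighbour lands past rows*cols: the heap-buffer-overflow ASan saw */
};

/* Dry-run the neighbour computation for every cell and classify the index it would
 * touch, without performing the access itself. */
static struct audit audit_neighbours(const struct bulk *bb, int guarded)
{
    struct audit a = {0, 0};
    unsigned long total = (unsigned long)bb->rows * bb->cols;
    for (unsigned row = 0; row < bb->rows; row++) {
        for (unsigned col = 0; col < bb->cols; col++) {
            long n = guarded ? neighbour_guarded(bb, row, col)
                             : neighbour_unguarded(bb, row, col);
            if (n < 0)
                continue;
            if ((unsigned long)n >= total)
                a.past_end++;
            else if ((unsigned long)n / bb->cols != row)
                a.cross_row++;
        }
    }
    return a;
}

int main(void)
{
    struct bulk bb;
    if (bulk_init_partial(&bb, 4, 3) != 0)
        return 1;
    struct audit bad = audit_neighbours(&bb, 0), fixed = audit_neighbours(&bb, 1);
    printf("partial init, unguarded: %u past end, %u cross row\n", bad.past_end, bad.cross_row);
    printf("partial init, guarded:   %u past end, %u cross row\n", fixed.past_end, fixed.cross_row);
    bulk_free(&bb);
    return 0;
}
```

On a 4x3 grid the partially initialised buffer makes the unguarded loop step into the next row from the last column of rows 0 and 1 and past the end of the allocation from the last column of row 2; either fix alone brings both counts to zero, which is why the commit applies both: zeroing removes the garbage, and the guard removes the dependency on the invariant.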
kdj0c pushed a commit to kdj0c/kmscon that referenced this pull request Feb 5, 2026