Copy from my comment in #14:
Regarding the documentation about the default install location /usr/local and its usage:
A warning for users that compile software for the first time in the README about the default install location, adding that one has to consult their distro documentation and/or change their environment, like path, for /usr/local/bin and /usr/local/lib - see stackexchange link.
I'm closing this for now since I don't want to merge this in as-is. I'll update the README when I find time to sit down and revamp the project.
bb->prev was only partially initialized.
prev.id was initialized to ID_DAMAGED, but prev.overflow can be set
to true. bbulk_draw() relied on the fact that the last cell of each
row can't have overflow=true.
But because memory is uninitialized it might still be the case, and it can cause a
memory overflow as it uses offset + 1.
Fix both, by clearing the memory before using it, and also
checking that prev->overflow is valid only if it's not the last cell
of the row.
==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7d50a1437f20 at pc 0x5614ce2b1f57 bp 0x7fff10fa22f0 sp 0x7fff10fa22e8
WRITE of size 8 at 0x7d50a1437f20 thread T0
#0 0x5614ce2b1f56 in bbulk_draw (/usr/libexec/kmscon/kmscon+0xaf56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#1 0x7f50a2f4801e in tsm_screen_draw (/lib64/libtsm.so.4+0x201e) (BuildId: 5b178a420946ba2bfe708315fc3a15165481cdf3)
#2 0x5614ce2cbc56 in do_redraw_screen.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x24c56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#3 0x5614ce2f90de in uterm_drm_display_pflip (/usr/libexec/kmscon/kmscon+0x520de) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#4 0x5614ce2fc2f8 in io_event (/usr/libexec/kmscon/kmscon+0x552f8) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#5 0x5614ce2dd384 in ev_eloop_dispatch (/usr/libexec/kmscon/kmscon+0x36384) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#6 0x5614ce2dec61 in ev_eloop_run (/usr/libexec/kmscon/kmscon+0x37c61) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#7 0x5614ce2ab00a in main (/usr/libexec/kmscon/kmscon+0x400a) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#8 0x7f50a258f680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
#9 0x7f50a258f797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
#10 0x5614ce2acdf4 in _start (/usr/libexec/kmscon/kmscon+0x5df4) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
0x7d50a1437f20 is located 0 bytes after 3744-byte region [0x7d50a1437080,0x7d50a1437f20)
allocated by thread T0 here:
#0 0x7f50a28ef43f in malloc (/lib64/libasan.so.8+0xef43f) (BuildId: bcc44ebce5332cebdbad675fd59647503487ab0d)
#1 0x5614ce2b5c16 in bbulk_set (/usr/libexec/kmscon/kmscon+0xec16) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#2 0x5614ce2b4861 in kmscon_text_set (/usr/libexec/kmscon/kmscon+0xd861) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#3 0x5614ce2ccc18 in font_set.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x25c18) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#4 0x5614ce2ce073 in input_event.lto_priv.0 (/usr/libexec/kmscon/kmscon+0x27073) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#5 0x5614ce2f8c09 in timer_event (/usr/libexec/kmscon/kmscon+0x51c09) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#6 0x5614ce2e1b66 in timer_cb (/usr/libexec/kmscon/kmscon+0x3ab66) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#7 0x5614ce2dd384 in ev_eloop_dispatch (/usr/libexec/kmscon/kmscon+0x36384) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#8 0x5614ce2dec61 in ev_eloop_run (/usr/libexec/kmscon/kmscon+0x37c61) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#9 0x5614ce2ab00a in main (/usr/libexec/kmscon/kmscon+0x400a) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
#10 0x7f50a258f680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
#11 0x7f50a258f797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: 4f625349ee4779e87735749baa30339f0ded0348)
#12 0x5614ce2acdf4 in _start (/usr/libexec/kmscon/kmscon+0x5df4) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/libexec/kmscon/kmscon+0xaf56) (BuildId: f7f22b7bf76be2c4010a8b5f29f5f84bf3863d68) in bbulk_draw
Shadow bytes around the buggy address:
0x7d50a1437c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7d50a1437d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7d50a1437d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7d50a1437e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7d50a1437e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7d50a1437f00: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x7d50a1437f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d50a1438000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d50a1438080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d50a1438100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d50a1438180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11569==ABORTING
Without AddressSanitizer, it can trigger a segfault in bbulk_unset()
fedora kmscon[8857]: free(): invalid next size (normal)
fedora systemd-coredump[8938]: Process 8857 (kmscon) of user 0 terminated abnormally with signal 6/ABRT, processing...
fedora systemd[1]: Started systemd-coredump@3-12289-8938_8939-0.service - Process Core Dump (PID 8938/UID 0).
fedora systemd-coredump[8939]: Process 8857 (kmscon) of user 0 dumped core.
Stack trace of thread 8857:
#0 0x00007f4942f4c98c __pthread_kill_implementation (libc.so.6 + 0x7598c)
#1 0x00007f4942ef134e raise (libc.so.6 + 0x1a34e)
#2 0x00007f4942ed87b3 abort (libc.so.6 + 0x17b3)
#3 0x00007f4942ed9804 __libc_message_impl.cold (libc.so.6 + 0x2804)
#4 0x00007f4942f56d0c malloc_printerr (libc.so.6 + 0x7fd0c)
#5 0x00007f4942f586dc _int_free_merge_chunk (libc.so.6 + 0x816dc)
#6 0x00007f4942f58814 _int_free_chunk (libc.so.6 + 0x81814)
#7 0x0000564572db28a4 bbulk_unset (/usr/libexec/kmscon/kmscon + 0x38a4)
#8 0x0000564572db2c9c kmscon_text_unset (/usr/libexec/kmscon/kmscon + 0x3c9c)
#9 0x0000564572db2e72 kmscon_text_set (/usr/libexec/kmscon/kmscon + 0x3e72)
#10 0x0000564572dba7d3 font_set (/usr/libexec/kmscon/kmscon + 0xb7d3)
#11 0x0000564572dbaffd input_event (/usr/libexec/kmscon/kmscon + 0xbffd)
#12 0x0000564572dbf0dd timer_event (/usr/libexec/kmscon/kmscon + 0x100dd)
#13 0x0000564572dc2a77 ev_eloop_dispatch (/usr/libexec/kmscon/kmscon + 0x13a77)
#14 0x0000564572dc3143 ev_eloop_run (/usr/libexec/kmscon/kmscon + 0x14143)
#15 0x0000564572db1623 main (/usr/libexec/kmscon/kmscon + 0x2623)
#16 0x00007f4942eda681 __libc_start_call_main (libc.so.6 + 0x3681)
#17 0x00007f4942eda798 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3798)
#18 0x0000564572db2335 _start (/usr/libexec/kmscon/kmscon + 0x3335)
Signed-off-by: Jocelyn Falempe <[email protected]>
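The commit message describes a classic partial-initialization bug: the draw path treats a stale `overflow` flag as meaningful and touches `offset + 1`, which for the last cell of the buffer is one element past the allocation. The following is an added, self-contained C model of that cache and of the two fixes the commit applies (zeroing the array, and honouring `overflow` only off the last column). It is not kmscon's code: the struct layout, the `ID_DAMAGED` sentinel value, the `bulk_set`/`bulk_draw`/`bulk_unset` names and the "stale heap" fill are all constructed for illustration, and the model refuses the out-of-bounds write and reports it instead of performing it, so it can be run without a sanitizer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bb->prev cache (not kmscon's code): one entry per
 * screen cell remembering the glyph id drawn there last frame, plus a flag
 * for wide glyphs that also occupy the cell to the right. */
#define ID_DAMAGED UINT64_MAX   /* assumed sentinel: "must be redrawn" */

struct prev_cell {
	uint64_t id;
	bool overflow;
};

struct bulk {
	unsigned int cols, rows;
	struct prev_cell *prev;
	bool clear_memory;     /* fix 1: zero the array before use */
	bool check_last_col;   /* fix 2: never honour overflow on the last column */
};

/* Models bbulk_set(). Without clear_memory the array gets a constructed
 * "stale heap" pattern (overflow == true everywhere) standing in for whatever
 * malloc() happened to return; only id is then initialised, as in the bug. */
static int bulk_set(struct bulk *bb, unsigned int cols, unsigned int rows,
		    bool clear_memory, bool check_last_col)
{
	size_t i, n = (size_t)cols * rows;

	bb->cols = cols;
	bb->rows = rows;
	bb->clear_memory = clear_memory;
	bb->check_last_col = check_last_col;
	bb->prev = malloc(n * sizeof(*bb->prev));
	if (!bb->prev)
		return -1;
	if (clear_memory)
		memset(bb->prev, 0, n * sizeof(*bb->prev));
	else
		for (i = 0; i < n; i++)
			bb->prev[i].overflow = true;   /* constructed stale contents */
	for (i = 0; i < n; i++)
		bb->prev[i].id = ID_DAMAGED;           /* the only field the old code set */
	return 0;
}

/* Models the per-cell draw callback. Returns 0 on success and -1 where the
 * real code would write past the array (the WRITE ASan reported). */
static int bulk_draw(struct bulk *bb, unsigned int posx, unsigned int posy,
		     uint64_t id, unsigned int width)
{
	size_t n = (size_t)bb->cols * bb->rows;
	size_t offset = (size_t)posy * bb->cols + posx;
	struct prev_cell *prev;

	if (posx >= bb->cols || posy >= bb->rows)
		return -1;
	prev = &bb->prev[offset];
	if (prev->id == id)
		return 0;   /* same glyph as last frame, nothing to redraw */
	/* A wide glyph previously drawn here also covered offset + 1, so that
	 * neighbour must be redrawn too; only a non-last column may carry it. */
	if (prev->overflow && (!bb->check_last_col || posx + 1 < bb->cols)) {
		if (offset + 1 >= n)
			return -1;   /* heap-buffer-overflow in the unfixed code */
		bb->prev[offset + 1].id = ID_DAMAGED;
	}
	prev->id = id;
	prev->overflow = width > 1;
	return 0;
}

static void bulk_unset(struct bulk *bb)
{
	free(bb->prev);
	bb->prev = NULL;
}

/* Draws one full frame of width-1 glyphs on a 10x8 cache and returns how many
 * cell draws were refused as out of bounds (-1 if allocation failed). */
static int run_scenario(bool clear_memory, bool check_last_col)
{
	struct bulk bb;
	int rejected = 0;
	unsigned int x, y;

	if (bulk_set(&bb, 10, 8, clear_memory, check_last_col) < 0)
		return -1;
	for (y = 0; y < bb.rows; y++)
		for (x = 0; x < bb.cols; x++)
			if (bulk_draw(&bb, x, y, 1 + (uint64_t)(y * bb.cols + x), 1) < 0)
				rejected++;
	bulk_unset(&bb);
	return rejected;
}

/* Cells carrying a stale overflow flag right after allocation (SIZE_MAX on
 * allocation failure); a correctly initialised cache has none. */
static size_t stale_after_set(bool clear_memory)
{
	struct bulk bb;
	size_t i, n, count = 0;

	if (bulk_set(&bb, 10, 8, clear_memory, true) < 0)
		return SIZE_MAX;
	n = (size_t)bb.cols * bb.rows;
	for (i = 0; i < n; i++)
		count += bb.prev[i].overflow;
	bulk_unset(&bb);
	return count;
}

int main(void)
{
	printf("unfixed: %d refused write(s), %zu stale cells\n",
	       run_scenario(false, false), stale_after_set(false));
	printf("last-column check only: %d refused write(s)\n", run_scenario(false, true));
	printf("both fixes: %d refused write(s), %zu stale cells\n",
	       run_scenario(true, true), stale_after_set(true));
	return 0;
}
```

In the unfixed configuration only the very last cell is refused, matching the ASan report of a write "0 bytes after" the region: for every other last-column cell, `offset + 1` is the first cell of the next row, so the stale flag merely forces a spurious redraw there. The last-column check alone is enough to stop the out-of-bounds write, but it still leaves the cache full of garbage flags; clearing the memory is what removes the spurious redraws, which is why the commit applies both.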