
Runtime Error Bug in the unnethack Nixpkgs #292113

Closed
naidneelttil opened this issue Feb 28, 2024 · 3 comments · Fixed by #292170
Labels
0.kind: bug Something is broken

Comments

naidneelttil commented Feb 28, 2024

Describe the bug

When attempting to run this program it immediately gives a buffer overflow detected error.
The stacktrace seems to indicate the issue originated on line 15 of .wrapped_unnethack in the nix store.
After getting the error it also alters the terminal, making nothing typed in visible.

Steps To Reproduce

Steps to reproduce the behavior:

  1. run the command nix run "nixpkgs#unnethack"

Expected behavior

I expect the program to run without a buffer overflow detected and the terminal not to be affected.

Screenshots

If applicable, add screenshots to help explain your problem.
This is what it looks like when the program is run (screenshot attached to the issue).

Additional context

N/A

Notify maintainers

@trofi
@Profpatsch

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.9-200.fc39.x86_64, Fedora Linux, 39.20240113.0 (Silverblue), nobuild`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.19.2`
 - nixpkgs: `/var/home/naidneelttil/.nix-defexpr/channels/nixpkgs`


@naidneelttil naidneelttil added the 0.kind: bug Something is broken label Feb 28, 2024

trofi commented Feb 28, 2024

Yeah, that's probably fortify3 hardening. gcc build log even tells us that we have a few overruns:

display.c:1496:84: warning: '%s' directive writing up to 255 bytes into a region of size between 145 and 155 [-Wformat-overflow=]
 1496 |                 Sprintf(tmpbuf, "<span title=\"you\" class=\"nh_inv_%d nh_player\">%s</span>", color, html_c);
      |                                                                                    ^~                 ~~~~~~

I'll try to extract a backtrace to verify.


trofi commented Feb 28, 2024

$ coredumpctl debug

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f734250c0e3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f73424bce06 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f73424a58f5 in __GI_abort () at abort.c:79
#4  0x00007f73424a67a1 in __libc_message (fmt=fmt@entry=0x7f734261e2f8 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007f734259b1d9 in __GI___fortify_fail (msg=msg@entry=0x7f734261e2df "buffer overflow detected") at fortify_fail.c:24
#6  0x00007f734259ab94 in __GI___chk_fail () at chk_fail.c:28
#7  0x00000000005b2ac5 in strcpy (__src=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)",
    __dest=0x7ffe68838990 "\001") at /nix/store/B0S2LKF593R3585038WS4JD3LYLF2WDX-glibc-2.38-44-dev/include/bits/string_fortified.h:79
#8  curses_break_str (str=str@entry=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)", width=width@entry=163,
    line_num=line_num@entry=1) at ../win/curses/cursmisc.c:275
#9  0x00000000005b3f51 in curses_character_input_dialog (prompt=prompt@entry=0x7ffe68838cf0 "Shall I pick a character's race, role, gender and alignment for you?",
    choices=choices@entry=0x7ffe68838d70 "YNTQ", def=def@entry=121) at ../win/curses/cursdial.c:211
#10 0x00000000005b9ca0 in curses_choose_character () at ../win/curses/cursinit.c:556
#11 0x0000000000404eb1 in main (argc=<optimized out>, argv=<optimized out>) at ./../sys/unix/unixmain.c:309

This corresponds to this gcc warning:

../win/curses/cursmisc.c: In function 'curses_break_str':
../win/curses/cursmisc.c:275:5: warning: '__builtin___strcpy_chk' writing one too many bytes into a region of a size that depends on 'strlen' [-Wstringop-overflow=]
  275 |     strcpy(substr, str);
      |     ^
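
The one-byte overflow that the gcc warning and the backtrace above describe, as an added C example (not code from unnethack or from the nixpkgs fix): the buggy buffer sizing is reconstructed from the warning text and is an assumption about the upstream shape; copy_would_overflow mirrors the size check a fortified strcpy performs, and checked_copy / fixed_break_str_len show the corrected sizing.

```c
#include <stdio.h>
#include <string.h>

/* Prompt string quoted from the backtrace in this thread. */
static const char PROMPT[] =
    "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)";

/* Assumed shape of the bug (reconstructed from the warning, not upstream
 * source): the scratch buffer is sized strlen(str), so strcpy's terminating
 * NUL is the "one too many bytes". With _FORTIFY_SOURCE=3 strcpy becomes
 * __builtin___strcpy_chk, which knows the VLA size and aborts with
 * "buffer overflow detected". Kept only for comparison; never called. */
__attribute__((unused)) static void buggy_break_str(const char *str)
{
    char substr[strlen(str)];   /* one byte short: no room for '\0' */
    strcpy(substr, str);        /* writes strlen(str) + 1 bytes */
}

/* The check a fortified strcpy performs: does src plus its NUL fit? */
static int copy_would_overflow(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}

/* Hardened copy: report the overflow instead of aborting the process. */
static int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > dst_size) return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Fixed sizing: reserve the terminator; returns copied length, 0 on refusal. */
static size_t fixed_break_str_len(const char *str)
{
    char substr[strlen(str) + 1];
    return checked_copy(substr, sizeof substr, str) == 0 ? strlen(substr) : 0;
}

static char scratch[8];   /* small destination for exercising checked_copy */

int main(void)
{
    printf("dst=strlen(str):   overflow=%d\n", copy_would_overflow(strlen(PROMPT), PROMPT));
    printf("dst=strlen(str)+1: overflow=%d\n", copy_would_overflow(strlen(PROMPT) + 1, PROMPT));
    printf("checked_copy into 8 bytes: %d\n", checked_copy(scratch, sizeof scratch, PROMPT));
    printf("fixed copy length: %zu\n", fixed_break_str_len(PROMPT));
    return 0;
}
```

Building the buggy variant with `-O2 -D_FORTIFY_SOURCE=3` reproduces the same `-Wstringop-overflow=` diagnostic pattern shown above; the fortified check only fires at runtime when the destination size is known to the compiler, which is why the VLA sizing matters.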

trofi added a commit to trofi/nixpkgs that referenced this issue Feb 28, 2024
Without the change `unnethack` startup crashes as:

    (gdb) bt
    #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
    #1  0x00007f734250c0e3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
    #2  0x00007f73424bce06 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #3  0x00007f73424a58f5 in __GI_abort () at abort.c:79
    #4  0x00007f73424a67a1 in __libc_message (fmt=fmt@entry=0x7f734261e2f8 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
    #5  0x00007f734259b1d9 in __GI___fortify_fail (msg=msg@entry=0x7f734261e2df "buffer overflow detected") at fortify_fail.c:24
    #6  0x00007f734259ab94 in __GI___chk_fail () at chk_fail.c:28
    #7  0x00000000005b2ac5 in strcpy (__src=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)",
        __dest=0x7ffe68838990 "\001") at /nix/store/B0S2LKF593R3585038WS4JD3LYLF2WDX-glibc-2.38-44-dev/include/bits/string_fortified.h:79
    #8  curses_break_str (str=str@entry=0x7ffe68838b00 "Shall I pick a character's race, role, gender and alignment for you? [YNTQ] (y)", width=width@entry=163,
        line_num=line_num@entry=1) at ../win/curses/cursmisc.c:275
    #9  0x00000000005b3f51 in curses_character_input_dialog (prompt=prompt@entry=0x7ffe68838cf0 "Shall I pick a character's race, role, gender and alignment for you?",
        choices=choices@entry=0x7ffe68838d70 "YNTQ", def=def@entry=121) at ../win/curses/cursdial.c:211
    #10 0x00000000005b9ca0 in curses_choose_character () at ../win/curses/cursinit.c:556
    #11 0x0000000000404eb1 in main (argc=<optimized out>, argv=<optimized out>) at ./../sys/unix/unixmain.c:309

which corresponds to `gcc` warning:

    ../win/curses/cursmisc.c: In function 'curses_break_str':
    ../win/curses/cursmisc.c:275:5: warning: '__builtin___strcpy_chk' writing one too many bytes into a region of a size that depends on 'strlen' [-Wstringop-overflow=]
      275 |     strcpy(substr, str);
          |     ^

I did not find a single small upstream change that fixes it. Let's
disable `fortify3` until next release.

Closes: NixOS#292113

trofi commented Feb 28, 2024

Proposed the change as #292170
