GNU bug report logs - #6149
24.0.50; shell buffer overflow when input longer than 4096 bytes

Message received at 6149 <at> debbugs.gnu.org:

Received: (at 6149) by debbugs.gnu.org; 28 Sep 2018 20:10:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Sep 28 16:10:15 2018
Received: from localhost ([127.0.0.1]:58015 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1g5z5b-0004a3-6y
	for submit <at> debbugs.gnu.org; Fri, 28 Sep 2018 16:10:15 -0400
Received: from sinyavsky.aurox.ch ([37.35.109.145]:51664)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <charles@HIDDEN>) id 1g5z5a-0004Zp-3i
 for 6149 <at> debbugs.gnu.org; Fri, 28 Sep 2018 16:10:14 -0400
Received: from sinyavsky.aurox.ch (sinyavsky.aurox.ch [127.0.0.1])
 by sinyavsky.aurox.ch (Postfix) with ESMTP id 8F42A2287E
 for <6149 <at> debbugs.gnu.org>; Fri, 28 Sep 2018 20:14:03 +0000 (UTC)
Authentication-Results: sinyavsky.aurox.ch (amavisd-new); dkim=pass
 reason="pass (just generated, assumed good)" header.d=aurox.ch
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aurox.ch; h=
 references:reply-to:subject:subject:in-reply-to:to:from:from
 :message-id:date:date; s=dkim; t=1538165641; x=1539029642; bh=N5
 Qo+caOmQGTJHcBrO6QfqdFN6wjHIh/8A/SV/jZEa8=; b=S9/JBc58W8NzPSefj7
 sEoyS6JTKZ0E62ODJHumbogR5rHERZVpwGW8nwm7sXHu1ci2s3IYN1HJg3DMv2/C
 +LukWJ2GlWt0BITx8AeD4o4dQ0X1A0TSps+0BVs/wcvBiwPs7nqwCaaest/4PYvO
 HgikOzvWHZs3GbDVokJhg3TH8=
X-Virus-Scanned: Debian amavisd-new at test.virtualizor.com
Received: from sinyavsky.aurox.ch ([127.0.0.1])
 by sinyavsky.aurox.ch (sinyavsky.aurox.ch [127.0.0.1]) (amavisd-new,
 port 10026) with ESMTP id dk3dxUVI_5eK for <6149 <at> debbugs.gnu.org>;
 Fri, 28 Sep 2018 20:14:01 +0000 (UTC)
Received: from gray (unknown [IPv6:2a02:1205:c693:2d60:c62c:3ff:fe30:b864])
 by sinyavsky.aurox.ch (Postfix) with ESMTPSA id 385B9226F4;
 Fri, 28 Sep 2018 20:14:01 +0000 (UTC)
Date: Fri, 28 Sep 2018 22:13:11 +0200
Message-Id: <m25zyp2xew.fsf@HIDDEN>
From: charles@HIDDEN (Charles A. Roelli)
To: jidanni@HIDDEN
In-reply-to: <87aas81jgh.fsf@HIDDEN>
Subject: Re: bug#6149: 24.0.50;
 shell buffer overflow when input longer than 4096 bytes
References: <87aas81jgh.fsf@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 6149
Cc: 6149 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: charles@HIDDEN
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: jidanni@HIDDEN
> Date: Mon, 10 May 2010 12:14:54 +0800
> 
> This is a serious bug in M-x shell. It is not a bash or dash bug. It is
> not a readline bug. It does not happen in xterm. It does not happen when
> using pipes or backticks to get the input. It only happens in M-x
> shell... when one gives lines longer than ~4096 characters.
> 
> Actually it is not buffer overflow, but buffer truncation, with NO
> WARNING to the user. One day the wrong file will get removed via this
> mess.
> 
> In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
>  of 2010-05-01 on elegiac, modified by Debian
>  (emacs-snapshot package, version 1:20100501-1)
> 
> 
> [application/octet-stream input_truncation.txt.gz (2kB)]

I can still reproduce this bug in 26.1 with the following recipe:

M-x shell RET
echo SPC C-SPC
C-u 5000 a RET
C-p C-e
M-=

On GNU/Linux: Region has 2 lines, 2 words, and 9096 characters.

If echo had received all of the input, you would expect around 10000
characters in the region.  Instead, there are 5000 + 4096 characters.

Back when EOF chars were used to flush output, we had an "fpathconf"
check as in:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=3d082a269ece18058ed82957f8a056822b39789e

It might be possible to reinstate this "fpathconf" check to warn the
user that he has gone over the PTY limit, or maybe to prevent overlong
lines from being sent at all.

There is further discussion at:

http://lists.gnu.org/archive/html/emacs-devel/2010-08/msg00209.html


(Also, repeating this recipe on macOS with Emacs 26.1 results in the
behavior pointed out in Bug#32438.)

Message received at 6149 <at> debbugs.gnu.org:

Received: (at 6149) by debbugs.gnu.org; 1 Jun 2010 01:50:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 31 21:50:40 2010
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1OJGcq-0001jD-I0
	for submit <at> debbugs.gnu.org; Mon, 31 May 2010 21:50:40 -0400
Received: from ironport2-out.teksavvy.com ([206.248.154.183]
	helo=ironport2-out.pppoe.ca)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <monnier@HIDDEN>) id 1OJGco-0001j6-Vl
	for 6149 <at> debbugs.gnu.org; Mon, 31 May 2010 21:50:39 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlUFAGIEBExMCpdY/2dsb2JhbACSJIwHcr8BhRYEjEw
X-IronPort-AV: E=Sophos;i="4.53,337,1272859200"; d="scan'208";a="66559480"
Received: from 76-10-151-88.dsl.teksavvy.com (HELO pastel.home)
	([76.10.151.88])
	by ironport2-out.pppoe.ca with ESMTP; 31 May 2010 21:50:37 -0400
Received: by pastel.home (Postfix, from userid 20848)
	id 3B98681F8; Mon, 31 May 2010 21:50:37 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: jidanni@HIDDEN
Subject: Re: bug#6149: 24.0.50;
	shell buffer overflow when input longer than 4096 bytes
Message-ID: <jwv6323wmhk.fsf-monnier+emacs@HIDDEN>
References: <87aas81jgh.fsf@HIDDEN>
Date: Mon, 31 May 2010 21:50:37 -0400
In-Reply-To: <87aas81jgh.fsf@HIDDEN> (jidanni@HIDDEN's message of
	"Mon, 10 May 2010 12:14:54 +0800")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: 6149
Cc: 6149 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces <at> debbugs.gnu.org
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
X-Spam-Score: -2.2 (--)

>>>>> "jidanni" == jidanni  <jidanni@HIDDEN> writes:

> This is a serious bug in M-x shell. It is not a bash or dash bug. It is
> not a readline bug. It does not happen in xterm. It does not happen when
> using pipes or backticks to get the input. It only happens in M-x
> shell... when one gives lines longer than ~4096 characters.

> Actually it is not buffer overflow, but buffer truncation, with NO
> WARNING to the user. One day the wrong file will get removed via this
> mess.

> In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
>  of 2010-05-01 on elegiac, modified by Debian
>  (emacs-snapshot package, version 1:20100501-1)

Thanks for this nice test case.
It appears it was a silly mistake (code placed in the wrong side of
a #if).  I've installed the patch below which should fix it,


        Stefan


=== modified file 'src/sysdep.c'
--- src/sysdep.c	2010-05-04 07:40:53 +0000
+++ src/sysdep.c	2010-06-01 01:40:00 +0000
@@ -537,15 +537,6 @@
   s.main.c_cflag = (s.main.c_cflag & ~CBAUD) | B9600; /* baud rate sanity */
 #endif /* AIX */
 
-#else /* not HAVE_TERMIO */
-
-  s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE
-		       | CBREAK | TANDEM);
-  s.main.sg_flags |= LPASS8;
-  s.main.sg_erase = 0377;
-  s.main.sg_kill = 0377;
-  s.lmode = LLITOUT | s.lmode;        /* Don't strip 8th bit */
-
   /* We used to enable ICANON (and set VEOF to 04), but this leads to
      problems where process.c wants to send EOFs every once in a while
      to force the output, which leads to weird effects when the
@@ -558,6 +549,15 @@
   s.main.c_cc[VMIN] = 1;
   s.main.c_cc[VTIME] = 0;
 
+#else /* not HAVE_TERMIO */
+
+  s.main.sg_flags &= ~(ECHO | CRMOD | ANYP | ALLDELAY | RAW | LCASE
+		       | CBREAK | TANDEM);
+  s.main.sg_flags |= LPASS8;
+  s.main.sg_erase = 0377;
+  s.main.sg_kill = 0377;
+  s.lmode = LLITOUT | s.lmode;        /* Don't strip 8th bit */
+
 #endif /* not HAVE_TERMIO */
 
   EMACS_SET_TTY (out, &s, 0);

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 10 May 2010 04:16:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 10 00:16:51 2010
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1OBKQF-0000mY-AO
	for submit <at> debbugs.gnu.org; Mon, 10 May 2010 00:16:51 -0400
Received: from mx10.gnu.org ([199.232.76.166])
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <jidanni@HIDDEN>) id 1OBKP5-0000m5-HC
	for submit <at> debbugs.gnu.org; Mon, 10 May 2010 00:16:50 -0400
Received: from lists.gnu.org ([199.232.76.165]:40976)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <jidanni@HIDDEN>) id 1OBKOq-0003iR-Qp
	for submit <at> debbugs.gnu.org; Mon, 10 May 2010 00:15:24 -0400
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1OBKOp-0008Ho-PJ
	for bug-gnu-emacs@HIDDEN; Mon, 10 May 2010 00:15:23 -0400
Received: from [140.186.70.92] (port=57086 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1OBKOi-0008A7-9y
	for bug-gnu-emacs@HIDDEN; Mon, 10 May 2010 00:15:23 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_MIME_NO_TEXT,
	T_TVD_MIME_NO_HEADERS autolearn=unavailable version=3.3.1
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <jidanni@HIDDEN>) id 1OBKOS-0004Dg-FC
	for bug-gnu-emacs@HIDDEN; Mon, 10 May 2010 00:15:05 -0400
Received: from caiajhbdcahe.dreamhost.com ([208.97.132.74]:40434
	helo=homiemail-a14.g.dreamhost.com)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <jidanni@HIDDEN>) id 1OBKOS-0004DP-9J
	for bug-gnu-emacs@HIDDEN; Mon, 10 May 2010 00:15:00 -0400
Received: from jidanni.org (218-163-3-173.dynamic.hinet.net [218.163.3.173])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: jidanni@HIDDEN)
	by homiemail-a14.g.dreamhost.com (Postfix) with ESMTPSA id 5C2BB8C06A
	for <bug-gnu-emacs@HIDDEN>; Sun,  9 May 2010 21:14:57 -0700 (PDT)
From: jidanni@HIDDEN
To: bug-gnu-emacs@HIDDEN
Subject: 24.0.50; shell buffer overflow when input longer than 4096 bytes
Date: Mon, 10 May 2010 12:14:54 +0800
Message-ID: <87aas81jgh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6,
	seldom 2.4 (older, 4)
X-Spam-Score: -5.3 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces <at> debbugs.gnu.org
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
X-Spam-Score: -5.3 (-----)

--=-=-=

This is a serious bug in M-x shell. It is not a bash or dash bug. It is
not a readline bug. It does not happen in xterm. It does not happen when
using pipes or backticks to get the input. It only happens in M-x
shell... when one gives lines longer than ~4096 characters.

Actually it is not buffer overflow, but buffer truncation, with NO
WARNING to the user. One day the wrong file will get removed via this
mess.

In GNU Emacs 24.0.50.1 (i486-pc-linux-gnu, GTK+ Version 2.20.0)
 of 2010-05-01 on elegiac, modified by Debian
 (emacs-snapshot package, version 1:20100501-1)


--=-=-=
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=input_truncation.txt.gz
Content-Transfer-Encoding: base64
Content-Description: buffer truncation

H4sICIKG50sAA2lucHV0X3RydW5jYXRpb24udHh0AO1YyW7jOBC991f0YeYUkBCpxfLXGJREK5xQ
opqkbHdjkG+fKsoLtbg754EPQZCwVNt7tZB/fZf1u/muVT9eiFZVTRp5OnBa0DQl7FNeBmlVJ3sv
NM0PKi0L2sgK5Kvz+UzgUB9yWqY5YQeh9e0MpLWpOehJaPrZKs8TliR5UoBYrKMzv/5xaXNgdE85
zT6rUemGk3QmVIu+ktYK0vqP5JBQni203AQ2Dys9Sm+Mf08PGS1Swh+nR2W7s7CSTNEfrZRPI78F
d343ykHIENfMjPuhlZcpSQ4paOApZbGl2poeDpJBM8JYEn+JllUnWkmupjkpyuIrCOCXlXB/9vke
p5VCe/kR0hTB9XDhbpm/8d0svnfvB+KkPUlLnOoGLSfwE5qlc+zbERhEGE0gFyyfJRxPnQcvOtAy
6LFVvQshJJShOP6ifL9A8P7JH6SE0ztgUg6pXxz1ppPkToQdhJgm4N9CSho1MFCQ0d1nJb1I35qj
a2OpBWF60wfOzNI5l5mf1YMyYJwxkj2UVq7pBMh6pd2hBGKxyOJgTT24A/s7FSlUSEn2v+EOJ3mE
IGFR5hGTDTTw3yuUGnU8Tt5MZmeJgh8lrs6iR4sq6KpaK+DfgYdPc8o/QxLnZs9XqeT3Yq7RjPLJ
IoEcAjaQvIwUc9z8Bw9k45Qna+yn09p0HZTgXSTmq1CalU++hp+78pymm8T6kD+t6ttkotVMRW2s
vAGbz9I4fLQQDsvpji76lTHOE2Um0jugIzhwmH4tGuMgOtKZZtTSoS4wPT+/8CIj+zTAmFB36kMX
ztieJHThS+j6d3+i7IgT+p8nhzwogeJ6uyviO1CUzDNiOqihDOSSBZi6EQPQNCM4FTLKl6k2tgZt
WajvLIjNqGDGAT9mG0l2P91J9Qo4R8uyccf406pqKvykiDA/mt7XULqqJdMv/BD9jSJv8QQ9TYFz
C09DvkLzWyXs5gqZQN9wCMfVaHV62E1845t8a4QXD8rFZIXS045jje+xG7IFIcAtFrjAs9nJScM0
hp5MZxN4+OnfTQ9jYTDWV2MLwLE4C9M5B+p2EFUnNJjN4a9innxi6yjUewpB7dSK1rRN2jVhsdVB
I9TYViDl+5WbbhzQzxBGeTfzY2iO2FPn9TU62C1G6ENAUEj0XRrBcbVVg3+Gjjgdje2Ez/lXKV/X
LJTYJuvFIOqPtD2GZslIOTtF39O180/xwORBY8BM5ewr7nXQOEMBAE3jXIvBKw/NH9JTBL8irz/C
FngdAKi+XPLfdkT1Xmo2VfIy5ql2YMRtVo8Xrkfc+ZyKANhkErDdzVooVMtGsTyKOKrepZdWNNL0
z9wEnL0VfbpuVwIGdRMwxQV2uVGCZr6t8nhUOa55dL84gPLDUbBRgsAeAvanRW6LQY9A2ZNIA2Db
UOGEsFAGsBPeCy4ik3PvCA+O1XzxpfNN/fZWbLrkzq4WWn51JoR+R6bOtd32zCB7K84sVOsyhtHL
bvCw/YUI8nkzwQ3orIHlfUtgRtg6bGN0P61u8ZJbWXdqebQIFPNxPgGR3YDIVrDXBLY6hxBCxydR
iOHSQqRzsNEo6JGMLW5Kk2W+YXS95DixueXEcd42zO1IsYU+tjfQFARYrG6wynWcQMnddUFBO7y0
STvXukGJkCVcF9ZJAoUhfdDrCF6BonEakruZ1x8+I5dOH7LQQqEdxWZ76WvhCRIEMgWpKffxcT0M
23qr60JNGlNPq10OaZ3WnzIaqcoZoEQjcZllxXzWomNNNbptz24WtrQvw4MozsZ+bCu6ygBHnp7H
HNmgx7QDEuGcAhDD0AMOPiq9ld7LS/g3tNb5Mv8uNewMUJYwavZx9Hce8edEQtdOPTaQAiwub0tI
Byu13GSE/zXtOJA0FeNxBi9hs1nd7mSrsbGE9TDBBWG5ODHSSSdIqy8QTLmxyY+TxPoU0LkVfeQI
DFnoPMHBhPOMRCXdvr1docrm5Xy5XpAvxrZQUcPoifvZ47CtXcBt5TbcpHG9xzWpfNrZnpTkhjV5
Cnt8wAtTPscKq0joaVlhSJFdvr7R3PfLcj6otGmt8cIjlpDCWDXesYjs4TYvb11neZe6pnMqx0dK
Y74NqYZLPr6f7Eu8B9DVM8mtAaKSzd43GGhMFU7LMGhZ8SiBEBeBol1H5mQD2OMWFD15/Pv9XH97
vYq9XsVer2KvV7EwK1+vYo9Z+noVe72KvV7FXq9ir1ex16vYQ/PrVez1KvZ6FXu9iv0PXsW+/Qem
/j/+GCMAAA==
--=-=-=--