Menu

#98 dfu-signature segfaults on wrong options

0.10
closed
nobody
None
2021-09-19
2020-11-06
chrysn
No

I've observed several segfaults with dfu-suffix, both in the Debian released 0.9-1 version and the current master (5c323e45d611a4c817529a5ff8f8aaa99af1b89a).

Example invocations that crash:

dfu-suffix --add --vendor 0x2B04 --product 0xD00E /tmp/x.bin
dfu-suffix --add --vendor 0x2B04 --product 0xD00E /dev/null
dfu-suffix --remove /dev/null

The first is what I actually tried, the last doesn't make a lot of sense but appears to run into the same bug and is easier to reproduce. For comparison, an --add without parameters, or a --check work as expected.

Backtrace of the crash:

$ gdb --args =dfu-suffix --remove /tmp/x.bin
[...]
(gdb) run
Starting program: /tmp/dfu-util/src/dfu-suffix --remove /tmp/x.bin
dfu-suffix (dfu-util) 0.9

Copyright 2011-2012 Stefan Schmidt, 2013-2014 Tormod Volden
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/


Program received signal SIGSEGV, Segmentation fault.
__strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:853
(gdb) bt
#0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:853
#1  0x00007ffff7e96171 in process_long_option (argc=argc@entry=3, argv=argv@entry=0x7fffffffdf88, 
    optstring=optstring@entry=0x5555555573a8 "hVc:a:D:p:v:d:S:s:T", longopts=longopts@entry=0x55555555a0e0 <opts>, longind=longind@entry=0x7fffffffde1c, 
    long_only=0, d=0x7ffff7f74640 <getopt_data>, print_errors=1, prefix=0x7ffff7f3d838 "--") at getopt.c:212
#2  0x00007ffff7e96aef in _getopt_internal_r (argc=3, argv=0x7fffffffdf88, optstring=0x5555555573a8 "hVc:a:D:p:v:d:S:s:T", longopts=0x55555555a0e0 <opts>, 
    longind=0x7fffffffde1c, long_only=long_only@entry=0, d=0x7ffff7f74640 <getopt_data>, posixly_correct=0) at getopt.c:650
#3  0x00007ffff7e96d51 in _getopt_internal (argc=<optimized out>, argv=<optimized out>, optstring=<optimized out>, longopts=<optimized out>, 
    longind=<optimized out>, long_only=long_only@entry=0, posixly_correct=0) at getopt.c:711
#4  0x00007ffff7e96dce in getopt_long (argc=<optimized out>, argv=<optimized out>, options=<optimized out>, long_options=<optimized out>, 
    opt_index=<optimized out>) at getopt1.c:31
#5  0x000055555555525b in main (argc=3, argv=0x7fffffffdf88) at suffix.c:95

Discussion

  • Tormod Volden

    Tormod Volden - 2020-11-06
    • status: open --> accepted
    • Milestone: none --> 1.0
     

  • Tormod Volden

    Tormod Volden - 2020-11-06

    Thanks a lot for the report. It is simply that the array of options needs to be zero-terminated.

     

  • Tormod Volden

    Tormod Volden - 2020-11-06

    Note that the correct option is --delete, --vid, and --pid, and that the argument to the --add option is the filename so e.g. your first example should be dfu-suffix --vid 0x2B04 --pid 0xD00E --add /tmp/x.bin

     

  • Tormod Volden

    Tormod Volden - 2020-11-06
    • summary: dfu-signature segfaults --> dfu-signature segfaults on wrong options
    • status: accepted --> closed
     

Anonymous
Anonymous

Add attachments
Cancel





MongoDB Logo MongoDB