bterm crashes on console screen

Solution Verified

Issue

Symptom/Problem

  • SIGSEGV occurs when the customer uses an editor on a bterm console screen

Environment

  • Red Hat Enterprise Linux 5.3 i386

Resolution

  • A patch has been proposed for this issue. The fix is shipped in the Red Hat Enterprise Linux 5.3 FasTrack channel.
  • Refer to the patch below:

    diff -up bogl-0.1.18/bogl-term.c.original bogl-0.1.18/bogl-term.c
    --- bogl-0.1.18/bogl-term.c.original     2009-08-17 23:43:22.000000000 +0900
    +++ bogl-0.1.18/bogl-term.c     2009-08-17 23:44:11.000000000 +0900
    @@ -465,6 +465,7 @@ bogl_term_out (struct bogl_term *term, c
                         /* Move all other lines down.  Fortunately, this is easy.  */
                         dirty_backscroll(term);
                         term->yorig--;
    +                    if(term->yorig==-1) term->yorig=term->ysize-1;
    
                         /* Clear the top line.  */
                         for (i = SCR (0, 0); i < SCR (term->xsize, 0); i++)
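Review bot: the new guard `if(term->yorig==-1) term->yorig=term->ysize-1;` wraps the ring origin only when it is exactly -1, which suffices here because the line above it (`term->yorig--;`) is the only decrement and moves by one per scroll, but a one-line comment stating that yorig must stay in [0, ysize) because SCR reduces it modulo term->ysize would document why wrapping is the right correction rather than an arbitrary reset; an equivalent that does not depend on the exact value is `if (term->yorig < 0) term->yorig += term->ysize;`, and either form should follow the surrounding style (`if (` with spaces around `==` and `=`).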
    

Diagnostic Steps (internal)

  • Reproducer:

    • boot with the kernel option vga=771
    • start vi to edit a file of 80 lines
    • press Shift+G to reach the bottom
    • continuously press k to move the cursor up
    • just before the cursor reaches the top-most line, SEGV occurs

  • backtrace:

    #0  bogl_term_out (term=0x855c9e0, 
    s=0xbfc81670 "\033[1;1Hline 39\r\033[?25h\033[2J\033[1;1Hline 40\r\nline 41\r\nline 42\r\nline 43\r\nline 44\r\nline 45\r\nline 46\r\nline 47\r\nline 48\r\nline 49\r\nline 50\r\nline 51\r\nline 52\r\nline 53\r\nline 54\r\nline 55\r\nline 56\r\nline 57\r\nline 58\r"..., n=20) at bogl-term.c:472
    

Root Cause

  • term->yorig is invalid: the crash happens when its value is negative.
  • Under bterm, scrolling line by line works, but jumps (e.g. :80 to jump to line 80, Ctrl+F, Ctrl+G, etc.) are not handled well: they do not update term->yorig. After such a jump, moving back up line by line decrements term->yorig, which eventually reaches -1 and causes the SEGV.

Comments (internal)

  • The trace shows:

    308 void
    309 bogl_term_out (struct bogl_term *term, char *s, int n)
    310 {
    469                     /* Clear the top line.  */
    470                     for (i = SCR (0, 0); i < SCR (term->xsize, 0); i++)
    471                     {
    472                         term->screen[i] = ' '; ###<---
    473                         term->screenfg[i] = term->fg;
    474                         term->screenbg[i] = term->bg;
    475                         term->screenul[i] = 0;
    476                         term->cchars[i] = 0;
    477                         term->dirty[i] = 1;
    478                     }
    479                 }
    480             }
    
  • The crash actually occurs inside the SCR macro:

    96 #define SCR(x, y) \
    97 ((x) + (((y) + term->yorig) % term->ysize) * term->xsize)
    
  • yorig is a negative number:

    (gdb) p *term
    $2 = {font = 0x20, xbase = 32, ybase = 32, xsize = 32, ysize = 32, xstep = 32, ystep = 32, xpos = 32,
    ypos = 32, def_fg = 32, def_bg = 32, fg = 32, bg = 32, ul = 32, rev = 32, state = 32, cur_visible = 32,
    xp = 32, yp = 32, arg = {32, 32}, ps = {flags_ = 32, wcout_ = 32}, screen = 0x20, screenfg = 0x8562800, screenbg = 0x85672d8, screenul = 0x856bdb0, dirty = 0x8561548 "\001", cchars = 0x8570888, yorig = -1, acs = 0, utf = "M\000\000\000\000", utfn = 0}
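To make the root cause concrete, the following added example (not code from the bogl project or from this article) models the SCR arithmetic on a small term_model struct with constructed 80x25 geometry, and replays the reproducer's scroll-back with and without the wrap-around from the patch above:

```c
#include <stdio.h>
/* Screen geometry for the model (constructed, not the page's crash values). */
#define COLS 80
#define ROWS 25

/* The bogl_term fields that the SCR macro reads. */
struct term_model { int xsize, ysize, yorig; };

/* Same arithmetic as SCR(x, y) in bogl-term.c.  In C, a % b takes the sign
   of a, so a negative yorig gives a negative row offset and the caller then
   writes before the start of term->screen: the SIGSEGV at bogl-term.c:472. */
static int scr_index(const struct term_model *t, int x, int y)
{
    return x + ((y + t->yorig) % t->ysize) * t->xsize;
}

/* Unpatched scroll-back: the origin is decremented without a lower bound. */
static void scroll_back_unpatched(struct term_model *t) { t->yorig--; }

/* Scroll-back with the fix from the patch above: wrap the origin at -1. */
static void scroll_back_patched(struct term_model *t)
{
    t->yorig--;
    if (t->yorig == -1) t->yorig = t->ysize - 1;
}

/* 1 when idx addresses a cell inside the COLS*ROWS screen buffer. */
static int index_in_bounds(int idx) { return idx >= 0 && idx < COLS * ROWS; }

/* Replay the reproducer: scroll back n times from yorig = 0 and return
   SCR(0, 0), the first cell that the "clear the top line" loop writes. */
static int top_left_after_scrolls(int n, int patched)
{
    struct term_model t = { COLS, ROWS, 0 };
    for (int i = 0; i < n; i++) {
        if (patched) scroll_back_patched(&t);
        else scroll_back_unpatched(&t);
    }
    return scr_index(&t, 0, 0);
}

int main(void)
{
    int bad = top_left_after_scrolls(1, 0), good = top_left_after_scrolls(1, 1);
    printf("one scroll back: unpatched SCR(0,0)=%d (%s), patched SCR(0,0)=%d (%s)\n",
           bad, index_in_bounds(bad) ? "in bounds" : "OUT OF BOUNDS",
           good, index_in_bounds(good) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

With the unpatched decrement a single scroll back past the origin yields a negative cell index, which is exactly the write that faults in the backtrace; with the wrap-around the index stays inside the buffer for any number of scrolls.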
