esekeyd crashes with exit status 139. We confirmed the crash by re-running it in a fresh debian unstable installation.

The attachment [1] contains a testcase (under ./crash) crashing the program. It ensures that you can easily reproduce the bug. Additionally, under ./crash_info/, we include more information about the crash such as a core dump, the dmesg generated by the crash, and its output.

Regards,
The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
Cylab, Carnegie Mellon University

[1] http://www.forallsecure.com/bug-reports/b1de88e38b0a87de4c8dfb0cd10b31f315678f0f/full_report
The problem seems to be non-robust parsing of input data. The following
patch changes the handling to return an error and exit.
diff --git a/src/esekeyd.c b/src/esekeyd.c
index e9cc06b..572dcc4 100644
--- a/src/esekeyd.c
+++ b/src/esekeyd.c
@@ -174,6 +174,10 @@ int main (int argc, char *argv[])
keys = (struct esekey *) realloc (keys, (keycount +1) * sizeof (struct esekey));
separator = strchr(buff, ':');
+ if (NULL == separator) {
+ printf("error locating key separator info\n");
+ return -1;
+ }
keys[keycount].command = (char *) malloc (read - (separator - buff));
memcpy (keys[keycount].command, separator + 1, read - (separator - buff));
separator[0] = '\0';
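Review bot: the NULL check on `separator` is the right fix for the crash, but the diagnostic is written to stdout with `printf` and `main` returns -1, which the shell reports as exit status 255; use `fprintf(stderr, ...)` and return `EXIT_FAILURE`, and include the offending line in the message so the user can find the malformed config entry. The `realloc` result on the preceding context line is likewise stored into `keys` without a NULL check, so a failed allocation there would lead to the same kind of NULL dereference this patch is fixing.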
I do not know the program enough to come up with a sensible error
message, so take that part with a grain of salt. :)
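As an added example (not esekeyd's own code and not part of the patch above), here is a stand-alone C version of the "key:command" line parser that rejects malformed lines instead of doing pointer arithmetic on the NULL that strchr returns; the struct esekey layout, its `name` field and the parse_key_line function are assumptions, only `command` appears in the hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors one esekeyd config record ("keyname:command" per line).
   The field names and layout are assumed, not taken from the project. */
struct esekey {
    char *name;
    char *command;
};

/* Parse one config line of `len` bytes as returned by getline(), so it
   may end in '\n'.  Returns 0 on success and fills *out; returns -1 on a
   malformed line and leaves *out untouched.  Unlike the unpatched code, a
   line with no ':' is rejected rather than used as a NULL separator. */
int parse_key_line(const char *line, size_t len, struct esekey *out)
{
    const char *sep = memchr(line, ':', len);   /* bounded by len, unlike strchr */
    if (sep == NULL)
        return -1;                               /* no separator: reject line */

    size_t name_len = (size_t)(sep - line);
    size_t cmd_len = len - name_len - 1;         /* bytes after the ':' */
    if (cmd_len > 0 && sep[cmd_len] == '\n')     /* strip trailing newline */
        cmd_len--;
    if (name_len == 0 || cmd_len == 0)
        return -1;                               /* empty key or empty command */

    char *name = malloc(name_len + 1);
    char *command = malloc(cmd_len + 1);
    if (name == NULL || command == NULL) {       /* allocation failure is an error too */
        free(name);
        free(command);
        return -1;
    }
    memcpy(name, line, name_len);
    name[name_len] = '\0';
    memcpy(command, sep + 1, cmd_len);
    command[cmd_len] = '\0';
    out->name = name;
    out->command = command;
    return 0;
}

int main(void)
{
    /* Constructed sample lines: one valid, one without a separator. */
    const char *good = "volumeup:amixer set Master 5%+\n";
    const char *bad = "volumeup amixer set Master 5%+\n";
    struct esekey k;
    if (parse_key_line(good, strlen(good), &k) == 0)
        printf("key '%s' -> command '%s'\n", k.name, k.command);
    if (parse_key_line(bad, strlen(bad), &k) != 0)
        fprintf(stderr, "rejected malformed line: %s", bad);
    return 0;
}
```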
CC to upstream, see <URL: https://bugs.debian.org/715870 > for the original report.
Note, the requestor email address, alexandre (at) cmu.edu, is no longer working.