Large pastes into readline enabled programs causes breakage from kernels v2.6.31 onwards

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1208740

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Logs are not needed here.

Hi,

Indeed logs are not needed, and a lot of info is available in the above mentioned URL.

To reproduce the issue, you can just type " in a bash shell and then paste anything larger than 4k (my test file has been the GPL file from /usr/share/common-licenses).

This message, sent to the readline mailing list, also includes a simple test program:
http://lists.gnu.org/archive/html/bug-readline/2013-07/msg00013.html

--
Cheers,
Marga

A test build of the patch identified here:
https://lkml.org/lkml/2013/9/3/539

Can be found here:
http://people.canonical.com/~arges/lp1208740

I've tested with the test case described in #3 and the patched kernel solves this issue.

Sauce patch sent to kernel ML for Saucy.

This bug was fixed in the package linux - 3.11.0-7.13

---------------
linux (3.11.0-7.13) saucy; urgency=low

  * Release tracker
    - LP: #1223545

  [ Andy Whitcroft ]

  * SAUCE: (no-up) scsi: add scsi device flag to request VPD pages be used at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: add scsi device flag to request READ CAPACITY (16) be preferred
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as VPD capable at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as preferring READ CAPACITY (16) at SPC-2
    - LP: #1223499

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active readers.
    - LP: #1208740

  [ Tim Gardner ]

  * [Debian] getabis: Commit new ABI directory, remove the old
  * [Config] CONFIG_EFIVAR_FS=y
    - LP: #1223195
  * [Config] CONFIG_EFI_VARS_PSTORE=m,
    CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=n
  * SAUCE: (no-up) USB: input: cm109.c: Convert high volume dev_err() to dev_err_ratelimited()
    - LP: #1222850

  [ Upstream Kernel Changes ]

  * Intel xhci: refactor EHCI/xHCI port switching
    - LP: #1210858
 -- Tim Gardner <email address hidden> Tue, 10 Sep 2013 09:00:19 -0600

SRU Patches sent to ML for P/Q/R.

The precise kernel version 3.2.0-56.86 fixes the issue, thanks!

Why no verification-needed flag? Anyway, consider this verification-done-precise.

git tag --contains on the patches I see:

99a1224fd2b5d50a19977d5bbc0341793a16dcc7 - Ubuntu-3.2.0-56.86
6a0e09413c4106ed6925e235acd3b0010c6ea93e - Ubuntu-3.5.0-43.66
c58f8db5cfbcc3f7ba35c24edc752bb446d9c85d - Ubuntu-3.8.0-33.48

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-raring' to 'verification-done-raring'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Hi,

I verified in precise for:
 linux-image-3.2.0-56-generic
 linux-image-3.5.0-43-generic
 linux-image-3.8.0-33-generic

Works correctly in all of them.

--
Regards,
Marga

This bug was fixed in the package linux - 3.2.0-56.86

---------------
linux (3.2.0-56.86) precise; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1242901

  [ Upstream Kernel Changes ]

  * Revert "xfs: fix _xfs_buf_find oops on blocks beyond the filesystem
    end"
    - LP: #1236041
    - CVE-2013-1819 fix backport:
  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740
  * Btrfs: fix hash overflow handling
    - LP: #1091187, #1091188
    - CVE-2012-5375
 -- Steve Conklin <email address hidden> Mon, 21 Oct 2013 15:11:01 -0500

This bug was fixed in the package linux - 3.5.0-43.66

---------------
linux (3.5.0-43.66) quantal; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242895

  [ Timo Aaltonen ]

  * SAUCE: ubuntu/i915: silence unclaimed register poking debug messages
    - LP: #1138787

  [ Upstream Kernel Changes ]

  * Revert "xfs: fix _xfs_buf_find oops on blocks beyond the filesystem
    end"
    - LP: #1236041
    - CVE-2013-1819 fix backport:
  * Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in
    sctp_cmd_interpreter()"
    - LP: #1241093
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740
  * usb: xhci: define port register names and use them instead of magic
    numbers
    - LP: #1229576
  * usb: xhci: add USB2 Link power management BESL support
    - LP: #1229576
  * iwl4965: fix rfkill set state regression
    - LP: #1241093
  * ath9k_htc: Restore skb headroom when returning skb to mac80211
    - LP: #1241093
  * ALSA: opti9xx: Fix conflicting driver object name
    - LP: #1241093
  * SUNRPC: Fix memory corruption issue on 32-bit highmem systems
    - LP: #1241093
  * drm/i915: ivb: fix edp voltage swing reg val
    - LP: #1241093
  * drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    - LP: #1241093
  * ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()
    - LP: #1241093
  * Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d]
    - LP: #1241093
  * [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a
    signal
    - LP: #1241093
  * xen-gnt: prevent adding duplicate gnt callbacks
    - LP: #1241093
  * usb: config->desc.bLength may not exceed amount of data returned by the
    device
    - LP: #1241093
  * USB: cdc-wdm: fix race between interrupt handler and tasklet
    - LP: #1241093
  * xhci-plat: Don't enable legacy PCI interrupts.
    - LP: #1241093
  * ASoC: wm8960: Fix PLL register writes
    - LP: #1241093
  * rculist: list_first_or_null_rcu() should use list_entry_rcu()
    - LP: #1241093
  * USB: mos7720: use GFP_ATOMIC under spinlock
    - LP: #1241093
  * USB: mos7720: fix big-endian control requests
    - LP: #1241093
  * staging: comedi: dt282x: dt282x_ai_insn_read() always fails
    - LP: #1241093
  * usb: ehci-mxc: check for pdata before dereferencing
    - LP: #1241093
  * usb: xhci: Disable runtime PM suspend for quirky controllers
    - LP: #1241093
  * USB: OHCI: Allow runtime PM without system sleep
    - LP: #1241093
  * ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan
    - LP: #1241093
  * ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT
    - LP: #1241093
  * USB: fix build error when CONFIG_PM_SLEEP isn't enabled
    - LP: #1241093
  * ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA
    - LP: #1241093
  * regmap: silence GCC warning
    - LP: #1241093
  * target: Fix trailing ASCII space usage in INQUIRY vendor+model
    - LP: #1241093
  * iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth
    - LP: #1...

This bug was fixed in the package linux - 3.8.0-33.48

---------------
linux (3.8.0-33.48) raring; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242849

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
    - LP: #1240580
  * drm/radeon/atom: wor...

Unfortunately upstream didn't deliver on their promise of backporting the fix to 3.13. It's applied on 3.14 onwards (http://article.gmane.org/gmane.linux.kernel/1611767), but Trusty is still broken. Can we get either the patch version included here, or a backport of the version included in 3.14 in the Trusty kernel, please?

Attaching patch that is being sent to Kernel Team by e-mail.

Just for clarification, the patch "SAUCE: (no-up) Only let characters through when there are active readers." was not applied to 3.13, and the proper upstream patch is "n_tty: Fix buffer overruns with larger-than-4k pastes". The later patch is applied to 3.16, so 3.13 is the only remaining series that needs to be patched.
Thanks,

The verification of the Stable Release Update for linux-lts-trusty has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package linux - 3.13.0-33.58

---------------
linux (3.13.0-33.58) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1349897

  [ Upstream Kernel Changes ]

  * mm: numa: do not automatically migrate KSM pages
    - LP: #1346917
  * net: fix UDP tunnel GSO of frag_list GRO packets
    - LP: #1331219
  * auditsc: audit_krule mask accesses need bounds checking
    - LP: #1347088
  * n_tty: Fix buffer overruns with larger-than-4k pastes
    - LP: #1208740
 -- Tim Gardner <email address hidden> Fri, 18 Jul 2014 14:57:50 +0000