Bug 1247383

Summary: Serious problem with correction of #1117404
Product: Red Hat Enterprise Linux 6 Reporter: Paulo Andrade <pandrade>
Component: ksh    Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA QA Contact: Martin Kyral <mkyral>
Severity: urgent Docs Contact: Milan Navratil <mnavrati>
Priority: urgent    
Version: 6.7    CC: anrussel, asanders, avaddara, btotty, bugproxy, byodlows, darroch_royden, david_m_scott, edanilch, fhirtz, fkrska, hannsj_uhl, hartsjc, hvyas, jherrman, jindrich.novy, jkurik, jwalter, kristof.van.damme.ext, linux26port, magoldma, mhlavink, mkolbas, mnavrati, msaxena, ovasik, pablo.iranzo, pandrade, pdwyer, richard.brittain, Saket_Pusalkar, srandhaw, tushii012, vyonkov, wburrows, zpytela
Target Milestone: rc    Keywords: Patch, Regression, Reproducer, ZStream
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: ksh-20120801-31.el6 Doc Type: Bug Fix
Doc Text:
KornShell now resets and modifies signal traps as expected and no longer crashes. Previously, KornShell (ksh) terminated unexpectedly with a segmentation fault when attempting to reset or modify certain signal traps. With this update, ksh does not attempt to free memory used for a string literal. As a result, ksh no longer crashes in the described situation.
Story Points: ---
Clone Of:
Clones: 1252896 1298641
Environment:
Last Closed: 2016-05-11 00:46:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1145214, 1172231, 1200114, 1239105, 1252896, 1298641    
Attachments:
core of ksh (flags: none)
core generate by ksh script (flags: none)
files for reproducing bug under staf/stax (flags: none)

Description Paulo Andrade 2015-07-27 20:48:45 UTC
I am partly to blame as it is a side effect of a
patch that I proposed for ksh.

The "fast" correction would be this change to
ksh-20120801-trapcom.patch:

-				if (shp->st.trapcom[isig])
+				if (shp->st.trapcom[isig] && shp->st.trapcom[isig] != Empty)
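Review bot: the added `!= Empty` comparison stops this site from handing a pointer into the static string e_sptbnl to free(), which is the same guard trap.c already applies at `if(arg && arg != Empty) free(arg);`. Because Empty is a value that can legitimately sit in trapcom[], every other place that frees a trapcom[] entry needs the identical test; a single helper (for example a macro that is true only for heap-allocated entries) used at all of those sites would keep the checks from drifting apart, and listing the sites that were audited would make the "checked all source code" claim reviewable.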

I did check all source code, and the only place
it does set it to a non strdup'ed string is at
src/cmd/ksh93/bltins/trap.c (lines 154-158):

				arg = shp->st.trapcom[sig];
				sh_sigtrap(sig);
				shp->st.trapcom[sig] = (shp->sigflag[sig]&SH_SIGOFF) ? Empty : strdup(action);
				if(arg && arg != Empty)
					free(arg);

Empty is defined as:
#define Empty			((char*)(e_sptbnl+3))

and e_sptbnl is statically initialized as:
const char e_sptbnl[]		= " \t\n";

Comment 2 Paulo Andrade 2015-07-27 20:50:37 UTC
Setting priority/severity to urgent because I believe
this will affect a lot of users.

Comment 4 Paulo Andrade 2015-07-28 16:57:52 UTC
Reproducer fixed by experimental package at
http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

$ cat nohup.ksh.segv
#!/bin/ksh
trap '' 1
HIVAR=`echo hi`
$ nohup ksh nohup.ksh.segv

Comment 5 Michal Hlavinka 2015-07-30 10:55:33 UTC
*** Bug 1246815 has been marked as a duplicate of this bug. ***

Comment 7 Michal Hlavinka 2015-07-30 11:01:38 UTC
*** Bug 1248134 has been marked as a duplicate of this bug. ***

Comment 30 Michal Hlavinka 2015-08-13 07:47:37 UTC
*** Bug 1239105 has been marked as a duplicate of this bug. ***

Comment 31 tushii012 2015-08-13 11:36:48 UTC
Hi,

We have tried to rerun the same steps and it reproduced again, adding core here.
This shell script was invoked from a c program.

Thanks Tushar

Comment 35 Saket Pusalkar 2015-08-13 15:10:17 UTC
Created attachment 1062682 [details]
core of ksh

Faced the same issue with the experimental package at

http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

[root@l111054 CVMVolDg]# ksh --version
  version         sh (AT&T Research) 93u+ 2012-08-01
[root@l111054 CVMVolDg]# rpm -qa |grep ksh
ksh-20120801-28.el6.x86_64
 
[root@l111054 CVMVolDg]# ls -al core.9976
-rw------- 1 root root 983040 Jul 21 19:50 core.9976

Comment 38 Paulo Andrade 2015-08-13 16:16:18 UTC
(In reply to Saket Pusalkar from comment #35)
> Created attachment 1062682 [details]
> core of ksh
> 
> Faced the same issue with the experimental package at
> 
> http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/
> 
> [root@l111054 CVMVolDg]# ksh --version
>   version         sh (AT&T Research) 93u+ 2012-08-01
> [root@l111054 CVMVolDg]# rpm -qa |grep ksh
> ksh-20120801-28.el6.x86_64

  It should be:

$ rpm -q ksh
ksh-20120801-28.el6.1.sfdc01482714.x86_64

> [root@l111054 CVMVolDg]# ls -al core.9976
> -rw------- 1 root root 983040 Jul 21 19:50 core.9976

  The core is from the package without the correction.

Comment 42 Paulo Andrade 2015-08-13 20:01:43 UTC
UPDATE:

If you are testing any of the packages at people.redhat.com/pandrade,
please switch to testing the ones, for the proper architecture under
http://people.redhat.com/pandrade/bz1247383/

We were told about a variant test where the original problem at
https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
be triggered on nested ksh shell functions. The problem basically
is that ksh has a vector of information about traps, and when
running a subshell, or a shell function, it would save the
contents of this vector, and once finished, would restore the
vector of pointers.
The problem is that the contents of the vector of pointers could
be changed during the subshell or function, and when restoring,
it could have dangling pointers, pointing to released memory.
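To make the two mechanisms in this thread concrete (the Empty sentinel guard from the Description and the trap-vector save/restore across nested scopes described in this comment), the following C is an added illustration and not ksh's code: set_trap, enter_scope, leave_scope, trap_scope, NSIG_DEMO and demo are constructed names, and deep-copying the vector on scope entry is one way to keep the restored pointers valid, not necessarily the fix shipped in ksh-20120801-31.el6.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#define NSIG_DEMO 8   /* constructed: a small signal table */
/* Stand-in for ksh's Empty: points into a string literal, must never be freed */
static const char e_sptbnl[] = " \t\n";
#define Empty ((char *)(e_sptbnl + 3))
static char *trapcom[NSIG_DEMO];                 /* vector of trap actions */
typedef struct { char *saved[NSIG_DEMO]; } trap_scope;
/* Guarded pattern from the trap.c excerpt: never free NULL or Empty */
void set_trap(int sig, const char *action, int sig_off)
{
    char *old = trapcom[sig];
    trapcom[sig] = sig_off ? Empty : strdup(action);
    if (old && old != Empty) free(old);
}

/* Enter a function/subshell scope: keep the outer pointers, but give the scope
 * its own copies so set_trap() inside it can never free an outer string */
void enter_scope(trap_scope *sc)
{
    for (int i = 0; i < NSIG_DEMO; i++) {
        sc->saved[i] = trapcom[i];
        if (trapcom[i] && trapcom[i] != Empty) trapcom[i] = strdup(trapcom[i]);
    }
}

/* Leave the scope: free what it allocated, then restore the still-live outer pointers */
void leave_scope(trap_scope *sc)
{
    for (int i = 0; i < NSIG_DEMO; i++) {
        if (trapcom[i] && trapcom[i] != Empty) free(trapcom[i]);
        trapcom[i] = sc->saved[i];
    }
}

/* Replays the report: outer trap set, nested scope runs "trap '' 1" and then
 * redefines it, scope exits. Returns 1 if the outer action survived intact */
int demo(void)
{
    trap_scope sc;
    set_trap(1, "echo outer", 0);
    enter_scope(&sc);
    set_trap(1, NULL, 1);                 /* inner trap '' 1 -> Empty */
    set_trap(1, "echo inner", 0);         /* replaces Empty, no free() */
    int ok = strcmp(trapcom[1], "echo inner") == 0;
    leave_scope(&sc);
    ok = ok && strcmp(trapcom[1], "echo outer") == 0;
    set_trap(1, NULL, 1);                 /* outer string freed -> Empty */
    return ok && trapcom[1] == Empty;
}
```

Without the deep copy in enter_scope, the inner set_trap calls would free the outer "echo outer" string and leave_scope would copy that freed pointer back, which is the dangling-pointer case described above.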

Comment 44 Saket Pusalkar 2015-08-14 08:20:08 UTC
(In reply to Paulo Andrade from comment #42)
> UPDATE:
> 
> If you are testing any of the packages at people.redhat.com/pandrade,
> please switch to testing the ones, for the proper architecture under
> http://people.redhat.com/pandrade/bz1247383/
> 
> We were told about a variant test where the original problem at
> https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
> be triggered on nested ksh shell functions. The problem basically
> is that ksh has a vector of information about traps, and when
> running a subshell, or a shell function, it would save the
> contents of this vector, and once finished, would restore the
> vector of pointers.
> The problem is that the contents of the vector of pointers could
> be changed during the subshell or function, and when restoring,
> it could have dangling pointers, pointing to released memory.


We can confirm that we cannot reproduce the issue with the new ksh (version ksh-20120801-28.el6.1.sfdc01482714.x86_64). Please let us know which new update will incorporate this fix.

Comment 45 Michal Hlavinka 2015-08-14 10:35:02 UTC
*** Bug 1217682 has been marked as a duplicate of this bug. ***

Comment 47 IBM Bug Proxy 2015-08-14 11:12:28 UTC
Created attachment 1062980 [details]
core generate by ksh script

Comment 48 IBM Bug Proxy 2015-08-14 11:12:30 UTC
Created attachment 1062981 [details]
files for reproducing bug under staf/stax

Comment 60 Michal Hlavinka 2015-08-25 08:49:54 UTC
*** Bug 1247268 has been marked as a duplicate of this bug. ***

Comment 66 Michal Hlavinka 2015-09-09 08:22:25 UTC
*** Bug 1261314 has been marked as a duplicate of this bug. ***

Comment 67 Vasil Yonkov 2015-09-09 08:45:42 UTC
Tested with the package suggested in Comment 42:

https://people.redhat.com/pandrade/bz1247383/x86_64/ksh-20120801-30.el6.bz1247383.x86_64

and the problem described in Bug 1261314 no longer appears.

Comment 79 errata-xmlrpc 2016-05-11 00:46:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0932.html