Bug 1269088

Summary: ksh crashes under chroot environment with segmentation fault
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kyral <mkyral>
Component: ksh
Assignee: Siteshwar Vashisht <svashisht>
Status: CLOSED ERRATA
QA Contact: Jan Kepler <jkejda>
Severity: medium
Docs Contact:
Priority: urgent
Version: 7.2
CC: isenfeld, jkejda, kdudka, mkyral
Target Milestone: rc
Keywords: Reproducer
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ksh-20120801-34.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1221766
Environment:
Last Closed: 2017-08-01 16:26:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1221766, 1295396

Description Martin Kyral 2015-10-06 09:39:27 UTC
This bug is present in RHEL 7, too.


Version-Release number of selected component (if applicable):

ksh-20120801-22.el7_1.2

+++ This bug was initially created as a clone of Bug #1221766 +++

Description of problem:

  ksh crashes under chroot environment with segmentation fault

Version-Release number of selected component (if applicable):

  ksh-20120801-21.el6.x86_64


How reproducible:

  Always

Steps to Reproduce:
1. Run the following commands.
  # cd /root
  # ./test.ksh
  # ulimit -c unlimited
  # chroot /root/NEWROOT /bin/ksh

Actual results:

  you will see
    Segmentation fault (core dumped)
  and get a corefile like "/root/NEWROOT/core.12345"

Expected results:

  Print an error.


Additional info:

(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x0000000000406f2f in exfile (shp=0x76d180, iop=0x76adc0, fno=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x0000000000407e60 in sh_main (ac=<value optimized out>, av=0x7fffc9f22c08, userinit=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007ff93162dd5d in __libc_start_main (main=0x406c00 <main>, argc=1, ubp_av=0x7fffc9f22c08, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffc9f22bf8) at libc-start.c:226
#6  0x0000000000406b39 in _start ()

// strdup takes '\0'.
(gdb) f 1
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
59		return (s && (t = oldof(0, char, n = strlen(s) + 1, 0))) ? (char*)memcpy(t, s, n) : (char*)0;

// ttyname(2) fails.
(gdb) f 2
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398					hp->tty = strdup(ttyname(2));



// strace shows ksh is trying to access /dev and /proc.
# strace -fttv chroot /root/NEWROOT /bin/ksh
...
14:46:55.268541 readlink("/proc/self/fd/2", 0x7f8e91325100, 4095) = -1 ENOENT (No such file or directory)
14:46:55.268558 fstat(2, {st_dev=makedev(0, 11), st_ino=3, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(136, 0), st_atime=2015/05/14-14:46:55, st_mtime=2015/05/14-14:46:55, st_ctime=2015/05/14-14:40:13}) = 0
14:46:55.268583 stat("/dev/pts", 0x7ffff40874e0) = -1 ENOENT (No such file or directory)
14:46:55.268600 open("/dev", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14:46:55.268620 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
14:46:55.298019 +++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

Comment 1 Siteshwar Vashisht 2016-07-08 07:32:39 UTC
There is no 'test.ksh' file attached with this issue. And I have not been able to reproduce this issue by executing 'chroot /root/NEWROOT /bin/ksh'. Please clarify the reproducer steps.

Comment 2 Martin Kyral 2016-07-11 07:49:48 UTC
Sorry for the misleading filename. The reproducer is attached as 'reproducer' to the original bug, of which this bug is a clone: BZ#1221766, and it is included in the TCMS test case as test.sh: http://pkgs.devel.redhat.com/cgit/tests/ksh/tree/Regression/ksh-crashes-under-chroot-environment/test.sh

Comment 3 Siteshwar Vashisht 2016-07-11 11:09:05 UTC
I have been able to reproduce this issue. The backtrace shows that strdup() is being called with a NULL parameter:

#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00000000004a64ae in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x000000000040686f in exfile (shp=shp@entry=0x76e000 <sh>, iop=0x76bd20 <_Sfstdin>, fno=fno@entry=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x000000000040795f in sh_main (ac=<optimized out>, av=0x7fffc4177d28, userinit=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007f90d282eb15 in __libc_start_main (main=0x406640 <main>, argc=1, ubp_av=0x7fffc4177d28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffc4177d18) at libc-start.c:274
#6  0x0000000000406671 in _start ()

It seems fd=2 is not attached to any terminal.

(gdb) frame 2
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398                                     hp->tty = strdup(ttyname(2));
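The description and Comment 3 both land on the same line, `hp->tty = strdup(ttyname(2))`: ttyname() returns NULL once the chroot lacks /dev and /proc (the strace shows the ENOENT on /proc/self/fd/2, /dev/pts and /dev), and the NULL goes straight into strdup(). Note that the libast strdup shown at frame 1 does test `s` before calling strlen(), yet the crash is inside strlen(); my reading, not stated in the report, is that glibc's <string.h> declares strdup with a nonnull attribute on its argument, which entitles the compiler to delete that test. The following is an added example, not ksh code or the Red Hat patch, that puts the unsafe pattern beside a hardened one and exercises the hardened path on a constructed non-terminal fd. The function names `dup_or_null`, `hist_tty_unsafe`, `hist_tty_safe` and `demo_pipe_case` are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* NULL-tolerant duplicate. Deliberately not named strdup: glibc's <string.h>
 * declares strdup with a nonnull attribute on its argument, so a compiler may
 * drop an "s &&" test inside a function carrying that name (my reading of the
 * crash at frame 1, not something the report states). */
static char *dup_or_null(const char *s)
{
    if (s == NULL)
        return NULL;
    size_t n = strlen(s) + 1;
    char *t = malloc(n);
    return t ? memcpy(t, s, n) : NULL;
}

/* The pattern from history.c:398. ttyname() returns NULL when the fd is not a
 * terminal (errno ENOTTY) or, as in the chroot on this page, when it cannot map
 * the tty device to a name because /dev and /proc are missing. Never call this
 * with such an fd: strdup(NULL) is exactly the reported SIGSEGV in strlen(). */
char *hist_tty_unsafe(int fd)
{
    return strdup(ttyname(fd));
}

/* Hardened form: test the ttyname() result, keep the reason for failure for
 * diagnostics, and store an empty name so later code reading hp->tty still
 * sees a string rather than NULL. */
char *hist_tty_safe(int fd, int *err)
{
    errno = 0;
    const char *name = ttyname(fd);
    if (err)
        *err = name ? 0 : errno;
    return dup_or_null(name ? name : "");
}

/* Exercise the hardened path on an fd that is certainly not a terminal: the
 * read end of a pipe created here (constructed input). Returns 0 when the call
 * survives, yields an empty name and reports ENOTTY; nonzero otherwise. */
int demo_pipe_case(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 1;
    int err = 0;
    char *tty = hist_tty_safe(fds[0], &err);
    int rc = (tty != NULL && tty[0] == '\0' && err == ENOTTY) ? 0 : 2;
    free(tty);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    /* fd 2 of the process running this demo; inside the reporter's chroot this
     * is where ttyname() fails even though fstat(2) shows a character device. */
    int err = 0;
    char *tty = hist_tty_safe(2, &err);
    if (err)
        printf("ttyname(2) failed: %s; history tty recorded as \"%s\"\n",
               strerror(err), tty);
    else
        printf("ttyname(2) = %s\n", tty);
    free(tty);
    return demo_pipe_case();
}
```

Run it once on a terminal and once with stderr redirected to a pipe (`./a.out 2>/dev/null` still reports ENOTTY on fd 2 of the demo only if that fd is not a tty); the hardened path returns in both cases, whereas `hist_tty_unsafe` on the pipe fd reproduces the crash signature in the backtraces above.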

Comment 4 Siteshwar Vashisht 2016-07-14 06:17:22 UTC
We already have a patch for it: https://bugzilla.redhat.com/attachment.cgi?id=1040916

Comment 9 errata-xmlrpc 2017-08-01 16:26:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1936