Bug 1321443
| Field | Value |
|---|---|
| Summary | ksh segfaults in sfclose at the time of clean-up resources. |
| Product | Red Hat Enterprise Linux 7 |
| Component | ksh |
| Version | 7.4 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Mohit Agrawal <moagrawa> |
| Assignee | Siteshwar Vashisht <svashisht> |
| QA Contact | Jan Kepler <jkejda> |
| CC | isenfeld, jherrman, jkejda, pandrade, rhayden |
| Target Milestone | rc |
| Target Release | 7.4 |
| Fixed In Version | ksh-20120801-34.el7 |
| Doc Type | Bug Fix |
| Doc Text | Previously, when sourcing multiple files, the ksh shell in some cases terminated unexpectedly with a segmentation fault. The underlying source code has been modified to fix this bug, and ksh no longer crashes in the described circumstances. |
| | 1437530 |
| Last Closed | 2017-08-01 16:26:55 UTC |
| Type | Bug |
| Bug Blocks | 1298243, 1393867, 1437530 |
Description
Mohit Agrawal
2016-03-27 06:22:31 UTC
Hi,

As per the core pattern below, it seems it is crashing due to an invalid address in the disc pointer.

```
Core was generated by `/bin/ksh ./rwh_main.ksh'.
Program terminated with signal 11, Segmentation fault.
#0 sfraise (f=f@entry=0x7f641ec7f850, type=type@entry=4, data=data@entry=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfraise.c:84
84 { next = disc->disc;
(gdb) bt
#0 sfraise (f=f@entry=0x7f641ec7f850, type=type@entry=4, data=data@entry=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfraise.c:84
#1 0x00000000004bec06 in sfclose (f=0x7f641ec7f850) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfclose.c:74
#2 0x000000000045e048 in sh_eval (iop=0x7f641ec7f850, mode=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:643
#3 0x000000000046c309 in b_dot_cmd (n=<optimized out>, argv=0x7f641ec64698, context=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/bltins/misc.c:295
#4 0x000000000045d420 in sh_exec (t=t@entry=0x7f641ec64610, flags=4) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:1410
#5 0x0000000000406e50 in exfile (shp=shp@entry=0x76e000 <sh>, iop=0x7f641ec7f440, fno=11, fno@entry=3) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:581
#6 0x000000000040795f in sh_main (ac=<optimized out>, av=0x7ffecd838e48, userinit=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#7 0x00007f641dfdcb15 in __libc_start_main (main=0x406640 <main>, argc=2, ubp_av=0x7ffecd838e48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffecd838e38) at libc-start.c:274
#8 0x0000000000406671 in _start ()
(gdb) p next
$1 = <optimized out>
(gdb) p disc
$2 = (Sfdisc_t *) 0x4145465f5453415f
(gdb) p *f
$3 = {next = 0x0, endw = 0x0, endr = 0x0, endb = 0x2000 <Address 0x2000 out of bounds>, push = 0x0, flags = 63712, file = 7879, data = 0x0, size = 4703242761108930911, val = 357645309268, extent = -1, here = 140067989782528, unused_1 = 33 '!', tiny = "", bits = 128, mode = 32, disc = 0x4145465f5453415f, pool = 0x5345525554, rsrv = 0x7f641ec7fa10, proc = 0x0, mutex = 0x7f641ec68000, stdio = 0x21, lpos = 4995426869437877845, iosz = 108179306327328, blksz = 512, getr = 516421792}
(gdb) p sh
$4 = {options = {v = {4398047559680, 0, 0, 0}}, var_tree = 0x7f641ec9dfc0, fun_tree = 0x7f641ec91c20, alias_tree = 0x7f641ec90b50, bltin_tree = 0x7f641ec91b30, topscope = 0x7ffecd838460, inlineno = 3, exitval = 0, trapnote = 0 '\000', shcomp = 0 '\000', subshell = 0, pwdfd = 10, gd = 0x7f641ec9d0c0, st = {prevst = 0x76e320 <sh+800>, dolc = 0, dolv = 0x7ffecd838e50, cmdname = 0x7f641ec6b170 "./rwh_main.ksh", filename = 0x7f641ec7f7f0 "/root/rwh_sub1.ksh", funname = 0x0, lineno = 1, save_tree = 0x7f641ec9dfc0, self = 0x7ffecd838460, var_local = 0x7f641ec9dfc0, staklist = 0x0, states = 4, breakcnt = 0, execbrk = 0, loopcnt = 0, firstline = 0, optindex = 1, optnum = 0, tmout = 0, optchar = 0, opterror = 0, ioset = 0, trapmax = 0, trap = {0x0, 0x0, 0x0, 0x0, 0x0}, otrap = 0x0, trapcom = 0x7f641ec64080, otrapcom = 0x0, timetrap = 0x0, real_fun = 0x0}, stk = 0x769f00 <_Stak_data>, heredocs = 0x0, funlog = 0x0, fdptrs = 0x7f641ec9e180, savexit = 0, lastarg = 0x7f641ec94840 "./rwh_main.ksh", lastpath = 0x0, path_err = 0, track_tree = 0x7f641ec90c60, var_base = 0x7f641ec9dfc0, openmatch = 0x0, namespace = 0x0, last_table = 0x0, prev_table = 0x0, outpool = 0x7f641ec9dd70, timeout = 0, curenv = 0, jobenv = 0, infd = 11, nextprompt = 2, poolfiles = 0, posix_fun = 0x0, outbuff = 0x7f641ec50050 "something\n", errbuff = 0x7f641ec60070 "./rwh_main.ksh[2]: .[3]: .: syntax error at line 13: `]]:' unexpected\n", prompt = 0x0, shname = 0x7f641ec6b140 "./rwh_main.ksh", comdiv = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, prefix = 0x0, jmplist = 0x7ffecd838540, fifo = 0x0, oldexit = 3, bckpid = 0, cpid = 0, spid = 0, pipepid = 0, outpipepid = 0, topfd = 0, savesig = 0, sigflag = 0x7f641ec9ded0 "", intrap = 0 '\000',
login_sh = 0 '\000', lastbase = 0 '\000', forked = 0 '\000', binscript = 0 '\000', deftype = 0 '\000', funload = 0 '\000', used_pos = 0 '\000', universe = 1 '\001', winch = 0 '\000', inarith = 0 '\000', indebug = 0 '\000', ignsig = 0 '\000', lastsig = 0 '\000', pathinit = 0 '\000', comsub = 0 '\000', subshare = 0 '\000', toomany = 0 '\000', instance = 0 '\000', decomma = 0 '\000', redir0 = 0 '\000', readscript = 0x0, subdup = 0, inpipe = 0x0, outpipe = 0x0, cpipe = {-1, 0, 0}, coutpipe = -1, inuse_bits = 0, envlist = 0x0, arglist = 0x0, fn_depth = 0, fn_reset = 0, dot_depth = 1, hist_depth = 0, xargmin = 0, xargmax = 0, xargexit = 0, nenv = 0, mask = 18, lexsize = 216, env = 0x0, init_context = 0x7f641ec665e0, mac_context = 0x7f641ec9d9d0, lex_context = 0x7f641ec9da70, arg_context = 0x7f641ec9da20, job_context = 0x0, pathlist = 0x7f641ec7f570, defpathlist = 0x0, cdpathlist = 0x0, argaddr = 0x0, optlist = 0x0, global = {prevst = 0x0, dolc = 0, dolv = 0x7ffecd838e50, cmdname = 0x7f641ec6b170 "./rwh_main.ksh", filename = 0x7f641ec6f3f0 "/root/rwh_main.ksh", funname = 0x0, lineno = 0, save_tree = 0x7f641ec9dfc0, self = 0x76e320 <sh+800>, var_local = 0x0, staklist = 0x0, states = 4, breakcnt = 0, execbrk = 0, loopcnt = 0, firstline = 0, optindex = 1, optnum = 0, tmout = 0, optchar = 0, opterror = 0, ioset = 0, trapmax = 0, trap = {0x0, 0x0, 0x0, 0x0, 0x0}, otrap = 0x0, trapcom = 0x7f641ec64080, otrapcom = 0x0, timetrap = 0x0, real_fun = 0x0}, checkbase = {buff = {{__jmpbuf = {0, -2045927498963846239, 140732346371656, 140732346371648, 0, 0, 2046600984751143841, -2045928049428366431}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}, prev = 0x0, topfd = 0, mode = 12, olist = 0x0, err = {context = 0x0, errors = 0, flags = 0, line = 0, warnings = 0, file = 0x0, id = 0x7f641ec6b170 "./rwh_main.ksh"}}, userinit = 0x0, bltinfun = 0x0, bltindata = {shp = 0x76e000 <sh>, ptr = 0x0, version = 20071012, shrun = 0x45e5d0 <sh_run>, shtrap = 0x419be0 <sh_trap>,
shexit = 0x41a2c0 <sh_exit>, shbltin = 0x40ab90 <sh_addbuiltin>, notify = 0 '\000', sigset = 0 '\000', nosfio = 0 '\000', bnode = 0x0, vnode = 0x0, data = 0x0, flags = 0, shgetenv = 0x43b4d0 <sh_getenv>, shsetenv = 0x440880 <sh_setenviron>, invariant = 0}, cur_line = 0x0, offsets = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, sftable = 0x7f641ec9e080, fdstatus = 0x7f641ec9e280 "12", pwd = 0x7f641ec947b0 "/root", jmpbuffer = 0x76e3f8 <sh+1016>, mktype = 0x0, strbuf = 0x7f641ec9db60, strbuf2 = 0x0, first_root = 0x0, prefix_root = 0x0, last_root = 0x7f641ec9dfc0, prev_root = 0x0, fpathdict = 0x0, typedict = 0x7f641ec91d10, inpool = 0x0, transdict = 0x0, ifstable = '\000' <repeats 255 times>, test = 0, offoptions = {v = {0, 0, 0, 0}}, glob_options = { v = {0, 0, 0, 0}}, typeinit = 0x0, nvfun = {disc = 0x0, nofree = 1 '\001', subshell = 0 '\000', dsize = 0, next = 0x0, last = 0x76e000 <sh> "", type = 0x0}, mathnodes = 0x7f641ec91eb0 "\020\037\311\036d\177", 0x0, bltin_dir = 0x0, regress = 0x0}
(gdb) f 1
#1 0x00000000004bec06 in sfclose (f=0x7f641ec7f850) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfclose.c:74
74 if(f->disc && (ex = SFRAISE(f,local ? SF_NEW : SF_CLOSING,NIL(Void_t*))) != 0)
(gdb) p f
$5 = (Sfio_t *) 0x7f641ec7f850
(gdb) p *f
$6 = {next = 0x0, endw = 0x0, endr = 0x0, endb = 0x2000 <Address 0x2000 out of bounds>, push = 0x0, flags = 63712, file = 7879, data = 0x0, size = 4703242761108930911, val = 357645309268, extent = -1, here = 140067989782528, unused_1 = 33 '!', tiny = "", bits = 128, mode = 32, disc = 0x4145465f5453415f, pool = 0x5345525554, rsrv = 0x7f641ec7fa10, proc = 0x0, mutex = 0x7f641ec68000, stdio = 0x21, lpos = 4995426869437877845, iosz = 108179306327328, blksz = 512, getr = 516421792}
(gdb) f 2
#2 0x000000000045e048 in sh_eval (iop=0x7f641ec7f850, mode=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:643
643 sfclose(io_save);
(gdb) p io_ave
No symbol "io_ave" in current context.
(gdb) p io_save
$7 = (Sfio_t *) 0x7f641ec7f850
(gdb) p *io_save
$8 = {_next = 0x0, _endw = 0x0, _endr = 0x0, _endb = 0x2000 <Address 0x2000 out of bounds>, _push = 0x0, _flags = 63712, _file = 7879, _data = 0x0, _size = 4703242761108930911, _val = 357645309268}
(gdb)
```

Regards
Mohit Agrawal

Created attachment 1237093
ksh-20120801-dotdoublefree.patch
Fix a crash during clean up after sourcing multiple files
I posted this patch to upstream http://lists.research.att.com/pipermail/ast-developers/2017q1/004075.html

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1936
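Added example, not part of the original report or of the ksh sources: a triage helper that reads the 64-bit fields from the `p *f` output in the description as little-endian bytes, to check whether the "pointers" in the `Sfio_t` at `0x7f641ec7f850` are really string data. The field values are copied from the gdb output on this page; the function names, the `min_len` threshold and the 48-bit address limit are assumptions of this example.

```python
import struct

# Selected fields copied from the `p *f` output in the report above.
FIELDS = {
    "size": 4703242761108930911,
    "val": 357645309268,
    "here": 140067989782528,
    "disc": 0x4145465F5453415F,
    "pool": 0x5345525554,
    "rsrv": 0x7F641EC7FA10,
    "mutex": 0x7F641EC68000,
    "lpos": 4995426869437877845,
    "iosz": 108179306327328,
}

# Highest canonical user-space address with 48-bit virtual addressing on x86_64.
USER_TOP = 0x0000_7FFF_FFFF_FFFF


def as_text(value, min_len=4):
    """Return the ASCII string a 64-bit word spells in little-endian memory, else None.

    min_len is an arbitrary threshold (assumption) so small integers are not flagged.
    """
    raw = struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF).rstrip(b"\x00")
    if len(raw) >= min_len and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(fields):
    """Map each field that decodes as text to (string, is_canonical_user_address)."""
    hits = {}
    for name, value in fields.items():
        text = as_text(value)
        if text is not None:
            hits[name] = (text, value <= USER_TOP)
    return hits


if __name__ == "__main__":
    for name, (text, canonical) in triage(FIELDS).items():
        note = "canonical" if canonical else "non-canonical, faults on dereference"
        print(f"{name:5} = {FIELDS[name]:#018x}  {text!r:12} {note}")
```

`disc`, `pool`, `lpos` and `iosz` decode to `_AST_FEA`, `TURES`, `UNIVERSE` and ` - ucb`, so the stream structure handed to `sfclose` had been overwritten with string data by the time `sfraise` dereferenced `disc`. That pattern is consistent with the double free named in the attached patch.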