Bug 1321443

Summary: ksh segfaults in sfclose at the time of clean-up resources.
Product: Red Hat Enterprise Linux 7
Reporter: Mohit Agrawal <moagrawa>
Component: ksh
Assignee: Siteshwar Vashisht <svashisht>
Status: CLOSED ERRATA
QA Contact: Jan Kepler <jkejda>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.4
CC: isenfeld, jherrman, jkejda, pandrade, rhayden
Target Milestone: rc
Target Release: 7.4
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ksh-20120801-34.el7
Doc Type: Bug Fix
Doc Text:
Previously, when sourcing multiple files, the ksh shell in some cases terminated unexpectedly with a segmentation fault. The underlying source code has been modified to fix this bug, and ksh no longer crashes in the described circumstances.
Story Points: ---
Clone Of:
Clones: 1437530
Environment:
Last Closed: 2017-08-01 16:26:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1298243, 1393867, 1437530
Attachments: ksh-20120801-dotdoublefree.patch (flags: none)

Description Mohit Agrawal 2016-03-27 06:22:31 UTC
Description of problem:
ksh segfaults in sfclose at the time of clean-up resources.

Version-Release number of selected component (if applicable):
ksh-20120801-22.el7_1.3.x86_64

How reproducible:
The issue is reproducible on both rhel-6 and rhel-7.

Steps to Reproduce:
1) cat rwh_main_functions.ksh
#!/bin/ksh

function f1
{

echo "something"

}

function f2
{
 if [[ $1 -eq 1 ]]: then
    echo "something"
 fi

}

function f3
{

[[ 1 = 1 ]] && set -x

}

2) cat rwh_sub1.ksh
#!/bin/ksh

. ./rwh_main_functions.ksh

echo "something" > ./tmp.out

3) cat rwh_main.ksh
#!/bin/ksh
. ./rwh_sub1.ksh

After executing rwh_main.ksh, it crashes after printing the message below:
./rwh_main.ksh[2]: .[3]: .: syntax error at line 12: `]]:' unexpected
Segmentation fault (core dumped)

Actual results:
ksh crashes.

Expected results:
It should not crash.

Additional info:

Comment 1 Mohit Agrawal 2016-03-27 06:23:35 UTC
Hi,

As per the core pattern below, it seems it is crashing due to an invalid address in the disc pointer.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>..

Core was generated by `/bin/ksh ./rwh_main.ksh'.
Program terminated with signal 11, Segmentation fault.
#0  sfraise (f=f@entry=0x7f641ec7f850, type=type@entry=4, data=data@entry=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfraise.c:84
84		{	next = disc->disc;
(gdb) bt
#0  sfraise (f=f@entry=0x7f641ec7f850, type=type@entry=4, data=data@entry=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfraise.c:84
#1  0x00000000004bec06 in sfclose (f=0x7f641ec7f850) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfclose.c:74
#2  0x000000000045e048 in sh_eval (iop=0x7f641ec7f850, mode=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:643
#3  0x000000000046c309 in b_dot_cmd (n=<optimized out>, argv=0x7f641ec64698, context=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/bltins/misc.c:295
#4  0x000000000045d420 in sh_exec (t=t@entry=0x7f641ec64610, flags=4) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:1410
#5  0x0000000000406e50 in exfile (shp=shp@entry=0x76e000 <sh>, iop=0x7f641ec7f440, fno=11, fno@entry=3) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:581
#6  0x000000000040795f in sh_main (ac=<optimized out>, av=0x7ffecd838e48, userinit=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#7  0x00007f641dfdcb15 in __libc_start_main (main=0x406640 <main>, argc=2, ubp_av=0x7ffecd838e48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffecd838e38)
    at libc-start.c:274
#8  0x0000000000406671 in _start ()
(gdb) p next
$1 = <optimized out>
(gdb) p disc
$2 = (Sfdisc_t *) 0x4145465f5453415f
(gdb) p *f
$3 = {next = 0x0, endw = 0x0, endr = 0x0, endb = 0x2000 <Address 0x2000 out of bounds>, push = 0x0, flags = 63712, file = 7879, data = 0x0, size = 4703242761108930911, val = 357645309268, 
  extent = -1, here = 140067989782528, unused_1 = 33 '!', tiny = "", bits = 128, mode = 32, disc = 0x4145465f5453415f, pool = 0x5345525554, rsrv = 0x7f641ec7fa10, proc = 0x0, 
  mutex = 0x7f641ec68000, stdio = 0x21, lpos = 4995426869437877845, iosz = 108179306327328, blksz = 512, getr = 516421792}
(gdb) p sh
$4 = {options = {v = {4398047559680, 0, 0, 0}}, var_tree = 0x7f641ec9dfc0, fun_tree = 0x7f641ec91c20, alias_tree = 0x7f641ec90b50, bltin_tree = 0x7f641ec91b30, topscope = 0x7ffecd838460, 
  inlineno = 3, exitval = 0, trapnote = 0 '\000', shcomp = 0 '\000', subshell = 0, pwdfd = 10, gd = 0x7f641ec9d0c0, st = {prevst = 0x76e320 <sh+800>, dolc = 0, dolv = 0x7ffecd838e50, 
    cmdname = 0x7f641ec6b170 "./rwh_main.ksh", filename = 0x7f641ec7f7f0 "/root/rwh_sub1.ksh", funname = 0x0, lineno = 1, save_tree = 0x7f641ec9dfc0, self = 0x7ffecd838460, 
    var_local = 0x7f641ec9dfc0, staklist = 0x0, states = 4, breakcnt = 0, execbrk = 0, loopcnt = 0, firstline = 0, optindex = 1, optnum = 0, tmout = 0, optchar = 0, opterror = 0, ioset = 0, 
    trapmax = 0, trap = {0x0, 0x0, 0x0, 0x0, 0x0}, otrap = 0x0, trapcom = 0x7f641ec64080, otrapcom = 0x0, timetrap = 0x0, real_fun = 0x0}, stk = 0x769f00 <_Stak_data>, heredocs = 0x0, 
  funlog = 0x0, fdptrs = 0x7f641ec9e180, savexit = 0, lastarg = 0x7f641ec94840 "./rwh_main.ksh", lastpath = 0x0, path_err = 0, track_tree = 0x7f641ec90c60, var_base = 0x7f641ec9dfc0, 
  openmatch = 0x0, namespace = 0x0, last_table = 0x0, prev_table = 0x0, outpool = 0x7f641ec9dd70, timeout = 0, curenv = 0, jobenv = 0, infd = 11, nextprompt = 2, poolfiles = 0, posix_fun = 0x0, 
  outbuff = 0x7f641ec50050 "something\n", errbuff = 0x7f641ec60070 "./rwh_main.ksh[2]: .[3]: .: syntax error at line 13: `]]:' unexpected\n", prompt = 0x0, 
  shname = 0x7f641ec6b140 "./rwh_main.ksh", comdiv = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, prefix = 0x0, jmplist = 0x7ffecd838540, fifo = 0x0, oldexit = 3, bckpid = 0, 
  cpid = 0, spid = 0, pipepid = 0, outpipepid = 0, topfd = 0, savesig = 0, sigflag = 0x7f641ec9ded0 "", intrap = 0 '\000', login_sh = 0 '\000', lastbase = 0 '\000', forked = 0 '\000', 
  binscript = 0 '\000', deftype = 0 '\000', funload = 0 '\000', used_pos = 0 '\000', universe = 1 '\001', winch = 0 '\000', inarith = 0 '\000', indebug = 0 '\000', ignsig = 0 '\000', 
  lastsig = 0 '\000', pathinit = 0 '\000', comsub = 0 '\000', subshare = 0 '\000', toomany = 0 '\000', instance = 0 '\000', decomma = 0 '\000', redir0 = 0 '\000', readscript = 0x0, subdup = 0, 
  inpipe = 0x0, outpipe = 0x0, cpipe = {-1, 0, 0}, coutpipe = -1, inuse_bits = 0, envlist = 0x0, arglist = 0x0, fn_depth = 0, fn_reset = 0, dot_depth = 1, hist_depth = 0, xargmin = 0, 
  xargmax = 0, xargexit = 0, nenv = 0, mask = 18, lexsize = 216, env = 0x0, init_context = 0x7f641ec665e0, mac_context = 0x7f641ec9d9d0, lex_context = 0x7f641ec9da70, 
  arg_context = 0x7f641ec9da20, job_context = 0x0, pathlist = 0x7f641ec7f570, defpathlist = 0x0, cdpathlist = 0x0, argaddr = 0x0, optlist = 0x0, global = {prevst = 0x0, dolc = 0, 
    dolv = 0x7ffecd838e50, cmdname = 0x7f641ec6b170 "./rwh_main.ksh", filename = 0x7f641ec6f3f0 "/root/rwh_main.ksh", funname = 0x0, lineno = 0, save_tree = 0x7f641ec9dfc0, 
    self = 0x76e320 <sh+800>, var_local = 0x0, staklist = 0x0, states = 4, breakcnt = 0, execbrk = 0, loopcnt = 0, firstline = 0, optindex = 1, optnum = 0, tmout = 0, optchar = 0, opterror = 0, 
    ioset = 0, trapmax = 0, trap = {0x0, 0x0, 0x0, 0x0, 0x0}, otrap = 0x0, trapcom = 0x7f641ec64080, otrapcom = 0x0, timetrap = 0x0, real_fun = 0x0}, checkbase = {buff = {{__jmpbuf = {0, 
          -2045927498963846239, 140732346371656, 140732346371648, 0, 0, 2046600984751143841, -2045928049428366431}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}, 
    prev = 0x0, topfd = 0, mode = 12, olist = 0x0, err = {context = 0x0, errors = 0, flags = 0, line = 0, warnings = 0, file = 0x0, id = 0x7f641ec6b170 "./rwh_main.ksh"}}, userinit = 0x0, 
  bltinfun = 0x0, bltindata = {shp = 0x76e000 <sh>, ptr = 0x0, version = 20071012, shrun = 0x45e5d0 <sh_run>, shtrap = 0x419be0 <sh_trap>, shexit = 0x41a2c0 <sh_exit>, 
    shbltin = 0x40ab90 <sh_addbuiltin>, notify = 0 '\000', sigset = 0 '\000', nosfio = 0 '\000', bnode = 0x0, vnode = 0x0, data = 0x0, flags = 0, shgetenv = 0x43b4d0 <sh_getenv>, 
    shsetenv = 0x440880 <sh_setenviron>, invariant = 0}, cur_line = 0x0, offsets = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, sftable = 0x7f641ec9e080, fdstatus = 0x7f641ec9e280 "12", 
  pwd = 0x7f641ec947b0 "/root", jmpbuffer = 0x76e3f8 <sh+1016>, mktype = 0x0, strbuf = 0x7f641ec9db60, strbuf2 = 0x0, first_root = 0x0, prefix_root = 0x0, last_root = 0x7f641ec9dfc0, 
  prev_root = 0x0, fpathdict = 0x0, typedict = 0x7f641ec91d10, inpool = 0x0, transdict = 0x0, ifstable = '\000' <repeats 255 times>, test = 0, offoptions = {v = {0, 0, 0, 0}}, glob_options = {
    v = {0, 0, 0, 0}}, typeinit = 0x0, nvfun = {disc = 0x0, nofree = 1 '\001', subshell = 0 '\000', dsize = 0, next = 0x0, last = 0x76e000 <sh> "", type = 0x0}, 
  mathnodes = 0x7f641ec91eb0 "\020\037\311\036d\177", 0x0, bltin_dir = 0x0, regress = 0x0}
(gdb) f 1
#1  0x00000000004bec06 in sfclose (f=0x7f641ec7f850) at /usr/src/debug/ksh-20120801/src/lib/libast/sfio/sfclose.c:74
74		if(f->disc && (ex = SFRAISE(f,local ? SF_NEW : SF_CLOSING,NIL(Void_t*))) != 0)
(gdb) p f
$5 = (Sfio_t *) 0x7f641ec7f850
(gdb) p *f
$6 = {next = 0x0, endw = 0x0, endr = 0x0, endb = 0x2000 <Address 0x2000 out of bounds>, push = 0x0, flags = 63712, file = 7879, data = 0x0, size = 4703242761108930911, val = 357645309268, 
  extent = -1, here = 140067989782528, unused_1 = 33 '!', tiny = "", bits = 128, mode = 32, disc = 0x4145465f5453415f, pool = 0x5345525554, rsrv = 0x7f641ec7fa10, proc = 0x0, 
  mutex = 0x7f641ec68000, stdio = 0x21, lpos = 4995426869437877845, iosz = 108179306327328, blksz = 512, getr = 516421792}
(gdb) f 2
#2  0x000000000045e048 in sh_eval (iop=0x7f641ec7f850, mode=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:643
643			sfclose(io_save);
(gdb) p io_ave
No symbol "io_ave" in current context.
(gdb) p io_save
$7 = (Sfio_t *) 0x7f641ec7f850
(gdb) p *io_save
$8 = {_next = 0x0, _endw = 0x0, _endr = 0x0, _endb = 0x2000 <Address 0x2000 out of bounds>, _push = 0x0, _flags = 63712, _file = 7879, _data = 0x0, _size = 4703242761108930911, 
  _val = 357645309268}
(gdb) 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Regards
Mohit Agrawal
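
As an added triage note (not part of the report or of ksh): the garbage in `disc` and its neighbouring fields is printable text when read as little-endian bytes (`_AST_FEA`, `TURES`, `UNIVERSE`, ` - ucb`, together the `_AST_FEATURES=UNIVERSE - ucb` string ksh93 places in its environment), the usual sign that the Sfio_t had already been freed and its memory reused for string data before sfclose() ran, consistent with the "dotdoublefree" fix attached later. The script below parses the quoted gdb `p *f` dump (embedded as constructed sample input) and flags such fields; the field regex and the 0x7f... address range are heuristics chosen here, not anything from ksh or gdb.

```python
import re

# Constructed sample input: the `p *f` Sfio_t dump quoted in comment 1 of this bug
# (frames 0 and 1 of the backtrace), reflowed onto fewer lines.
GDB_DUMP = """$6 = {next = 0x0, endw = 0x0, endr = 0x0, endb = 0x2000 <Address 0x2000 out of bounds>,
  push = 0x0, flags = 63712, file = 7879, data = 0x0, size = 4703242761108930911, val = 357645309268,
  extent = -1, here = 140067989782528, unused_1 = 33 '!', tiny = "", bits = 128, mode = 32,
  disc = 0x4145465f5453415f, pool = 0x5345525554, rsrv = 0x7f641ec7fa10, proc = 0x0,
  mutex = 0x7f641ec68000, stdio = 0x21, lpos = 4995426869437877845, iosz = 108179306327328,
  blksz = 512, getr = 516421792}"""

# 'name = <hex or decimal>' pairs; string/char fields such as tiny = "" are skipped.
FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|-?\d+)")

# Heuristic (assumption): on x86_64 Linux, mmap'ed heap regions and shared libraries
# usually sit in 0x7f0000000000..0x7fffffffffff, as every valid pointer in this dump does.
MMAP_LO, MMAP_HI = 0x7F0000000000, 0x7FFFFFFFFFFF


def parse_fields(dump):
    """Return {field_name: int} for every numeric field in a gdb struct dump."""
    return {name: int(text, 0) for name, text in FIELD_RE.findall(dump)}


def as_ascii(value, width=8):
    """Decode a field as little-endian bytes and return the text if it is printable ASCII.

    Trailing NUL padding is stripped so a 5-byte fragment like "TURES" still qualifies;
    fewer than four printable bytes is too weak a signal and yields None.
    """
    if value <= 0 or value >= 1 << (8 * width):
        return None
    raw = value.to_bytes(width, "little").rstrip(b"\0")
    if len(raw) >= 4 and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def classify(value):
    """Label a pointer-sized field: NULL, reused-as-text, plausible mmap address, or other."""
    if value == 0:
        return "NULL"
    text = as_ascii(value)
    if text is not None:
        return f"ASCII {text!r}"
    if MMAP_LO <= value <= MMAP_HI:
        return "mmap address"
    return "integer/other"


def ascii_fields(dump):
    """Fields whose raw bytes are printable text: the heap-reuse signature of a freed object."""
    found = {}
    for name, value in parse_fields(dump).items():
        text = as_ascii(value)
        if text is not None:
            found[name] = text
    return found


if __name__ == "__main__":
    for name, value in parse_fields(GDB_DUMP).items():
        print(f"{name:>9} = {value:#x}  {classify(value)}")
```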

Comment 5 Siteshwar Vashisht 2017-01-04 11:18:58 UTC
Created attachment 1237093 [details]
ksh-20120801-dotdoublefree.patch

Fix a crash during clean up after sourcing multiple files

Comment 7 Siteshwar Vashisht 2017-01-09 14:16:48 UTC
I posted this patch to upstream http://lists.research.att.com/pipermail/ast-developers/2017q1/004075.html

Comment 12 errata-xmlrpc 2017-08-01 16:26:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1936