Bug 167547

Summary: MALLOC_PERTURB_ causes use after free.
Product: Fedora
Reporter: Dave Jones <davej>
Component: bash
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: jakub, pfrields
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-10-25 08:58:59 UTC

Description Dave Jones 2005-09-05 05:12:32 UTC
First, put export MALLOC_PERTURB_="204" in your .bashrc

Sometimes, when you ctrl-C an application, it not only kills the app, but the
terminal too, as bash segv's.

Core was generated by `bash'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/libtermcap.so.2...Reading symbols from
/usr/lib/debug/lib64/libtermcap.so.2.0.8.debug...done.
done.
Loaded symbols for /lib64/libtermcap.so.2
Reading symbols from /lib64/libdl.so.2...Reading symbols from
/usr/lib/debug/lib64/libdl-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libc.so.6...Reading symbols from
/usr/lib/debug/lib64/libc-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from
/usr/lib/debug/lib64/ld-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libnss_files.so.2...Reading symbols from
/usr/lib/debug/lib64/libnss_files-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libnss_files.so.2
#0  dispose_redirects (list=0xcccccccccccccccc) at dispose_cmd.c:298
298           list = list->next;
(gdb) bt
#0  dispose_redirects (list=0xcccccccccccccccc) at dispose_cmd.c:298
#1  0x0000000000424aa6 in dispose_command (command=0x6c3640)
    at dispose_cmd.c:43
#2  0x000000000041a320 in reader_loop () at eval.c:112
#3  0x0000000000419dad in main (argc=1, argv=0x7fffffa10298,
    env=0x7fffffa102a8) at shell.c:714
(gdb)

Note that 'list' is the value that MALLOC_PERTURB_ poisons with.
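
To see the mechanism the report describes, here is an added example (not bash's code and not from the report): it sets the same perturb byte glibc reads from MALLOC_PERTURB_, frees a command-like structure and reads its redirects pointer back through the dangling pointer, which is where the 0xcccccccccccccccc in the backtrace comes from. It assumes glibc (mallopt with M_PERTURB), and it uses a block larger than glibc's tcache limit on the assumption that small freed blocks parked in the tcache are not perturbed; the struct layouts are constructed stand-ins, not bash's.

```c
#include <malloc.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PERTURB_BYTE 204   /* the value the report exports: 0xcc */
#define PADDING 4096       /* keeps the block larger than glibc's tcache limit (assumption) */

/* Constructed stand-ins for bash's REDIRECT and COMMAND structures. */
struct redirect { struct redirect *next; int fd; };
struct command {
    int type;
    char padding[PADDING];   /* also keeps `redirects` past the bin links glibc writes at a freed block's start */
    struct redirect *redirects;
};

/* A pointer-sized word filled with the perturb byte: what any pointer read back from freed memory looks like. */
uintptr_t perturb_pattern(void) {
    uintptr_t v;
    memset(&v, PERTURB_BYTE, sizeof v);
    return v;
}

/* Free a command, then read its `redirects` field through the dangling pointer,
 * as the crashed dispose_command() effectively did.  Returns the raw word read. */
uintptr_t stale_redirects_after_free(void) {
    mallopt(M_PERTURB, PERTURB_BYTE);        /* same effect as MALLOC_PERTURB_=204 in the environment */
    struct command *cmd = malloc(sizeof *cmd);
    if (cmd == NULL)
        abort();
    cmd->type = 0;
    cmd->redirects = NULL;                   /* a valid, empty list while the command is alive */
    struct command *volatile dangling = cmd; /* volatile: the compiler cannot fold away the stale read */
    free(cmd);                               /* glibc now overwrites the block's contents with 0xcc bytes */
    uintptr_t stale;
    memcpy(&stale, &dangling->redirects, sizeof stale);  /* deliberate use-after-free read, for the demo only */
    return stale;
}

int main(void) {
    uintptr_t stale = stale_redirects_after_free();
    printf("redirects read after free: %#llx, perturb pattern: %#llx\n",
           (unsigned long long) stale, (unsigned long long) perturb_pattern());
    /* dispose_redirects() would next run `list = list->next` on this value and fault, as in the backtrace */
    return stale == perturb_pattern() ? 0 : 1;
}
```

Without the perturb byte the freed block keeps its old contents, so the same stale read returns NULL and the bug stays hidden until something else reuses the memory.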

Comment 1 Tim Waugh 2005-10-17 13:13:20 UTC
I think there was a glibc fix in this area a few weeks ago.  Do you still see
this problem?

Comment 2 Dave Jones 2005-10-25 08:58:59 UTC
Not recently. I'll reopen if it reoccurs, but this may have been more fallout
from the calloc bug that affected x86-64.