Bug 2027001

Summary: bash hang due to unsafe call to malloc from signal handler - PIPESTATUS variable issue
Product: Red Hat Enterprise Linux 7
Reporter: Paulo Andrade <pandrade>
Component: bash
Assignee: Siteshwar Vashisht <svashisht>
Status: CLOSED WONTFIX
QA Contact: Karel Volný <kvolny>
Severity: medium
Priority: unspecified
Version: 7.9
CC: chorn, dbodnarc, qguo, rmetrich, svashisht
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Last Closed: 2022-05-19 07:52:36 UTC
Type: Bug

Description Paulo Andrade 2021-11-26 20:27:45 UTC
(gdb) bt
#0  __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1  0x00007f91f65207e5 in _L_lock_16773 () at malloc.c:5255
#2  0x00007f91f651d833 in __GI___libc_malloc (bytes=140264882956128, bytes@entry=32) at malloc.c:2897
#3  0x000000000046a50b in xmalloc (bytes=bytes@entry=32) at xmalloc.c:112
#4  0x000000000045902b in array_create () at array.c:89
#5  0x0000000000459071 in array_copy (a=0xbd0af0) at array.c:138
#6  0x000000000043af2b in save_pipestatus_array () at variables.c:4781
#7  0x0000000000454b16 in run_exit_trap () at trap.c:730
#8  0x0000000000456c06 in termsig_handler (sig=1) at sig.c:559
#9  <signal handler called>
#10 _int_malloc (av=av@entry=0x7f91f685e760 <main_arena>, bytes=bytes@entry=30) at malloc.c:3420
#11 0x00007f91f651d7dc in __GI___libc_malloc (bytes=bytes@entry=30) at malloc.c:2899
#12 0x000000000046a50b in xmalloc (bytes=bytes@entry=30) at xmalloc.c:112
#13 0x00000000004a661b in tilde_expand (string=string@entry=0x4bbb0d "~/.bash_logout") at ./tilde.c:200
#14 0x000000000042a7e2 in bash_tilde_expand (s=s@entry=0x4bbb0d "~/.bash_logout", assign_p=assign_p@entry=0) at general.c:991
#15 0x000000000046f0ef in maybe_execute_file (fname=fname@entry=0x4bbb0d "~/.bash_logout", force_noninteractive=force_noninteractive@entry=1) at evalfile.c:311
#16 0x000000000046fff3 in bash_logout () at ./exit.def:163
#17 0x0000000000470034 in exit_or_logout (list=list@entry=0x0) at ./exit.def:148
#18 0x00000000004701a5 in exit_builtin (list=list@entry=0x0) at ./exit.def:69
#19 0x0000000000428a28 in handle_eof_input_unit () at ./parse.y:5733
#20 yyparse () at ./parse.y:428
#21 0x000000000041dfca in parse_command () at eval.c:229
#22 0x000000000041e08c in read_command () at eval.c:273
#23 0x000000000041e28c in reader_loop () at eval.c:138
#24 0x000000000041c96e in main (argc=1, argv=0x7ffcc7eaeb58, env=0x7ffcc7eaeb68) at shell.c:759

  Working with user to see if we can get a reproducer.

  The code path that causes a malloc from signal handler, and the above backtrace
is due to usage of the PIPESTATUS special variable.

  The malloc from signal handler causes a deadlock when attempting to get the
malloc mutex from the signal handler.
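
The re-entrancy shown in the backtrace, reduced to an added C example (not bash source and not part of the report): the unsafe handler shape beside a handler that only records the signal and leaves the allocating trap work to the main flow. `run_exit_trap` here is a stand-in for the function in frame #7; `deferred_handler`, `process_pending` and `demo_deferred_sighup` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static volatile sig_atomic_t pending_sig;  /* written by the safe handler only */
static volatile sig_atomic_t in_handler;   /* 1 while the unsafe handler runs */
static int trap_runs, trap_ran_in_handler;

/* Stand-in for run_exit_trap() -> save_pipestatus_array(): it copies an
 * array, so it calls malloc and is therefore not async-signal-safe. */
static void run_exit_trap(void) {
    static const int status[] = {0, 1, 0};   /* constructed sample statuses */
    int *saved = malloc(sizeof status);
    if (saved) memcpy(saved, status, sizeof status);
    trap_runs++; trap_ran_in_handler |= in_handler;
    free(saved);
}

/* UNSAFE, never installed here: the shape of frames #8..#2. If the signal
 * interrupts malloc while the arena lock is held, the nested malloc waits
 * forever on a lock its own thread already owns. */
void unsafe_termsig_handler(int sig) { (void)sig; in_handler = 1; run_exit_trap(); in_handler = 0; }

/* SAFE: the handler only stores to a sig_atomic_t flag. */
static void deferred_handler(int sig) { pending_sig = sig; }

/* The main flow calls this at a point where it is not inside the allocator. */
static int process_pending(void) {
    int sig = pending_sig;
    if (sig) { pending_sig = 0; run_exit_trap(); }
    return sig;
}

/* Returns the signal number if the trap ran once, outside any handler. */
int demo_deferred_sighup(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = deferred_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    trap_runs = trap_ran_in_handler = 0;
    raise(SIGHUP);             /* handler runs here and touches only the flag */
    int handled = process_pending();
    return (trap_runs == 1 && !trap_ran_in_handler) ? handled : -1;
}

int main(void) { printf("handled %d\n", demo_deferred_sighup()); return 0; }
```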

Comment 3 Siteshwar Vashisht 2021-12-02 10:24:50 UTC
Signal handling was reworked in bash-4.4, so this should be fixed when user upgrades to newer version of RHEL. It's mentioned in bash-4.4 release announcement[1]. It's unlikely it will be fixed in RHEL 7.

[1] https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html