Bug 650363

Summary: tcsh-6.14-17.el5_5.2 core dumps with backtick substitution
Product: Red Hat Enterprise Linux 5
Reporter: Robert Minsk <robertminsk>
Component: tcsh617
Assignee: Vojtech Vitek <vvitek>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: low
Version: 5.5
CC: bnater, hripps, msvoboda, ovasik, pasteur
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When tcsh evaluated a backquoted command (using command substitution) which itself contained backquotes, it could have dumped core due to a buffer overflow. With this update, nested command substitutions are now handled correctly, and tcsh no longer dumps core in this situation.
Story Points: ---
Clone Of:
: 657536 (view as bug list)
Environment:
Last Closed: 2011-07-21 08:49:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 657536
Attachments:
Description Flags
Demonstrate core dump with multiple backtick evaluation none

Description Robert Minsk 2010-11-05 22:51:18 UTC
Description of problem:
I have an alias
delenv eval `delenv.pl !*`

When I call
delenv PYTHONPATH /shows/cis/sw/lib/python/common /shows/cis/sw/lib/python/`/bin/uname -i`
tcsh will core dump

When I call
delenv PYTHONPATH /shows/cis/sw/lib/python/common /shows/cis/sw/lib/pytho/x86_64
tcsh does not core dump.

It seems to be tied to the backtick evaluation on an alias that also has backtick evaluation.

Version-Release number of selected component (if applicable):
6.14-17.el5_5.2

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Robert Minsk 2010-11-05 23:56:33 UTC
The actual alias is
alias delenv 'eval `delenv.pl \!*`'

Comment 2 Vojtech Vitek 2011-04-14 14:49:16 UTC
Robert, do you have any other reproducer?
Unfortunately, I can't find any test case that crashes the program.

Comment 3 Robert Minsk 2011-04-14 17:39:51 UTC
Created attachment 492179 [details]
Demonstrate core dump with multiple backtick evaluation

Please extract into /var/tmp

Comment 4 Vojtech Vitek 2011-04-18 14:05:26 UTC
Thank you for the reproducer, Robert!

The bug will be solved by the new component tcsh617 in RHEL-5.7; moving the bz to this new component.
Pword() and other string-related functions are rewritten from scratch in tcsh 6.17, so there is no such buffer overflow as described below.

---
Details of the issue in tcsh 6.14:

Core dump:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000414a2e in pword (bufsiz=10240) at sh.glob.c:1094
1094        pargv[pargc++] = Strsave(pargs);
(gdb) bt
#0  0x0000000000414a2e in pword (bufsiz=10240) at sh.glob.c:1094
#1  0x0000000000416049 in dobackp (cp=<value optimized out>, literal=0) at sh.glob.c:835
#2  0x00000000004160e6 in globexpand (v=0x6d5e70) at sh.glob.c:356
#3  0x0000000000416518 in globall (v=0x6d5e68) at sh.glob.c:707
#4  0x0000000000413664 in doeval (v=<value optimized out>, c=<value optimized out>) at sh.func.c:2337
#5  0x0000000000421534 in execute (t=0x6dace0, wanttty=<value optimized out>, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:652
#6  0x0000000000421042 in execute (t=0x6daca0, wanttty=-1, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:740
#7  0x000000000040424f in process (catch=1) at sh.c:2180
#8  0x0000000000405edb in main (argc=<value optimized out>, argv=<value optimized out>) at sh.c:1362

Patch to fix the issue (fixes a possible buffer overflow when pargc is greater than the exact value tested for):

--- sh.glob.c-orig      2011-04-18 15:14:08.614338311 +0200
+++ sh.glob.c   2011-04-18 15:14:13.122425349 +0200
@@ -1085,7 +1085,7 @@ pword(bufsiz)
     int    bufsiz;
 {
     psave(0);
-    if (pargc == pargsiz - 1) {
+    if (pargc >= pargsiz - 1) {
        pargsiz += GLOBSPACE;
        pargv = (Char **) xrealloc((ptr_t) pargv,
                                   (size_t) (pargsiz * sizeof(Char *)));
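Review bot: the `>=` guard in `if (pargc >= pargsiz - 1)` grows pargv by a single GLOBSPACE, so if pargc is already more than GLOBSPACE slots past pargsiz - 1 when pword() is entered, the store at sh.glob.c:1094 (`pargv[pargc++] = Strsave(pargs);`) still lands outside the reallocated block; grow in a loop (`while (pargc >= pargsiz - 1)`) or size the new block from pargc rather than from pargsiz. Because pargc, pargsiz and pargv are used in this hunk without being declared in pword(), they are shared file-scope state, and the report ties the crash to nested command substitution, so a guard that tolerates a stale pargc papers over the nested call leaving that state inconsistent instead of fixing it; the follow-up crash inside _int_malloc in the next backtrace (`size = chunksize(victim)`, i.e. damaged heap metadata) is consistent with an earlier out-of-bounds write that this check alone does not prevent. The patch is against the 6.14 sh.glob.c while the bug is being moved to tcsh617, so the commit message should state which tree it is meant for.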

---
Unfortunately, the simple patch reveals another weird bug (glibc-related):

Program terminated with signal 11, Segmentation fault.
#0  _int_malloc (av=0x3c699971c0, bytes=<value optimized out>) at malloc.c:4628
4628            size = chunksize(victim);
(gdb) bt
#0  _int_malloc (av=0x3c699971c0, bytes=<value optimized out>) at malloc.c:4628
#1  0x0000003c69679ffd in __libc_malloc (bytes=24) at malloc.c:3660
#2  0x000000000043c052 in smalloc (n=24) at tc.alloc.c:498
#3  0x000000000041bd58 in lex (hp=0x678d20) at sh.lex.c:188
#4  0x00000000004040db in process (catch=0) at sh.c:2097
#5  0x000000000041373f in doeval (v=<value optimized out>, c=<value optimized out>) at sh.func.c:2372
#6  0x0000000000421534 in execute (t=0xcda0c0, wanttty=<value optimized out>, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:652
#7  0x0000000000421042 in execute (t=0xcda080, wanttty=-1, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:740
#8  0x000000000040424f in process (catch=1) at sh.c:2180
#9  0x0000000000405edb in main (argc=<value optimized out>, argv=<value optimized out>) at sh.c:1362
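The two backtraces above turn on one detail of the patch: the original growth check fires only when pargc lands exactly on pargsiz - 1, so once pargc has been pushed past that value (which the comment attributes to nested substitution) the array is never grown and the store at sh.glob.c:1094 goes out of bounds. The following is an added C model of that check, written for this page and not taken from tcsh; pargv, pargc, pargsiz and GLOBSPACE are named after the file-scope state the hunk uses, but the small GLOBSPACE value, the `skew` parameter and the `GUARD_LOOP` variant are constructed assumptions. The model reports an out-of-bounds store instead of performing it, and compares the shipped `==` guard, the patch's `>=` guard, and a loop that grows until the slot is in range.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pword() growth check discussed in this bug.
 * Added example, not tcsh source: pargv/pargc/pargsiz mirror the
 * file-scope state the tcsh hunk touches, and GLOBSPACE is a small
 * constructed value so the edge case shows up after a few words. */
#define GLOBSPACE 4

static const char **pargv; /* NULL-terminated vector of collected words */
static int pargc;          /* words stored so far; index of next free slot */
static int pargsiz;        /* slots currently allocated in pargv */

/* Fresh vector, as dobackp() does before collecting words. */
static void pargs_reset(void)
{
    free(pargv);
    pargsiz = GLOBSPACE;
    pargv = calloc((size_t)pargsiz, sizeof *pargv);
    pargc = 0;
}

/* One growth step, the same step the hunk performs. */
static void grow_once(void)
{
    pargsiz += GLOBSPACE;
    pargv = realloc(pargv, (size_t)pargsiz * sizeof *pargv);
}

enum guard {
    GUARD_EQ,   /* tcsh 6.14 as shipped: if (pargc == pargsiz - 1) */
    GUARD_GE,   /* the hunk in comment 4: if (pargc >= pargsiz - 1) */
    GUARD_LOOP  /* hypothetical variant: while (pargc >= pargsiz - 1) */
};

/* Store one word. Returns 1 on success, 0 if the store (slot pargc) or the
 * terminating NULL (slot pargc + 1) would land outside pargv; the model
 * reports that out-of-bounds write instead of performing it. */
static int pword_model(enum guard g, const char *word)
{
    switch (g) {
    case GUARD_EQ:
        if (pargc == pargsiz - 1)
            grow_once();
        break;
    case GUARD_GE:
        if (pargc >= pargsiz - 1)
            grow_once();
        break;
    case GUARD_LOOP:
        while (pargc >= pargsiz - 1)
            grow_once();
        break;
    }
    if (pargc < 0 || pargc + 1 >= pargsiz)
        return 0;
    pargv[pargc++] = word;
    pargv[pargc] = NULL;
    return 1;
}

/* Normal use: pargc advances by exactly one per call, so every guard
 * grows the vector in time. Returns how many of the n words were stored. */
static int fill_words(enum guard g, int n)
{
    int stored = 0;
    pargs_reset();
    for (int i = 0; i < n; i++)
        stored += pword_model(g, "word");
    return stored;
}

/* The failure mode the comment describes: pword() is entered with pargc
 * already `skew` slots beyond the value the guard tests for. The page does
 * not say how nested substitution gets pargc there, so skew stands in for
 * that (constructed). Returns 1 if the word was stored in bounds. */
static int store_with_skew(enum guard g, int skew)
{
    pargs_reset();
    pargc = pargsiz - 1 + skew;
    return pword_model(g, "late-word");
}

int main(void)
{
    static const char *names[] = { "==", ">=", "while >=" };
    for (int g = GUARD_EQ; g <= GUARD_LOOP; g++)
        printf("%-9s sequential: %d/20  skew 0: %d  skew 1: %d  skew %d: %d\n",
               names[g], fill_words(g, 20),
               store_with_skew(g, 0), store_with_skew(g, 1),
               GLOBSPACE, store_with_skew(g, GLOBSPACE));
    return 0;
}
```

Sequential filling succeeds with all three guards, which is why the `==` check went unnoticed; a skew of 1 defeats `==` but not `>=`, and a skew of a full GLOBSPACE defeats the single-step `>=` as well, since one realloc cannot catch up. The loop makes the store safe for any pargc, but, as the second backtrace suggests, it does not repair whatever left the shared state inconsistent in the first place.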

Comment 6 Vojtech Vitek 2011-04-18 14:22:24 UTC
Reproducer:

#!/bin/tcsh
alias testecho '`echo echo \!*`'
testecho This works
testecho This core dumps `echo me`

Comment 9 Robert Minsk 2011-04-19 00:54:13 UTC
Should the reproducer be

#!/bin/tcsh
alias testecho 'echo `echo \!*`'
testecho This works
testecho This core dumps `echo me`

Notice the change in testecho alias.

Comment 10 Vojtech Vitek 2011-04-19 07:38:17 UTC
Robert, both variants are OK.

$ `echo echo ...`
...
$ echo `echo ...`
...

Comment 11 Branislav Náter 2011-06-22 09:22:56 UTC
Bugfix was successfully verified on tcsh617-6.17-5.el5 package.

tcsh can handle multiple backtick evaluation now.

Comment 12 Miroslav Svoboda 2011-07-01 21:55:17 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When tcsh evaluated a backquoted command (using command substitution) which itself contained backquotes, it could have dumped core due to a buffer overflow. With this update, nested command substitutions are now handled correctly, and tcsh no longer dumps core in this situation.

Comment 13 errata-xmlrpc 2011-07-21 08:49:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1072.html

Comment 14 errata-xmlrpc 2011-07-21 12:09:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1072.html

Comment 15 Robert Minsk 2011-07-21 14:49:27 UTC
Errata contains a small grammar error. It currently reads "An new tcsh617 package". It should read "A new tcsh617 package".