| Summary: | tcsh's malloc clashes with system malloc -> segfault | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ian Collier <imc> |
| Component: | tcsh | Assignee: | Fridolín Pokorný <fpokorny> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 17 | CC: | gpp, ovasik |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Last Closed: | 2013-04-11 15:23:06 UTC |

We experience this same problem with tcsh-6.17-15.fc16 (32 bit) and "passwd compat" in /etc/nsswitch.conf, but we have discovered that running nscd (name service caching daemon) avoids the problem. Without nscd running, ksh also fails to do tilde expansion. Ksh complains with...

ksh: nss_nis/nis-netgrp.c:75: _nss_nis_setnetgrent: Assertion `malloc_usable_size (netgrp->data) >= len + 1' failed.

Bash does tilde expansion with or without nscd running.

This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

I am not able to reproduce the issue with f17. I assume it was fixed meanwhile. Closing current release. Feel free to reopen if you have a reproducer on current Fedora.

Created attachment 551630: Traceback when tcsh crashes

Description of problem:
tcsh comes with its own version of malloc (in tc.alloc.c). However, some library calls in glibc call malloc behind the scenes and this leads to confusion, possibly ending in a crash. On my system, this hits whenever I try to use "~user" to name a user's home directory. This causes the whole terminal window to disappear (because the shell crashed) whenever I type "~user/foo" and press TAB to try a filename completion.

Version-Release number of selected component (if applicable):
tcsh-6.17-15.fc16.x86_64

How reproducible:
100% for me

Steps to Reproduce:
1. Have "passwd compat" in /etc/nsswitch.conf
2. /bin/csh -fc 'echo ~imc'

Actual results:
Segmentation fault

Additional info:
A traceback is attached. The crash happens within malloc_usable_size (from glibc) because the chunk of memory which was passed to it was allocated with tcsh's own malloc. The glibc routine expects the integer immediately preceding the allocated chunk to contain its size, but tcsh's malloc uses it for other purposes. (Note that the value of p->size is 0x55555555013f06fd, where 0x55555555 is the value of RMAGIC in tc.alloc.c.)
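
The header mismatch described in the report, as an added illustration (not code from the report, tcsh or glibc): a toy allocator writes a private 8-byte header in front of the block, and the word before the returned pointer is then decoded the way glibc's malloc treats a size word, where the low three bits are flags. The header layout, the names `toy_header`, `toy_alloc`, `word_before`, `as_chunk_size` and `as_chunk_flags`, and the field values are assumptions, constructed so that on a little-endian machine the word equals the p->size value quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RMAGIC 0x55555555u   /* value quoted in the report */
/* glibc malloc keeps three flag bits in the low bits of a chunk's size word */
#define PREV_INUSE     0x1u
#define IS_MMAPPED     0x2u
#define NON_MAIN_ARENA 0x4u
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Hypothetical private-allocator header (assumed layout, constructed values). */
struct toy_header {
    uint8_t  magic;
    uint8_t  bucket;
    uint16_t size;
    uint32_t rmagic;
};

static unsigned char arena[64];   /* backing store for the toy allocator */

/* Toy allocation: write the private header, hand out the bytes after it. */
void *toy_alloc(void) {
    struct toy_header h = { 0xfd, 0x06, 0x013f, RMAGIC };
    memcpy(arena + 8, &h, sizeof h);
    return arena + 16;
}

/* What a size-word allocator reads: the 8 bytes just before the pointer. */
uint64_t word_before(const void *p) {
    uint64_t w;
    memcpy(&w, (const unsigned char *)p - 8, sizeof w);
    return w;
}

/* Interpret a header word as a glibc-style size word. */
uint64_t as_chunk_size(uint64_t w)  { return w & ~(uint64_t)SIZE_BITS; }
unsigned as_chunk_flags(uint64_t w) { return (unsigned)(w & SIZE_BITS); }

int main(void) {
    uint64_t w = word_before(toy_alloc());
    printf("header word      : 0x%016llx\n", (unsigned long long)w);
    printf("read as size     : %llu bytes\n", (unsigned long long)as_chunk_size(w));
    printf("read as flag bits: 0x%x%s\n", as_chunk_flags(w),
           (as_chunk_flags(w) & NON_MAIN_ARENA) ? " (NON_MAIN_ARENA set)" : "");
    return 0;
}
```

Read this way, the foreign header yields an absurd chunk size and flag bits that were never set by the allocator that owns the block, so any size or arena lookup derived from it is meaningless.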