Bug 922851

Summary: exec a script causes a fork bomb when receiving SIGTSTP
Product: Red Hat Enterprise Linux 6 Reporter: Dennis Kanbier <dennis>
Component: kshAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA QA Contact: Martin Kyral <mkyral>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: mkyral, ovasik
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ksh-20120801-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 10:54:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dennis Kanbier 2013-03-18 16:56:06 UTC 
Description of problem:

Calling a subshell within a script started by exec can cause the exec'ed script to call itself indefinitely, much like a fork bomb. 

Note: be careful with the test case, as it may make your system unstable.

Version-Release number of selected component (if applicable):

ksh-20100621-5.el5

How reproducible:

100% of the time

Steps to Reproduce:
1. Create an executable file "foo" with the following two strings:
$ cat /root/foo
vi /tmp/bar
# Comment needed to trigger the bomb

2. Start a KSH session and exec the foo script:
$ ksh
$ exec /root/foo

3. You are now in a VI session. Send the TSTP signal to VI using CTRL-Z, close VI using :q.
  
Actual results:

/root/foo spawns itself as a child until it hits the nproc limit and is unable to fork any more processes.

Expected results:

The VI session drops to the background and can be recalled using "fg".

Additional info:

Unable to reproduce using bash. Still reproduces using the updated KSH RPM's from bug https://bugzilla.redhat.com/show_bug.cgi?id=892206
Comment 1 Dennis Kanbier 2013-03-18 19:13:00 UTC 
Some more information on how the processes look:

$ ps -ef --forest
root      4741     1  0 20:11 pts/0    00:00:00 /root/foo
root      4742  4741  0 20:11 pts/0    00:00:00  \_ /root/foo
root      4743  4742  0 20:11 pts/0    00:00:00      \_ /root/foo
root      4744  4743  0 20:11 pts/0    00:00:00          \_ /root/foo
root      4745  4744  0 20:11 pts/0    00:00:00              \_ /root/foo
...
Comment 2 Michal Hlavinka 2013-03-19 15:43:05 UTC 
thanks for reporting
reproducible
Comment 3 Dennis Kanbier 2013-03-28 16:55:57 UTC 
Reproduces in RHEL6 as well:

$ ksh --version
  version         sh (AT&T Research) 93t+ 2010-06-21
$ rpm -qa |grep ksh
ksh-20100621-19.el6.x86_64

On RHEL6 the script sometimes gives a Memory fault without spawning unlimited childs:

$ exec /root/foo
/root/foo: line 1: 0:
/root/foo: line 1: 2396: Memory fault
Comment 4 Michal Hlavinka 2013-04-30 14:31:09 UTC 
There is already another ksh fork bomb bug reported for RHEL5 - bug #910923
Instead of closing this as a duplicate, I'll use it for tracking this bug in RHEL6
Comment 5 Dennis Kanbier 2013-05-01 08:29:14 UTC 
I'm not authorized to see that bug, I guess that is why it missed the search. 

Any details on the bug (hunting) yet?
Comment 7 Michal Hlavinka 2013-05-10 11:55:50 UTC 
(In reply to comment #5)
> Any details on the bug (hunting) yet?

We have patch ready for next update
Comment 12 errata-xmlrpc 2013-11-21 10:54:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1599.html