1125326 – ksh segfault

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1125326 - ksh segfault

Summary: ksh segfault

Keywords:
Status:	CLOSED DUPLICATE of bug 1112306
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ksh
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Hlavinka
QA Contact:	BaseOS QE - Apps
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-07-31 15:03 UTC by jstephen
Modified:	2014-08-04 14:45 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-08-04 10:44:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ksh core (1.56 MB, application/octet-stream) 2014-07-31 15:05 UTC, jstephen	no flags	Details
View All

Description jstephen 2014-07-31 15:03:52 UTC

Description of problem:
The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null.

Version-Release number of selected component (if applicable):
ksh-20120801-10.el6_5.5.x86_64

How reproducible:
It is happening intermittently, not every time a job is run.

Steps to Reproduce:
1. No identifiable reproducer at this time
2.
3.

Actual results:
ksh crashes
[400075.213273] ksh[10862]: segfault at 0 ip 00000000004dbbb4 sp 00007fff29e5bb50 error 4 in ksh93[400000+15b000]

Expected results:
No crash

Additional info:
Core dump attached

The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null.

#0  0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347
#1  0x00000000004dca78 in _ast_free (data=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:594
#2  0x0000000000428154 in job_chksave (pid=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1980
#3  0x000000000042ac30 in job_post (shp=0x76cba0, pid=11334, join=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1396


#0  0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347
347                     Vmdata_t *vd = SEG(BLOCK(addr))->vmdt;

#define SEG(b)          ((b)->head.head.seg.seg)
#define BLOCK(d)        ((Block_t*)((char*)(d) - sizeof(Head_t)) )

(gdb) ptype Block_t
type = struct _block_s {
    Head_t head;
    Body_t body;
}

(gdb) p ((Block_t *)((char *)addr - sizeof(Head_t)))
$28 = (Block_t *) 0x7f08c1921850

(gdb) p ((Block_t *)((char *)addr - sizeof(Head_t)))->head.head.seg.seg
$30 = (Seg_t *) 0x0

I suspect that this is a kind of double-free that is happening in job_post/job_save.

I found the following BZ's that have very similar backtraces, it could be another manifestation of these problems in the job list code:
https://bugzilla.redhat.com/show_bug.cgi?id=1110063
https://bugzilla.redhat.com/show_bug.cgi?id=825520

Comment 1 jstephen 2014-07-31 15:05:20 UTC

Created attachment 922958 [details]
ksh core

Comment 2 Michal Hlavinka 2014-08-04 10:44:09 UTC

This is most likely duplicate of bug #1112306 but as there are no reproducers for either of these bugs, it's hard to say.

Anyway, closing as a duplicate at least for now - until you can reproduce this crash with fixed ksh package referenced in the duplicate bug. If you can do that, feel free to reopen this bug.

*** This bug has been marked as a duplicate of bug 1112306 ***

Note You need to log in before you can comment on or make changes to this bug.