Bug 1247383 - Serious problem with correction of #1117404
Summary: Serious problem with correction of #1117404
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ksh
Version: 6.7
Hardware: All
OS: All
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Michal Hlavinka
QA Contact: Martin Kyral
Docs Contact: Milan Navratil
URL:
Whiteboard:
Duplicates: 1217682 1239105 1246815 1247268 1248134 1261314
Depends On:
Blocks: 1172231 1145214 1200114 1239105 1252896 1298641
 
Reported: 2015-07-27 20:48 UTC by Paulo Andrade
Modified: 2019-12-16 04:50 UTC (History)
CC List: 36 users

Fixed In Version: ksh-20120801-31.el6
Doc Type: Bug Fix
Doc Text:
KornShell now resets and modifies signal traps as expected and no longer crashes
Previously, KornShell (ksh) terminated unexpectedly with a segmentation fault when attempting to reset or modify certain signal traps. With this update, ksh does not attempt to free memory used for a string literal. As a result, ksh no longer crashes in the described situation.
Clone Of:
Clones: 1252896 1298641
Environment:
Last Closed: 2016-05-11 00:46:37 UTC
Target Upstream Version:


Attachments
core of ksh (960.00 KB, application/x-core)
2015-08-13 15:10 UTC, Saket Pusalkar
core generate by ksh script (3.31 MB, application/octet-stream)
2015-08-14 11:12 UTC, IBM Bug Proxy
files for reproducing bug under staf/stax (790 bytes, application/x-tgz)
2015-08-14 11:12 UTC, IBM Bug Proxy


Links
Red Hat Knowledge Base (Solution) 1545883
Red Hat Product Errata RHBA-2016:0932 (normal, SHIPPED_LIVE): ksh bug fix update, last updated 2016-05-10 22:54:18 UTC

Description Paulo Andrade 2015-07-27 20:48:45 UTC
I am partly to blame as it is a side effect of a
patch that I proposed for ksh.

The "fast" correction would be this change to
ksh-20120801-trapcom.patch:

-				if (shp->st.trapcom[isig])
+				if (shp->st.trapcom[isig] && shp->st.trapcom[isig] != Empty)
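Review bot: the added `!= Empty` guard is correct for this one free site, but it is the second place that has to know that `Empty` is a pointer into the static literal `e_sptbnl` (trap.c:157 already carries the same `arg && arg != Empty` test). Suggest folding the test into a one-line helper used by both sites, and putting a comment next to the `#define Empty` saying that it must never reach free(), so the next reset or restore path added to the trap table does not repeat this crash.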

I did check all source code, and the only place
it does set it to a non-strdup'ed string is at
src/cmd/ksh93/bltins/trap.c:

154:				arg = shp->st.trapcom[sig];
155:				sh_sigtrap(sig);
156:				shp->st.trapcom[sig] = (shp->sigflag[sig]&SH_SIGOFF) ? Empty : strdup(action);
157:				if(arg && arg != Empty)
158:					free(arg);

Empty is defined as:
#define Empty			((char*)(e_sptbnl+3))

and e_sptbnl is statically initialized as:
const char e_sptbnl[]		= " \t\n";

Comment 2 Paulo Andrade 2015-07-27 20:50:37 UTC
Setting priority/severity to urgent because I believe
this will affect a lot of users.

Comment 4 Paulo Andrade 2015-07-28 16:57:52 UTC
Reproducer fixed by experimental package at
http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

$ cat nohup.ksh.segv
#!/bin/ksh
trap '' 1
HIVAR=`echo hi`
$ nohup ksh nohup.ksh.segv

Comment 5 Michal Hlavinka 2015-07-30 10:55:33 UTC
*** Bug 1246815 has been marked as a duplicate of this bug. ***

Comment 7 Michal Hlavinka 2015-07-30 11:01:38 UTC
*** Bug 1248134 has been marked as a duplicate of this bug. ***

Comment 30 Michal Hlavinka 2015-08-13 07:47:37 UTC
*** Bug 1239105 has been marked as a duplicate of this bug. ***

Comment 31 tushii012 2015-08-13 11:36:48 UTC
Hi,

We have tried to rerun the same steps and it reproduced again; adding the core here.
This shell script was invoked from a c program.

Thanks Tushar

Comment 35 Saket Pusalkar 2015-08-13 15:10:17 UTC
Created attachment 1062682 [details]
core of ksh

Faced the same issue with the experimental package at

http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

[root@l111054 CVMVolDg]# ksh --version
  version         sh (AT&T Research) 93u+ 2012-08-01
[root@l111054 CVMVolDg]# rpm -qa |grep ksh
ksh-20120801-28.el6.x86_64
 
[root@l111054 CVMVolDg]# ls -al core.9976
-rw------- 1 root root 983040 Jul 21 19:50 core.9976

Comment 38 Paulo Andrade 2015-08-13 16:16:18 UTC
(In reply to Saket Pusalkar from comment #35)
> Created attachment 1062682 [details]
> core of ksh
> 
> Faced the same issue with the experimental package at
> 
> http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/
> 
> [root@l111054 CVMVolDg]# ksh --version
>   version         sh (AT&T Research) 93u+ 2012-08-01
> [root@l111054 CVMVolDg]# rpm -qa |grep ksh
> ksh-20120801-28.el6.x86_64

  It should be:

$ rpm -q ksh
ksh-20120801-28.el6.1.sfdc01482714.x86_64

> [root@l111054 CVMVolDg]# ls -al core.9976
> -rw------- 1 root root 983040 Jul 21 19:50 core.9976

  The core is from the package without the correction.

Comment 42 Paulo Andrade 2015-08-13 20:01:43 UTC
UPDATE:

If you are testing any of the packages at people.redhat.com/pandrade,
please switch to testing the ones, for the proper architecture under
http://people.redhat.com/pandrade/bz1247383/

We were told about a variant test where the original problem at
https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
be triggered on nested ksh shell functions. The problem basically
is that ksh has a vector of information about traps, and when
running a subshell, or a shell function, it would save the
contents of this vector, and once finished, would restore the
vector of pointers.
The problem is that the contents of the vector of pointers could
be changed during the subshell of function, and when restoring,
it could have dangling pointers, pointing to released memory.
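To make the two failure modes in this report concrete (free() called on the `Empty` sentinel from the description, and the dangling pointers after restoring a saved trap vector from the comment above), here is a small C model of a per-scope trap table. It is an added example, not code from ksh or from this bug's patches: only `e_sptbnl` and `Empty` follow the definitions quoted in the description, while `struct scope`, `set_trap`, `reset_trap`, `enter_scope`, `leave_scope` and `run_reproducer` are hypothetical names. The model keeps the proposed `!= Empty` guard in one helper and, for nested scopes, records which entries the inner scope allocated so that it frees only those on exit and the outer vector never points at released memory; this ownership bitmap is one way to get that property, not a claim about how the shipped ksh fix does it.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for ksh's per-scope trap table (example code, not
 * ksh's own). One action string per signal number. The names below are
 * hypothetical; only e_sptbnl/Empty mirror the definitions quoted in the
 * bug description. */
#define NSIG_MAX 32
#define SIGHUP_NO 1

/* Empty points at the terminating NUL of a static literal: it is a valid,
 * comparable sentinel but must never be passed to free(). */
static const char e_sptbnl[] = " \t\n";
#define Empty ((char *)(e_sptbnl + 3))

struct scope {
    char *trapcom[NSIG_MAX];   /* NULL = default, Empty = ignored, else malloc'd action */
    unsigned owned;            /* bit i set when this scope allocated trapcom[i] */
};

/* The guard from the proposed patch, in one place: free only heap strings. */
static void free_action(char *p)
{
    if (p && p != Empty)
        free(p);
}

/* trap 'action' sig, or trap '' sig when ignore is nonzero (the case ksh
 * stores as Empty when the signal is SH_SIGOFF). */
static void set_trap(struct scope *sc, int sig, const char *action, int ignore)
{
    char *old = sc->trapcom[sig];
    sc->trapcom[sig] = ignore ? Empty : strdup(action);
    /* An inherited pointer is still held by the enclosing scope's vector;
     * freeing it here is exactly what leaves the outer table dangling. */
    if (sc->owned & (1u << sig))
        free_action(old);
    sc->owned |= 1u << sig;
}

/* trap - sig: back to the default disposition. */
static void reset_trap(struct scope *sc, int sig)
{
    if (sc->owned & (1u << sig))
        free_action(sc->trapcom[sig]);
    sc->trapcom[sig] = NULL;
    sc->owned &= ~(1u << sig);
}

/* Entering a subshell or shell function: copy the pointer vector. Nothing
 * in the copy is owned by the inner scope yet. */
static void enter_scope(struct scope *inner, const struct scope *outer)
{
    memcpy(inner->trapcom, outer->trapcom, sizeof inner->trapcom);
    inner->owned = 0;
}

/* Leaving: release only what the inner scope allocated. The outer vector
 * was never touched, so "restoring" it cannot resurrect a freed pointer. */
static void leave_scope(struct scope *inner)
{
    for (int i = 0; i < NSIG_MAX; i++)
        if (inner->owned & (1u << i))
            free_action(inner->trapcom[i]);
    inner->owned = 0;
}

/* Walks a scenario modelled on the reproducer: SIGHUP trapped at top level,
 * a nested scope that first ignores it (Empty) and then re-traps it, then a
 * top-level ignore followed by a reset. Returns 0 when every intermediate
 * state is as expected, otherwise the number of the failing step. */
static int run_reproducer(void)
{
    struct scope outer = {{0}, 0}, inner;

    set_trap(&outer, SIGHUP_NO, "echo outer", 0);
    enter_scope(&inner, &outer);
    set_trap(&inner, SIGHUP_NO, "", 1);           /* trap '' 1 inside the function */
    if (inner.trapcom[SIGHUP_NO] != Empty) return 1;
    set_trap(&inner, SIGHUP_NO, "echo inner", 0); /* replaces Empty: no free() */
    if (strcmp(inner.trapcom[SIGHUP_NO], "echo inner") != 0) return 2;
    leave_scope(&inner);
    /* the outer action string was never freed by the inner scope */
    if (strcmp(outer.trapcom[SIGHUP_NO], "echo outer") != 0) return 3;

    set_trap(&outer, SIGHUP_NO, "", 1);           /* trap '' 1 at top level */
    reset_trap(&outer, SIGHUP_NO);                /* trap - 1: must not free(Empty) */
    if (outer.trapcom[SIGHUP_NO] != NULL) return 4;
    return 0;
}

int main(void)
{
    int rc = run_reproducer();
    printf("trap table model: %s\n", rc == 0 ? "ok" : "mismatch");
    return rc;
}
```

Running the model under a memory checker such as Valgrind is the useful part: remove the `p != Empty` test in `free_action`, or make `set_trap` free `old` unconditionally, and the checker reports an invalid free or a use of freed memory at the same two points this bug report describes.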

Comment 44 Saket Pusalkar 2015-08-14 08:20:08 UTC
(In reply to Paulo Andrade from comment #42)
> UPDATE:
> 
> If you are testing any of the packages at people.redhat.com/pandrade,
> please switch to testing the ones, for the proper architecture under
> http://people.redhat.com/pandrade/bz1247383/
> 
> We were told about a variant test where the original problem at
> https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
> be triggered on nested ksh shell functions. The problem basically
> is that ksh has a vector of information about traps, and when
> running a subshell, or a shell function, it would save the
> contents of this vector, and once finished, would restore the
> vector of pointers.
> The problem is that the contents of the vector of pointers could
> be changed during the subshell of function, and when restoring,
> it could have dangling pointers, pointing to released memory.


We can confirm that we cannot reproduce the issue with the new ksh (version ksh-20120801-28.el6.1.sfdc01482714.x86_64). Please let us know which new update will incorporate this fix.

Comment 45 Michal Hlavinka 2015-08-14 10:35:02 UTC
*** Bug 1217682 has been marked as a duplicate of this bug. ***

Comment 47 IBM Bug Proxy 2015-08-14 11:12:28 UTC
Created attachment 1062980 [details]
core generate by ksh script

Comment 48 IBM Bug Proxy 2015-08-14 11:12:30 UTC
Created attachment 1062981 [details]
files for reproducing bug under staf/stax

Comment 60 Michal Hlavinka 2015-08-25 08:49:54 UTC
*** Bug 1247268 has been marked as a duplicate of this bug. ***

Comment 66 Michal Hlavinka 2015-09-09 08:22:25 UTC
*** Bug 1261314 has been marked as a duplicate of this bug. ***

Comment 67 Vasil Yonkov 2015-09-09 08:45:42 UTC
Tested with the package suggested in Comment 42:

https://people.redhat.com/pandrade/bz1247383/x86_64/ksh-20120801-30.el6.bz1247383.x86_64

and the problem described in Bug 1261314 no longer appears.

Comment 79 errata-xmlrpc 2016-05-11 00:46:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0932.html

