RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1247383 - Serious problem with correction of #1117404
Summary: Serious problem with correction of #1117404
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ksh
Version: 6.7
Hardware: All
OS: All
urgent
urgent
Target Milestone: rc
: ---
Assignee: Michal Hlavinka
QA Contact: Martin Kyral
Milan Navratil
URL:
Whiteboard:
: 1217682 1239105 1246815 1247268 1248134 1261314 (view as bug list)
Depends On:
Blocks: 1145214 1172231 1200114 1239105 1252896 1298641
TreeView+ depends on / blocked
 
Reported: 2015-07-27 20:48 UTC by Paulo Andrade
Modified: 2023-10-06 17:29 UTC (History)
36 users (show)

Fixed In Version: ksh-20120801-31.el6
Doc Type: Bug Fix
Doc Text:
KornShell now resets and modifies signal traps as expected and no longer crashes Previously, KornShell (ksh) terminated unexpectedly with a segmentation fault when attempting to reset or modify certain signal traps. With this update, ksh does not attempt to free memory used for a string literal. As a result, ksh no longer crashes in the described situation.
Clone Of:
: 1252896 1298641 (view as bug list)
Environment:
Last Closed: 2016-05-11 00:46:37 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
core of ksh (960.00 KB, application/x-core)
2015-08-13 15:10 UTC, Saket Pusalkar 		no flags Details
core generate by ksh script (3.31 MB, application/octet-stream)
2015-08-14 11:12 UTC, IBM Bug Proxy 		no flags Details
files for reproducing bug under staf/stax (790 bytes, application/x-tgz)
2015-08-14 11:12 UTC, IBM Bug Proxy 		no flags Details
Show Obsolete (2) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1545883 0 None None None Never
Red Hat Product Errata RHBA-2016:0932 0 normal SHIPPED_LIVE ksh bug fix update 2016-05-10 22:54:18 UTC

Description Paulo Andrade 2015-07-27 20:48:45 UTC 
I am partly to blame as it is a side effect of a
patch that I proposed for ksh.

The "fast" correction would be this change to
ksh-20120801-trapcom.patch:

-				if (shp->st.trapcom[isig])
+				if (shp->st.trapcom[isig] && shp->st.trapcom[isig] != Empty)

I did check all source code, and the only place
it does set it to a non strdup'ed string is at
src/cmd/ksh93/bltins/trap.c:

154:				arg = shp->st.trapcom[sig];
155:				sh_sigtrap(sig);
156:				shp->st.trapcom[sig] = (shp->sigflag[sig]&SH_SIGOFF) ? Empty : strdup(action);
157:				if(arg && arg != Empty)
158:					free(arg);

Empty is defined as:
#define Empty			((char*)(e_sptbnl+3))

and e_sptbnl is statically initialized as:
const char e_sptbnl[]		= " \t\n";
Comment 2 Paulo Andrade 2015-07-27 20:50:37 UTC 
Setting priority/severity to urgent because I believe
this will affect a lot of users.
Comment 4 Paulo Andrade 2015-07-28 16:57:52 UTC 
Reproducer fixed by experimental package at
http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

$ cat nohup.ksh.segv
#!/bin/ksh
trap '' 1
HIVAR=`echo hi`
$ nohup ksh nohup.ksh.segv
Comment 5 Michal Hlavinka 2015-07-30 10:55:33 UTC 
*** Bug 1246815 has been marked as a duplicate of this bug. ***
Comment 7 Michal Hlavinka 2015-07-30 11:01:38 UTC 
*** Bug 1248134 has been marked as a duplicate of this bug. ***
Comment 30 Michal Hlavinka 2015-08-13 07:47:37 UTC 
*** Bug 1239105 has been marked as a duplicate of this bug. ***
Comment 31 tushii012 2015-08-13 11:36:48 UTC 
Hi,

we have tried to rerun the same steps and it reproduced again, adding core here.
This shell script was invoked from a c program.

Thanks Tushar
Comment 35 Saket Pusalkar 2015-08-13 15:10:17 UTC 
Created attachment 1062682 [details]
core of ksh

Faced the same issue with the experimental package at

http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

[root@l111054 CVMVolDg]# ksh --version
  version         sh (AT&T Research) 93u+ 2012-08-01
[root@l111054 CVMVolDg]# rpm -qa |grep ksh
ksh-20120801-28.el6.x86_64
 
[root@l111054 CVMVolDg]# ls -al core.9976
-rw------- 1 root root 983040 Jul 21 19:50 core.9976
Comment 38 Paulo Andrade 2015-08-13 16:16:18 UTC 
(In reply to Saket Pusalkar from comment #35)
> Created attachment 1062682 [details]
> core of ksh
> 
> Faced the same issue with the experimental package at
> 
> http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/
> 
> [root@l111054 CVMVolDg]# ksh --version
>   version         sh (AT&T Research) 93u+ 2012-08-01
> [root@l111054 CVMVolDg]# rpm -qa |grep ksh
> ksh-20120801-28.el6.x86_64

  It should be:

$ rpm -q ksh
ksh-20120801-28.el6.1.sfdc01482714.x86_64

> [root@l111054 CVMVolDg]# ls -al core.9976
> -rw------- 1 root root 983040 Jul 21 19:50 core.9976

  The core is from the package without the correction.
Comment 42 Paulo Andrade 2015-08-13 20:01:43 UTC 
UPDATE:

If you are testing any of the packages at people.redhat.com/pandrade,
please switch to testing the ones, for the proper architecture under
http://people.redhat.com/pandrade/bz1247383/

We were told about a variant test where the original problem at
https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
be triggered on nested ksh shell functions. The problem basically
is that ksh has a vector of information about traps, and when
running a subshell, or a shell function, it would save the
contents of this vector, and once finished, would restore the
vector of pointers.
The problem is that the contents of the vector of pointers could
be changed during the subshell of function, and when restoring,
it could have dangling pointers, pointing to released memory.
Comment 44 Saket Pusalkar 2015-08-14 08:20:08 UTC 
(In reply to Paulo Andrade from comment #42)
> UPDATE:
> 
> If you are testing any of the packages at people.redhat.com/pandrade,
> please switch to testing the ones, for the proper architecture under
> http://people.redhat.com/pandrade/bz1247383/
> 
> We were told about a variant test where the original problem at
> https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
> be triggered on nested ksh shell functions. The problem basically
> is that ksh has a vector of information about traps, and when
> running a subshell, or a shell function, it would save the
> contents of this vector, and once finished, would restore the
> vector of pointers.
> The problem is that the contents of the vector of pointers could
> be changed during the subshell of function, and when restoring,
> it could have dangling pointers, pointing to released memory.


We can confirm that we cannot reproduce the issue with the new ksh (version ksh-20120801-28.el6.1.sfdc01482714.x86_64). Please let us know which new update will incorporate this fix.
Comment 45 Michal Hlavinka 2015-08-14 10:35:02 UTC 
*** Bug 1217682 has been marked as a duplicate of this bug. ***
Comment 47 IBM Bug Proxy 2015-08-14 11:12:28 UTC 
Created attachment 1062980 [details]
core generate by ksh script
Comment 48 IBM Bug Proxy 2015-08-14 11:12:30 UTC 
Created attachment 1062981 [details]
files for reproducing bug under staf/stax
Comment 60 Michal Hlavinka 2015-08-25 08:49:54 UTC 
*** Bug 1247268 has been marked as a duplicate of this bug. ***
Comment 66 Michal Hlavinka 2015-09-09 08:22:25 UTC 
*** Bug 1261314 has been marked as a duplicate of this bug. ***
Comment 67 Vasil Yonkov 2015-09-09 08:45:42 UTC 
Tested with the package suggested in Comment 42:

https://people.redhat.com/pandrade/bz1247383/x86_64/ksh-20120801-30.el6.bz1247383.x86_64

and the problem described in Bug 1261314 no longer appears.
Comment 79 errata-xmlrpc 2016-05-11 00:46:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0932.html
Note You need to log in before you can comment on or make changes to this bug.