Bug 1247383 - Serious problem with correction of #1117404
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ksh
Version: 6.7
Hardware: All
OS: All
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Michal Hlavinka
QA Contact: Martin Kyral
Docs Contact: Milan Navratil
Keywords: Patch, Regression, Reproducer, ZStream
Duplicates: 1217682 1239105 1246815 1247268 1248134 1261314
Depends On:
Blocks: 1145214 1172231 1200114 1239105 1252896 1298641
Reported: 2015-07-27 16:48 EDT by Paulo Andrade
Modified: 2016-11-03 09:54 EDT
Fixed In Version: ksh-20120801-31.el6
Doc Type: Bug Fix
Doc Text:
KornShell now resets and modifies signal traps as expected and no longer crashes
Previously, KornShell (ksh) terminated unexpectedly with a segmentation fault when attempting to reset or modify certain signal traps. With this update, ksh does not attempt to free memory used for a string literal. As a result, ksh no longer crashes in the described situation.
Clones: 1252896 1298641
Last Closed: 2016-05-10 20:46:37 EDT
Type: Bug
Attachments
  core of ksh (960.00 KB, application/x-core), 2015-08-13 11:10 EDT, Saket Pusalkar
  core generate by ksh script (3.31 MB, application/octet-stream), 2015-08-14 07:12 EDT, IBM Bug Proxy
  files for reproducing bug under staf/stax (790 bytes, application/x-tgz), 2015-08-14 07:12 EDT, IBM Bug Proxy

External Trackers
  Red Hat Knowledge Base (Solution) 1545883

Description Paulo Andrade 2015-07-27 16:48:45 EDT
I am partly to blame as it is a side effect of a
patch that I proposed for ksh.

The "fast" correction would be this change to
ksh-20120801-trapcom.patch:

-				if (shp->st.trapcom[isig])
+				if (shp->st.trapcom[isig] && shp->st.trapcom[isig] != Empty)
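Review bot: the added `!= Empty` comparison guards only this one free site in ksh-20120801-trapcom.patch, while the same sentinel test already exists in trap.c (`if(arg && arg != Empty) free(arg);`); rather than repeating the comparison at each place that releases a st.trapcom entry, route every release through a single helper that does the `p && p != Empty` check, otherwise the next code path that saves or restores the trap vector (the nested-function case raised later in this bug) will miss it. The patch description should also say why the sentinel may be compared but never freed: Empty is e_sptbnl+3, the NUL terminator of a static const array, so handing it to free() is undefined behaviour and is what produces the segfault in the reproducer.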

I did check all source code, and the only place
it does set it to a non-strdup'ed string is at
src/cmd/ksh93/bltins/trap.c (lines 154-158):

				arg = shp->st.trapcom[sig];
				sh_sigtrap(sig);
				shp->st.trapcom[sig] = (shp->sigflag[sig]&SH_SIGOFF) ? Empty : strdup(action);
				if(arg && arg != Empty)
					free(arg);

Empty is defined as:
#define Empty			((char*)(e_sptbnl+3))

and e_sptbnl is statically initialized as:
const char e_sptbnl[]		= " \t\n";
Comment 2 Paulo Andrade 2015-07-27 16:50:37 EDT
Setting priority/severity to urgent because I believe
this will affect a lot of users.
Comment 4 Paulo Andrade 2015-07-28 12:57:52 EDT
Reproducer fixed by experimental package at
http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

$ cat nohup.ksh.segv
#!/bin/ksh
trap '' 1
HIVAR=`echo hi`
$ nohup ksh nohup.ksh.segv
Comment 5 Michal Hlavinka 2015-07-30 06:55:33 EDT
*** Bug 1246815 has been marked as a duplicate of this bug. ***
Comment 7 Michal Hlavinka 2015-07-30 07:01:38 EDT
*** Bug 1248134 has been marked as a duplicate of this bug. ***
Comment 30 Michal Hlavinka 2015-08-13 03:47:37 EDT
*** Bug 1239105 has been marked as a duplicate of this bug. ***
Comment 31 tushii012 2015-08-13 07:36:48 EDT
Hi,

We tried to rerun the same steps and it reproduced again; adding the core here.
This shell script was invoked from a c program.

Thanks Tushar
Comment 35 Saket Pusalkar 2015-08-13 11:10:17 EDT
Created attachment 1062682 [details]
core of ksh

Faced the same issue with the experimental package at

http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/

[root@l111054 CVMVolDg]# ksh --version
  version         sh (AT&T Research) 93u+ 2012-08-01
[root@l111054 CVMVolDg]# rpm -qa |grep ksh
ksh-20120801-28.el6.x86_64
 
[root@l111054 CVMVolDg]# ls -al core.9976
-rw------- 1 root root 983040 Jul 21 19:50 core.9976
Comment 38 Paulo Andrade 2015-08-13 12:16:18 EDT
(In reply to Saket Pusalkar from comment #35)
> Created attachment 1062682 [details]
> core of ksh
> 
> Faced the same issue with the experimental package at
> 
> http://people.redhat.com/pandrade/ksh-20120801-28.el6.1.sfdc01482714/x86_64/
> 
> [root@l111054 CVMVolDg]# ksh --version
>   version         sh (AT&T Research) 93u+ 2012-08-01
> [root@l111054 CVMVolDg]# rpm -qa |grep ksh
> ksh-20120801-28.el6.x86_64

  It should be:

$ rpm -q ksh
ksh-20120801-28.el6.1.sfdc01482714.x86_64

> [root@l111054 CVMVolDg]# ls -al core.9976
> -rw------- 1 root root 983040 Jul 21 19:50 core.9976

  The core is from the package without the correction.
Comment 42 Paulo Andrade 2015-08-13 16:01:43 EDT
UPDATE:

If you are testing any of the packages at people.redhat.com/pandrade,
please switch to testing the ones, for the proper architecture under
http://people.redhat.com/pandrade/bz1247383/

We were told about a variant test where the original problem at
https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
be triggered on nested ksh shell functions. The problem basically
is that ksh has a vector of information about traps, and when
running a subshell, or a shell function, it would save the
contents of this vector, and once finished, would restore the
vector of pointers.
The problem is that the contents of the vector of pointers could
be changed during the subshell or function, and when restoring,
it could have dangling pointers, pointing to released memory.
Comment 44 Saket Pusalkar 2015-08-14 04:20:08 EDT
(In reply to Paulo Andrade from comment #42)
> UPDATE:
> 
> If you are testing any of the packages at people.redhat.com/pandrade,
> please switch to testing the ones, for the proper architecture under
> http://people.redhat.com/pandrade/bz1247383/
> 
> We were told about a variant test where the original problem at
> https://bugzilla.redhat.com/show_bug.cgi?id=1117404 could still
> be triggered on nested ksh shell functions. The problem basically
> is that ksh has a vector of information about traps, and when
> running a subshell, or a shell function, it would save the
> contents of this vector, and once finished, would restore the
> vector of pointers.
> The problem is that the contents of the vector of pointers could
> be changed during the subshell or function, and when restoring,
> it could have dangling pointers, pointing to released memory.


We can confirm that we cannot reproduce the issue with the new ksh (version ksh-20120801-28.el6.1.sfdc01482714.x86_64). Please let us know which new update will incorporate this fix.
Comment 45 Michal Hlavinka 2015-08-14 06:35:02 EDT
*** Bug 1217682 has been marked as a duplicate of this bug. ***
Comment 47 IBM Bug Proxy 2015-08-14 07:12:28 EDT
Created attachment 1062980 [details]
core generate by ksh script
Comment 48 IBM Bug Proxy 2015-08-14 07:12:30 EDT
Created attachment 1062981 [details]
files for reproducing bug under staf/stax
Comment 60 Michal Hlavinka 2015-08-25 04:49:54 EDT
*** Bug 1247268 has been marked as a duplicate of this bug. ***
Comment 66 Michal Hlavinka 2015-09-09 04:22:25 EDT
*** Bug 1261314 has been marked as a duplicate of this bug. ***
Comment 67 Vasil Yonkov 2015-09-09 04:45:42 EDT
Tested with the package suggested in Comment 42:

https://people.redhat.com/pandrade/bz1247383/x86_64/ksh-20120801-30.el6.bz1247383.x86_64

and the problem described in Bug 1261314 no longer appears.
Comment 79 errata-xmlrpc 2016-05-10 20:46:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0932.html
