Bug 1269088 - ksh crashes under chroot environment with segmentation fault
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ksh
Priority: urgent  Severity: medium
Assigned To: Siteshwar Vashisht
Jan Kepler
: Reproducer
Blocks: 1295396 1221766
Reported: 2015-10-06 05:39 EDT by Martin Kyral
Modified: 2017-08-01 12:26 EDT

Fixed In Version: ksh-20120801-34.el7
Clone Of: 1221766
Last Closed: 2017-08-01 12:26:55 EDT
Type: Bug

Attachments: None
Description Martin Kyral 2015-10-06 05:39:27 EDT
This bug is present in RHEL 7, too.

Version-Release number of selected component (if applicable):


+++ This bug was initially created as a clone of Bug #1221766 +++

Description of problem:

  ksh crashes under chroot environment with segmentation fault

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Run the following commands.
  # cd /root
  # ./test.ksh
  # ulimit -c unlimited
  # chroot /root/NEWROOT /bin/ksh

Actual results:

  you will see
    Segmentation fault (core dumped)
  and get a corefile like "/root/NEWROOT/core.12345"

Expected results:

  Print an error.

Additional info:

(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x0000000000406f2f in exfile (shp=0x76d180, iop=0x76adc0, fno=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x0000000000407e60 in sh_main (ac=<value optimized out>, av=0x7fffc9f22c08, userinit=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007ff93162dd5d in __libc_start_main (main=0x406c00 <main>, argc=1, ubp_av=0x7fffc9f22c08, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffc9f22bf8) at libc-start.c:226
#6  0x0000000000406b39 in _start ()

// strdup takes '\0'.
(gdb) f 1
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
59		return (s && (t = oldof(0, char, n = strlen(s) + 1, 0))) ? (char*)memcpy(t, s, n) : (char*)0;

// ttyname(2) fails.
(gdb) f 2
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398					hp->tty = strdup(ttyname(2));

// strace shows ksh is trying to access /dev and /proc.
# strace -fttv chroot /root/NEWROOT /bin/ksh
14:46:55.268541 readlink("/proc/self/fd/2", 0x7f8e91325100, 4095) = -1 ENOENT (No such file or directory)
14:46:55.268558 fstat(2, {st_dev=makedev(0, 11), st_ino=3, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(136, 0), st_atime=2015/05/14-14:46:55, st_mtime=2015/05/14-14:46:55, st_ctime=2015/05/14-14:40:13}) = 0
14:46:55.268583 stat("/dev/pts", 0x7ffff40874e0) = -1 ENOENT (No such file or directory)
14:46:55.268600 open("/dev", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14:46:55.268620 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
14:46:55.298019 +++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
Comment 1 Siteshwar Vashisht 2016-07-08 03:32:39 EDT
There is no 'test.ksh' file attached with this issue. And I have not been able to reproduce this issue by executing 'chroot /root/NEWROOT /bin/ksh'. Please clarify the reproducer steps.
Comment 2 Martin Kyral 2016-07-11 03:49:48 EDT
Sorry for the misleading filename. The reproducer is attached as 'reproducer' to the original bug, of which this bug is a clone: BZ#1221766, and it is included in the TCMS test case as test.sh: http://pkgs.devel.redhat.com/cgit/tests/ksh/tree/Regression/ksh-crashes-under-chroot-environment/test.sh
Comment 3 Siteshwar Vashisht 2016-07-11 07:09:05 EDT
I have been able to reproduce this issue. The backtrace shows that strdup() is being called with a NULL parameter:

#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00000000004a64ae in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x000000000040686f in exfile (shp=shp@entry=0x76e000 <sh>, iop=0x76bd20 <_Sfstdin>, fno=fno@entry=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x000000000040795f in sh_main (ac=<optimized out>, av=0x7fffc4177d28, userinit=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007f90d282eb15 in __libc_start_main (main=0x406640 <main>, argc=1, ubp_av=0x7fffc4177d28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffc4177d18) at libc-start.c:274
#6  0x0000000000406671 in _start ()

It seems fd=2 is not attached to any terminal.

(gdb) frame 2
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398                                     hp->tty = strdup(ttyname(2));
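The NULL dereference described in Comment 3, as an added C example that is not ksh code and not the patch attached to the bug: tty_name_unsafe mirrors the quoted history.c line, tty_name_safe is a hypothetical hardened form, and demo_non_tty_fd uses a pipe to stand in for the fd 2 that ttyname() could not resolve inside the chroot.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Crashing pattern from history.c:398 as quoted in the backtrace.
 * ttyname() returns NULL when the fd is not a terminal, or when the
 * chroot lacks /dev and /proc so the name cannot be resolved (the strace
 * above shows both lookups failing). strdup(NULL) then calls strlen(NULL). */
char *tty_name_unsafe(int fd)
{
    return strdup(ttyname(fd));     /* SIGSEGV when ttyname() returns NULL */
}

/* Hardened variant (hypothetical helper, not the patch attached to the bug):
 * test the pointer before copying and substitute an empty string, so the
 * caller gets a valid allocation and can report an error instead of crashing. */
char *tty_name_safe(int fd)
{
    const char *name = ttyname(fd);
    if (name == NULL)
        name = "";                  /* no tty name available: record none */
    return strdup(name);
}

/* Demonstration: a pipe end is never a terminal, so ttyname() returns NULL
 * for it just as it did for fd 2 inside the chroot. Returns 1 when the raw
 * lookup failed and the safe wrapper still produced a usable string. */
int demo_non_tty_fd(void)
{
    int fds[2], ok = 0;
    if (pipe(fds) != 0)
        return 0;
    const char *raw = ttyname(fds[0]);      /* expected: NULL (ENOTTY) */
    char *copy = tty_name_safe(fds[0]);     /* must not crash */
    if (raw == NULL && copy != NULL && copy[0] == '\0')
        ok = 1;
    free(copy);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void) { return demo_non_tty_fd() ? 0 : 1; }
```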
Comment 4 Siteshwar Vashisht 2016-07-14 02:17:22 EDT
We already have patch for it https://bugzilla.redhat.com/attachment.cgi?id=1040916
Comment 9 errata-xmlrpc 2017-08-01 12:26:55 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

