Red Hat Bugzilla – Bug 1269088
ksh crashes under chroot environment with segmentation fault
Last modified: 2017-08-01 12:26:55 EDT
This bug is present in RHEL 7, too.

Version-Release number of selected component (if applicable):
ksh-20120801-22.el7_1.2

+++ This bug was initially created as a clone of Bug #1221766 +++

Description of problem:
ksh crashes under chroot environment with segmentation fault

Version-Release number of selected component (if applicable):
ksh-20120801-21.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run the following commands.
# cd /root
# ./test.ksh
# ulimit -c unlimited
# chroot /root/NEWROOT /bin/ksh

Actual results:
you will see Segmentation fault (core dumped) and get a corefile like "/root/NEWROOT/core.12345"

Expected results:
Print an error.

Additional info:
(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x0000000000406f2f in exfile (shp=0x76d180, iop=0x76adc0, fno=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x0000000000407e60 in sh_main (ac=<value optimized out>, av=0x7fffc9f22c08, userinit=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007ff93162dd5d in __libc_start_main (main=0x406c00 <main>, argc=1, ubp_av=0x7fffc9f22c08, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffc9f22bf8) at libc-start.c:226
#6  0x0000000000406b39 in _start ()

// strdup takes '\0'.
(gdb) f 1
#1  0x00000000004a7696 in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
59          return (s && (t = oldof(0, char, n = strlen(s) + 1, 0))) ? (char*)memcpy(t, s, n) : (char*)0;

// ttyname(2) fails.
(gdb) f 2
#2  0x000000000041d447 in sh_histinit (sh_context=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398         hp->tty = strdup(ttyname(2));

// strace shows ksh is trying to access /dev and /proc.
# strace -fttv chroot /root/NEWROOT /bin/ksh
...
14:46:55.268541 readlink("/proc/self/fd/2", 0x7f8e91325100, 4095) = -1 ENOENT (No such file or directory)
14:46:55.268558 fstat(2, {st_dev=makedev(0, 11), st_ino=3, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(136, 0), st_atime=2015/05/14-14:46:55, st_mtime=2015/05/14-14:46:55, st_ctime=2015/05/14-14:40:13}) = 0
14:46:55.268583 stat("/dev/pts", 0x7ffff40874e0) = -1 ENOENT (No such file or directory)
14:46:55.268600 open("/dev", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14:46:55.268620 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
14:46:55.298019 +++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
There is no 'test.ksh' file attached with this issue. And I have not been able to reproduce this issue by executing 'chroot /root/NEWROOT /bin/ksh'. Please clarify the reproducer steps.
Sorry for the misleading filename. The reproducer is attached as 'reproducer' to the original bug, of which this bug is a clone: BZ#1221766, and it is included in the TCMS test case as test.sh: http://pkgs.devel.redhat.com/cgit/tests/ksh/tree/Regression/ksh-crashes-under-chroot-environment/test.sh
I have been able to reproduce this issue. Backtrace shows that strdup() is being called with NULL parameter:

#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00000000004a64ae in strdup (s=0x0) at /usr/src/debug/ksh-20120801/src/lib/libast/string/strdup.c:59
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
#3  0x000000000040686f in exfile (shp=shp@entry=0x76e000 <sh>, iop=0x76bd20 <_Sfstdin>, fno=fno@entry=0) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:400
#4  0x000000000040795f in sh_main (ac=<optimized out>, av=0x7fffc4177d28, userinit=<optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/main.c:353
#5  0x00007f90d282eb15 in __libc_start_main (main=0x406640 <main>, argc=1, ubp_av=0x7fffc4177d28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffc4177d18) at libc-start.c:274
#6  0x0000000000406671 in _start ()

It seems fd=2 is not attached to any terminal.

(gdb) frame 2
#2  0x000000000041c76b in sh_histinit (sh_context=sh_context@entry=0x76e000 <sh>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/edit/history.c:398
398         hp->tty = strdup(ttyname(2));
We already have patch for it https://bugzilla.redhat.com/attachment.cgi?id=1040916
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1936