
Bug 1426215

Summary: shell segfaults due to invalid pointer in ncurses
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: ncurses
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium
Docs Contact:
Priority: urgent
Version: 7.3
CC: fkrska, jkejda, thozza, toneata
Target Milestone: rc
Keywords: EasyFix, FastFix, Patch, Reproducer, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ncurses-5.9-14.20130511.el7
Doc Type: If docs needed, set a value
Doc Text:
Prior to this update, setting the $TERM environment variable repeatedly caused command-line shells, such as bash, zsh, or tcsh, to terminate unexpectedly. This update fixes an invalid pointer that caused this bug when the ncurses-term package was installed. The described problem no longer occurs.
Story Points: ---
Clone Of:
: 1481714
Environment:
Last Closed: 2018-04-11 10:07:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1420851, 1481714
Attachments:
Fix crash in libtinfo initialization (flags: none)

Description Renaud Métrich 2017-02-23 12:48:27 UTC
Description of problem:

Shell occasionally crashes.

Version-Release number of selected component (if applicable):

5.9

How reproducible:

100% with reproducer below

Steps to Reproduce:

Install a rhel7.3 VM
In a bash or zsh shell, run the following:

for n in `seq 64`; do echo $n; export TERM=foo$n; export TERM=unknown; done

Actual results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Program received signal SIGSEGV, Segmentation fault.

Expected results:

Print numbers from 1 to 64 without crashing.

Additional info:

__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
164		movdqu	(%rdi), %xmm1
(gdb) where
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
#1  0x00007ffff7bc4d48 in _nc_setupterm (tname=tname@entry=0x6fc350 "foo23", Filedes=Filedes@entry=1, 
    errret=errret@entry=0x7fffffffdb14, reuse=reuse@entry=1) at ../../ncurses/tinfo/lib_setup.c:681
#2  0x00007ffff7bc4f33 in tgetent (bufp=0x717660 "؍\232\367\377\177", name=name@entry=0x6fc350 "foo23")
    at ../../ncurses/tinfo/lib_termcap.c:103
#3  0x000000000049edd7 in _rl_init_terminal_io (terminal_name=<optimized out>) at terminal.c:452
#4  0x000000000049f0ed in rl_reset_terminal (terminal_name=<optimized out>) at terminal.c:594
#5  0x000000000044b59c in do_assignment_internal (word=word@entry=0x7fffffffdbf0, expand=expand@entry=0)
    at subst.c:2821
#6  0x000000000044b73a in do_assignment_no_expand (string=string@entry=0x70d950 "TERM=foo23") at subst.c:2881
#7  0x000000000047718d in set_or_show_attributes (list=0x6f8450, attribute=1, nodefs=<optimized out>)
    at ./setattr.def:248
#8  0x000000000042f22f in execute_builtin (builtin=builtin@entry=0x477300 <export_builtin>, flags=<optimized out>, 
    flags@entry=0, subshell=subshell@entry=0, words=<optimized out>) at execute_cmd.c:4138
#9  0x0000000000431319 in execute_builtin_or_function (flags=0, fds_to_close=0x70d7a0, redirects=<optimized out>, 
    var=0x0, builtin=0x477300 <export_builtin>, words=0x6f9090) at execute_cmd.c:4563
#10 execute_simple_command (simple_command=<optimized out>, pipe_in=pipe_in@entry=-1, pipe_out=pipe_out@entry=-1, 
    async=async@entry=0, fds_to_close=fds_to_close@entry=0x70d7a0) at execute_cmd.c:3973
#11 0x00000000004326ab in execute_command_internal (command=0x6f51d0, asynchronous=0, pipe_in=-1, pipe_out=-1, 
    fds_to_close=0x70d7a0) at execute_cmd.c:747
#12 0x00000000004324c0 in execute_connection (fds_to_close=0x70d7a0, pipe_out=-1, pipe_in=-1, asynchronous=0, 
    command=0x6f5230) at execute_cmd.c:2355
#13 execute_command_internal (command=0x6f5230, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x70d7a0)
    at execute_cmd.c:903
#14 0x0000000000433b5e in execute_command (command=0x6f5230) at execute_cmd.c:386
#15 0x0000000000432484 in execute_connection (fds_to_close=0x6f82d0, pipe_out=-1, pipe_in=-1, asynchronous=0, 
    command=0x6f5ae0) at execute_cmd.c:2353
#16 execute_command_internal (command=0x6f5ae0, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x6f82d0)
    at execute_cmd.c:903
#17 0x0000000000433b5e in execute_command (command=0x6f5ae0) at execute_cmd.c:386
#18 0x0000000000432ec5 in execute_for_command (for_command=0x6f5b10) at execute_cmd.c:2538
#19 execute_command_internal (command=0x6f5860, asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1, 
    pipe_out=pipe_out@entry=-1, fds_to_close=fds_to_close@entry=0x6f5f50) at execute_cmd.c:815
#20 0x000000000046f494 in parse_and_execute (string=<optimized out>, from_file=from_file@entry=0x4a6970 "-c", 
    flags=flags@entry=4) at evalstring.c:340
#21 0x000000000041d780 in run_one_command (command=<optimized out>) at shell.c:1325
#22 0x000000000041c5dc in main (argc=3, argv=0x7fffffffe448, env=0x7fffffffe468) at shell.c:698
(gdb) frame 1
#1  0x00007ffff7bc4d48 in _nc_setupterm (tname=tname@entry=0x6fc350 "foo23", Filedes=Filedes@entry=1, 
    errret=errret@entry=0x7fffffffdb14, reuse=reuse@entry=1) at ../../ncurses/tinfo/lib_setup.c:681
681		&& !strcmp(termp->_termname, tname)
(gdb) list
676	     */
677	    if (reuse
678		&& (termp != 0)
679		&& termp->Filedes == Filedes
680		&& termp->_termname != 0
681		&& !strcmp(termp->_termname, tname)
682		&& _nc_name_match(termp->type.term_names, tname, "|")) {
683		T(("reusing existing terminal information and mode-settings"));
684		code = OK;
685	#ifdef USE_TERM_DRIVER
(gdb) print tname
$1 = 0x6fc350 "foo23"
(gdb) print termp
$2 = (TERMINAL *) 0x711f90
(gdb) print termp->_termname 
$3 = 0x4 <Address 0x4 out of bounds>
(gdb)

Comment 2 Renaud Métrich 2017-02-23 12:52:45 UTC
This issue is fixed with ncurses-5.9 patch 20130608.
I have tested it on my test setup.

Comment 4 Miroslav Lichvar 2017-02-23 13:38:48 UTC
Please note that the reproducer needs the ncurses-term subpackage to be installed. Without ncurses-term, it didn't crash for me.

Comment 5 Renaud Métrich 2017-02-23 13:39:28 UTC
Indeed, forgot to mention that.

Comment 7 Miroslav Lichvar 2017-03-06 10:26:05 UTC
Created attachment 1260344
Fix crash in libtinfo initialization