Bug 167547 - MALLOC_PERTURB_ causes use after free.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bash
rawhide
All Linux
medium Severity medium
Assigned To: Tim Waugh
Ben Levenson
 
Reported: 2005-09-05 01:12 EDT by Dave Jones
Modified: 2015-01-04 17:21 EST
Doc Type: Bug Fix
Last Closed: 2005-10-25 04:58:59 EDT

Description Dave Jones 2005-09-05 01:12:32 EDT
First, put export MALLOC_PERTURB_="204" in your .bashrc

Sometimes, when you ctrl-C an application, it not only kills the app, but the
terminal too, as bash segv's.

Core was generated by `bash'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib64/libtermcap.so.2...Reading symbols from
/usr/lib/debug/lib64/libtermcap.so.2.0.8.debug...done.
done.
Loaded symbols for /lib64/libtermcap.so.2
Reading symbols from /lib64/libdl.so.2...Reading symbols from
/usr/lib/debug/lib64/libdl-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libc.so.6...Reading symbols from
/usr/lib/debug/lib64/libc-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from
/usr/lib/debug/lib64/ld-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libnss_files.so.2...Reading symbols from
/usr/lib/debug/lib64/libnss_files-2.3.90.so.debug...done.
done.
Loaded symbols for /lib64/libnss_files.so.2
#0  dispose_redirects (list=0xcccccccccccccccc) at dispose_cmd.c:298
298           list = list->next;
(gdb) bt
#0  dispose_redirects (list=0xcccccccccccccccc) at dispose_cmd.c:298
#1  0x0000000000424aa6 in dispose_command (command=0x6c3640)
    at dispose_cmd.c:43
#2  0x000000000041a320 in reader_loop () at eval.c:112
#3  0x0000000000419dad in main (argc=1, argv=0x7fffffa10298,
    env=0x7fffffa102a8) at shell.c:714
(gdb)

Note that 'list' is the value that MALLOC_PERTURB poisons with.
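
Added example (not part of the original report, and not bash or glibc code): a small triage helper that checks whether a pointer from a backtrace matches the fill patterns mallopt(3) documents for M_PERTURB, where free() writes the low byte of the setting and malloc() writes its complement. The names classify_pointer, repeat_byte, perturb_verdict and the slack parameter are hypothetical, and 64-bit pointers are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum perturb_verdict {
    PERTURB_NONE,    /* matches neither fill pattern */
    PERTURB_FREED,   /* byte written by free(): points at a use after free */
    PERTURB_UNINIT   /* complement written by malloc(): uninitialized read */
};

/* Build a 64-bit word from one repeated byte: 0xcc -> 0xcccccccccccccccc. */
static uint64_t repeat_byte(uint8_t b)
{
    return (uint64_t)b * 0x0101010101010101ULL;
}

/*
 * Classify `ptr` for a given MALLOC_PERTURB_ setting string.
 * Only the low byte of the setting is used; 0 means perturbing is off.
 * `slack` accepts poison + small member offset, because a fault address
 * is often the poisoned base pointer plus the offset of the field read.
 */
enum perturb_verdict classify_pointer(const char *setting, uint64_t ptr,
                                      uint64_t slack)
{
    uint8_t freed = (uint8_t)(strtol(setting, NULL, 10) & 0xff);
    if (freed == 0)
        return PERTURB_NONE;
    uint64_t freed_word  = repeat_byte(freed);
    uint64_t uninit_word = repeat_byte((uint8_t)~freed);

    if (ptr >= freed_word && ptr - freed_word <= slack)
        return PERTURB_FREED;
    if (ptr >= uninit_word && ptr - uninit_word <= slack)
        return PERTURB_UNINIT;
    return PERTURB_NONE;
}

int main(void)
{
    /* Values taken from the report: MALLOC_PERTURB_=204, list=0xcc...cc */
    enum perturb_verdict v = classify_pointer("204", 0xccccccccccccccccULL, 0);
    printf("%s\n", v == PERTURB_FREED ? "freed-memory poison" : "no match");
    return v == PERTURB_FREED ? 0 : 1;
}
```
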
Comment 1 Tim Waugh 2005-10-17 09:13:20 EDT
I think there was a glibc fix in this area a few weeks ago.  Do you still see
this problem?
Comment 2 Dave Jones 2005-10-25 04:58:59 EDT
Not recently. I'll reopen if it reoccurs, but this may have been more fallout
from the calloc bug that affected x86-64.
