Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Core was generated by `tmux new -s dipa'.
Program terminated with signal 11, Segmentation fault.
#0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001
2001 mov %rdx, -8(%rdi)
(gdb) bt
#0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001
#1 0x00007fcabfbbb262 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:51
#2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574
#3 0x00007fcabfbbdb40 in bufferevent_write (bufev=<optimized out>, data=data@entry=0x2186aa0, size=<optimized out>) at bufferevent.c:379
#4 0x0000000000433dd3 in tty_puts (tty=0x287ce38, s=0x2186aa0 "\033[?1049h") at tty.c:394
#5 0x00000000004344b4 in tty_puts (s=<optimized out>, tty=<optimized out>) at tty.c:357
#6 tty_putcode (tty=<optimized out>, code=<optimized out>) at tty.c:356
#7 0x00000000004347a1 in tty_start_tty (tty=0x7ffd76aa7ef0, tty@entry=0x287ce38) at tty.c:209
#8 0x000000000042906f in server_client_msg_dispatch (c=c@entry=0x286cd30) at server-client.c:881
#9 0x000000000042939d in server_client_callback (fd=<optimized out>, events=<optimized out>, data=0x286cd30) at server-client.c:230
#10 0x00007fcabfbb4a14 in event_process_active_single_queue (activeq=0x1eabe10, base=0x1eab9f0) at event.c:1350
#11 event_process_active (base=<optimized out>) at event.c:1420
#12 event_base_loop (base=0x1eab9f0, flags=flags@entry=1) at event.c:1621
#13 0x00007fcabfbb57c1 in event_loop (flags=flags@entry=1) at event.c:1533
#14 0x000000000042ae4a in server_loop () at server.c:207
#15 0x000000000042b55d in server_start (lockfd=lockfd@entry=6, lockfile=<optimized out>) at server.c:198
#16 0x0000000000404d6a in client_connect (path=0x67d760 <socket_path> "/tmp/tmux-2646576/default", start_server=1) at client.c:124
#17 0x0000000000405045 in client_main (argc=argc@entry=3, argv=argv@entry=0x7ffd76aac830, flags=flags@entry=1) at client.c:221
#18 0x0000000000403a8d in main (argc=3, argv=0x7ffd76aac830) at tmux.c:406
Here we see chain->off is most certainly an invalid value.
(gdb) f 2
#2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574
1574 memcpy(chain->buffer + chain->off, data, datlen);
(gdb) p *chain
$1 = {next = 0x0, buffer_len = 513, misalign = 35770304, off = 140508774549432, flags = 0, buffer = 0x1eabe10 "\220\345\236\002"}
There above backtrace matches exactly a report at tmux-users.net
now archived at https://tmux-users.narkive.com/f91xW7iH/patch-fix-segmentation-fault-in-server-when-a-suspended-client-is-killed
The patch was never applied because the bug was supposed to be fixed in a newer
version. Checking https://github.com/tmux/tmux it should have been fixed in version
2.2 or newer, when a full rewrite was done, otherwise, there is no change in the
code path that leads to the bug.
Reproducer from report @tmux-users works in rhel 7.7:
$ tmux -L bug new-session -d
$ tmux -L bug attach-session
(we are now inside the client)
$ tmux suspend-client
(we are now outside the client)
$ kill -HUP %
[lost server]
$ tmux -L bug attach-session
no sessions
and cut&paste of the patch (never applied):
"""
When handling a MSG_WAKEUP on the server side, do not write to the
client's tty if the tty has been closed (by an earlier MSG_EXITING
message or otherwise). The below patch takes this approach. With the
patch, I can no longer trigger the segmentation fault.
---
server-client.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/server-client.c b/server-client.c
index e225de3..e952246 100644
--- a/server-client.c
+++ b/server-client.c
@@ -889,6 +889,8 @@ server_client_msg_dispatch(struct client *c)
if (c->session != NULL)
session_update_activity(c->session);
+ if (!(c->tty.flags & TTY_OPENED))
+ break;
tty_start_tty(&c->tty);
server_redraw_client(c);
recalculate_sizes();
"""
Created attachment 1622060[details]
tmux-1.8-sfdc02481892.patch
The attached patch, as expected, corrects the reproducer.
BTW, I also needed this pseudo patch to be able to build the package:
-Patch3: tmux-1.8-varrun.patch
+#Patch3: tmux-1.8-varrun.patch
...
-%patch3 -p1
+#%#patch3 -p1
as tmux-1.8-varrun.patch is not in git.
Red Hat Enterprise Linux 7 shipped it's final minor release on September 29th, 2020. 7.9 was the last minor releases scheduled for RHEL 7.
From intial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.
From the RHEL life cycle page:
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase
"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7,Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."
If this BZ was closed in error and meets the above criteria please re-open it flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes:
https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook
Feature Requests can re-opened and moved to RHEL 8 if the desired functionality is not already present in the product.
Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.
[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7
Core was generated by `tmux new -s dipa'. Program terminated with signal 11, Segmentation fault. #0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001 2001 mov %rdx, -8(%rdi) (gdb) bt #0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001 #1 0x00007fcabfbbb262 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:51 #2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574 #3 0x00007fcabfbbdb40 in bufferevent_write (bufev=<optimized out>, data=data@entry=0x2186aa0, size=<optimized out>) at bufferevent.c:379 #4 0x0000000000433dd3 in tty_puts (tty=0x287ce38, s=0x2186aa0 "\033[?1049h") at tty.c:394 #5 0x00000000004344b4 in tty_puts (s=<optimized out>, tty=<optimized out>) at tty.c:357 #6 tty_putcode (tty=<optimized out>, code=<optimized out>) at tty.c:356 #7 0x00000000004347a1 in tty_start_tty (tty=0x7ffd76aa7ef0, tty@entry=0x287ce38) at tty.c:209 #8 0x000000000042906f in server_client_msg_dispatch (c=c@entry=0x286cd30) at server-client.c:881 #9 0x000000000042939d in server_client_callback (fd=<optimized out>, events=<optimized out>, data=0x286cd30) at server-client.c:230 #10 0x00007fcabfbb4a14 in event_process_active_single_queue (activeq=0x1eabe10, base=0x1eab9f0) at event.c:1350 #11 event_process_active (base=<optimized out>) at event.c:1420 #12 event_base_loop (base=0x1eab9f0, flags=flags@entry=1) at event.c:1621 #13 0x00007fcabfbb57c1 in event_loop (flags=flags@entry=1) at event.c:1533 #14 0x000000000042ae4a in server_loop () at server.c:207 #15 0x000000000042b55d in server_start (lockfd=lockfd@entry=6, lockfile=<optimized out>) at server.c:198 #16 0x0000000000404d6a in client_connect (path=0x67d760 <socket_path> "/tmp/tmux-2646576/default", start_server=1) at client.c:124 #17 0x0000000000405045 in client_main (argc=argc@entry=3, argv=argv@entry=0x7ffd76aac830, flags=flags@entry=1) at client.c:221 #18 0x0000000000403a8d in main (argc=3, argv=0x7ffd76aac830) at tmux.c:406 Here we see chain->off is most certainly an invalid value. (gdb) f 2 #2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574 1574 memcpy(chain->buffer + chain->off, data, datlen); (gdb) p *chain $1 = {next = 0x0, buffer_len = 513, misalign = 35770304, off = 140508774549432, flags = 0, buffer = 0x1eabe10 "\220\345\236\002"} There above backtrace matches exactly a report at tmux-users.net now archived at https://tmux-users.narkive.com/f91xW7iH/patch-fix-segmentation-fault-in-server-when-a-suspended-client-is-killed The patch was never applied because the bug was supposed to be fixed in a newer version. Checking https://github.com/tmux/tmux it should have been fixed in version 2.2 or newer, when a full rewrite was done, otherwise, there is no change in the code path that leads to the bug. Reproducer from report @tmux-users works in rhel 7.7: $ tmux -L bug new-session -d $ tmux -L bug attach-session (we are now inside the client) $ tmux suspend-client (we are now outside the client) $ kill -HUP % [lost server] $ tmux -L bug attach-session no sessions and cut&paste of the patch (never applied): """ When handling a MSG_WAKEUP on the server side, do not write to the client's tty if the tty has been closed (by an earlier MSG_EXITING message or otherwise). The below patch takes this approach. With the patch, I can no longer trigger the segmentation fault. --- server-client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server-client.c b/server-client.c index e225de3..e952246 100644 --- a/server-client.c +++ b/server-client.c @@ -889,6 +889,8 @@ server_client_msg_dispatch(struct client *c) if (c->session != NULL) session_update_activity(c->session); + if (!(c->tty.flags & TTY_OPENED)) + break; tty_start_tty(&c->tty); server_redraw_client(c); recalculate_sizes(); """