Core was generated by `tmux new -s dipa'. Program terminated with signal 11, Segmentation fault. #0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001 2001 mov %rdx, -8(%rdi) (gdb) bt #0 __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2001 #1 0x00007fcabfbbb262 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:51 #2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574 #3 0x00007fcabfbbdb40 in bufferevent_write (bufev=<optimized out>, data=data@entry=0x2186aa0, size=<optimized out>) at bufferevent.c:379 #4 0x0000000000433dd3 in tty_puts (tty=0x287ce38, s=0x2186aa0 "\033[?1049h") at tty.c:394 #5 0x00000000004344b4 in tty_puts (s=<optimized out>, tty=<optimized out>) at tty.c:357 #6 tty_putcode (tty=<optimized out>, code=<optimized out>) at tty.c:356 #7 0x00000000004347a1 in tty_start_tty (tty=0x7ffd76aa7ef0, tty@entry=0x287ce38) at tty.c:209 #8 0x000000000042906f in server_client_msg_dispatch (c=c@entry=0x286cd30) at server-client.c:881 #9 0x000000000042939d in server_client_callback (fd=<optimized out>, events=<optimized out>, data=0x286cd30) at server-client.c:230 #10 0x00007fcabfbb4a14 in event_process_active_single_queue (activeq=0x1eabe10, base=0x1eab9f0) at event.c:1350 #11 event_process_active (base=<optimized out>) at event.c:1420 #12 event_base_loop (base=0x1eab9f0, flags=flags@entry=1) at event.c:1621 #13 0x00007fcabfbb57c1 in event_loop (flags=flags@entry=1) at event.c:1533 #14 0x000000000042ae4a in server_loop () at server.c:207 #15 0x000000000042b55d in server_start (lockfd=lockfd@entry=6, lockfile=<optimized out>) at server.c:198 #16 0x0000000000404d6a in client_connect (path=0x67d760 <socket_path> "/tmp/tmux-2646576/default", start_server=1) at client.c:124 #17 0x0000000000405045 in client_main (argc=argc@entry=3, argv=argv@entry=0x7ffd76aac830, flags=flags@entry=1) at client.c:221 #18 0x0000000000403a8d in main (argc=3, argv=0x7ffd76aac830) at tmux.c:406 Here we see chain->off is most certainly an invalid value. (gdb) f 2 #2 evbuffer_add (buf=0x221cfd0, data_in=data_in@entry=0x2186aa0, datlen=8) at buffer.c:1574 1574 memcpy(chain->buffer + chain->off, data, datlen); (gdb) p *chain $1 = {next = 0x0, buffer_len = 513, misalign = 35770304, off = 140508774549432, flags = 0, buffer = 0x1eabe10 "\220\345\236\002"} There above backtrace matches exactly a report at tmux-users.net now archived at https://tmux-users.narkive.com/f91xW7iH/patch-fix-segmentation-fault-in-server-when-a-suspended-client-is-killed The patch was never applied because the bug was supposed to be fixed in a newer version. Checking https://github.com/tmux/tmux it should have been fixed in version 2.2 or newer, when a full rewrite was done, otherwise, there is no change in the code path that leads to the bug. Reproducer from report @tmux-users works in rhel 7.7: $ tmux -L bug new-session -d $ tmux -L bug attach-session (we are now inside the client) $ tmux suspend-client (we are now outside the client) $ kill -HUP % [lost server] $ tmux -L bug attach-session no sessions and cut&paste of the patch (never applied): """ When handling a MSG_WAKEUP on the server side, do not write to the client's tty if the tty has been closed (by an earlier MSG_EXITING message or otherwise). The below patch takes this approach. With the patch, I can no longer trigger the segmentation fault. --- server-client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server-client.c b/server-client.c index e225de3..e952246 100644 --- a/server-client.c +++ b/server-client.c @@ -889,6 +889,8 @@ server_client_msg_dispatch(struct client *c) if (c->session != NULL) session_update_activity(c->session); + if (!(c->tty.flags & TTY_OPENED)) + break; tty_start_tty(&c->tty); server_redraw_client(c); recalculate_sizes(); """
Created attachment 1622060 [details] tmux-1.8-sfdc02481892.patch The attached patch, as expected, corrects the reproducer. BTW, I also needed this pseudo patch to be able to build the package: -Patch3: tmux-1.8-varrun.patch +#Patch3: tmux-1.8-varrun.patch ... -%patch3 -p1 +#%#patch3 -p1 as tmux-1.8-varrun.patch is not in git.
Red Hat Enterprise Linux 7 shipped it's final minor release on September 29th, 2020. 7.9 was the last minor releases scheduled for RHEL 7. From intial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed. From the RHEL life cycle page: https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase "During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7,Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available." If this BZ was closed in error and meets the above criteria please re-open it flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes: https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook Feature Requests can re-opened and moved to RHEL 8 if the desired functionality is not already present in the product. Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns. [0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7