Bug 183456 - Possible race in pipeline built
Summary: Possible race in pipeline built
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: bash
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 143573
TreeView+ depends on / blocked
 
Reported: 2006-03-01 09:42 UTC by Bastien Nocera
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-03-13 20:45:23 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:206 normal SHIPPED_LIVE bash bug fix update 2006-03-13 05:00:00 UTC

Description Bastien Nocera 2006-03-01 09:42:11 UTC 
+++ This bug was initially created as a clone of Bug #181656 +++

Description of problem:
segfault while running a process intensive shell script

Version-Release number of selected component (if applicable):
bash-2.05b-29

How reproducible:
Once

Here is the backtrace:
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libtermcap.so.2...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/libdl.so.2...
Reading symbols from /usr/lib/debug//lib/libdl-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/tls/libc.so.6.1...
Reading symbols from /usr/lib/debug//lib/tls/libc-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/tls/libc.so.6.1
Reading symbols from /lib/ld-linux-ia64.so.2...
Reading symbols from /usr/lib/debug//lib/ld-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/ld-linux-ia64.so.2
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
893     {
(gdb) frame 0
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
893     {
(gdb) list
888     static PROCESS *
889     find_pipeline (pid, running_only, jobp)
890          pid_t pid;
891          int running_only;
892          int *jobp;         /* index into jobs list or NO_JOB */
893     {
894       int job;
895       register PROCESS *p;
896
897       /* See if this process is in the pipeline that we are building. */
(gdb) bt
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
#1  0x4000000000062850 in waitchld (wpid=-1, block=63080) at jobs.c:2468
#2  0x40000000000626a0 in sigchld_handler (sig=63080) at jobs.c:2398
#3  <signal handler called>
#4  waitchld (wpid=Cannot access memory at address 0xffffffffffffff70
) at jobs.c:2468
Cannot access memory at address 0xffffffffffffffe8

903           do
904             {
905               /* Return it if we found it. */
906               if (p->pid == pid)
907                 {
908                   if ((running_only && PRUNNING(p)) || (running_only == 0))
909                     return (p);
910                 }
911
912               p = p->next;
913             }
914           while (p != the_pipeline);

Looks like p != NULL isn't checked, which could be problematic if you get to the
end of the list without finding "the_pipeline".

Hand-diff:
-           while (p != the_pipeline);
+           while (p != NULL && p != the_pipeline);

-- Additional comment from kmori@redhat.com on 2006-02-21 21:36 EST --
Created an attachment (id=125000)
Reproduction case


-- Additional comment from kmori@redhat.com on 2006-02-21 21:38 EST --
Created an attachment (id=125001)
Fix patch backported from upstream
Comment 7 Red Hat Bugzilla 2006-03-13 20:45:23 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-206.html
Note You need to log in before you can comment on or make changes to this bug.