Bug 183456 – Possible race in pipeline built

Bug 183456 - Possible race in pipeline built

Summary:	Possible race in pipeline built

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 2.1
Classification:	Red Hat
Component:	bash (Show other bugs)
Sub Component:
Version:	2.1
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Tim Waugh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	143573
	Show dependency tree / graph

Reported:	2006-03-01 04:42 EST by Bastien Nocera
Modified:	2007-11-30 17:06 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:	RHBA-2005-206
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-03-13 15:45:23 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2005:206	normal	SHIPPED_LIVE	bash bug fix update	2006-03-13 00:00:00 EST

Groups: None (edit)

Description Bastien Nocera 2006-03-01 04:42:11 EST

+++ This bug was initially created as a clone of Bug #181656 +++

Description of problem:
segfault while running a process intensive shell script

Version-Release number of selected component (if applicable):
bash-2.05b-29

How reproducible:
Once

Here is the backtrace:
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libtermcap.so.2...done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/libdl.so.2...
Reading symbols from /usr/lib/debug//lib/libdl-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/tls/libc.so.6.1...
Reading symbols from /usr/lib/debug//lib/tls/libc-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/tls/libc.so.6.1
Reading symbols from /lib/ld-linux-ia64.so.2...
Reading symbols from /usr/lib/debug//lib/ld-2.3.2.so.debug...done.
done.
Loaded symbols for /lib/ld-linux-ia64.so.2
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
893     {
(gdb) frame 0
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
893     {
(gdb) list
888     static PROCESS *
889     find_pipeline (pid, running_only, jobp)
890          pid_t pid;
891          int running_only;
892          int *jobp;         /* index into jobs list or NO_JOB */
893     {
894       int job;
895       register PROCESS *p;
896
897       /* See if this process is in the pipeline that we are building. */
(gdb) bt
#0  find_pipeline (pid=16856, running_only=1, jobp=0x60000fffffffa424)
   at jobs.c:893
#1  0x4000000000062850 in waitchld (wpid=-1, block=63080) at jobs.c:2468
#2  0x40000000000626a0 in sigchld_handler (sig=63080) at jobs.c:2398
#3  <signal handler called>
#4  waitchld (wpid=Cannot access memory at address 0xffffffffffffff70
) at jobs.c:2468
Cannot access memory at address 0xffffffffffffffe8

903           do
904             {
905               /* Return it if we found it. */
906               if (p->pid == pid)
907                 {
908                   if ((running_only && PRUNNING(p)) || (running_only == 0))
909                     return (p);
910                 }
911
912               p = p->next;
913             }
914           while (p != the_pipeline);

Looks like p != NULL isn't checked, which could be problematic if you get to the
end of the list without finding "the_pipeline".

Hand-diff:
-           while (p != the_pipeline);
+           while (p != NULL && p != the_pipeline);

-- Additional comment from kmori@redhat.com on 2006-02-21 21:36 EST --
Created an attachment (id=125000)
Reproduction case


-- Additional comment from kmori@redhat.com on 2006-02-21 21:38 EST --
Created an attachment (id=125001)
Fix patch backported from upstream

Comment 7 Red Hat Bugzilla 2006-03-13 15:45:23 EST

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-206.html

Note You need to log in before you can comment on or make changes to this bug.