Bug 186422 - Trashes stack and segfaults with test case
Trashes stack and segfaults with test case
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pdksh (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Smetana
:
Depends On:
Blocks: 246627
  Show dependency treegraph
 
Reported: 2006-03-23 09:36 EST by Bastien Nocera
Modified: 2010-10-22 00:46 EDT (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2007-0667
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-15 10:56:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
pdksh-testcase.tar.gz (682 bytes, application/octet-stream)
2006-03-23 09:49 EST, Bastien Nocera
no flags Details

  None (edit)
Description Bastien Nocera 2006-03-23 09:36:54 EST
pdksh-5.2.14-30.3

1. Launch "./test" in the test tarball attach
2. Wait a couple of seconds
3. See segfault

BT:
#0  0x0035f9f8 in strcmp () from /lib/tls/libc.so.6
#1  0x08059cf6 in error_prefix (fileline=1) at io.c:132
#2  0x08059de8 in bi_errorf (fmt=0x806f9ba "%s: %s") at io.c:79
#3  0x0804c1fd in c_kill (wp=0x9ae94c4) at c_ksh.c:1282
#4  0x08055c84 in call_builtin (tp=0x9adf790, wp=0x9ae94c4) at exec.c:1282
#5  0x0805793f in comexec (t=0x9ae7b50, tp=0x9adf790, ap=0x9ae94c4, flags=0) at
exec.c:592
#6  0x08056d95 in execute (t=0x9ae7b50, flags=0) at exec.c:156
#7  0x08056c73 in execute (t=0x9ae7b20, flags=0) at exec.c:194
#8  0x08056892 in execute (t=0x9ae9420, flags=0) at exec.c:277
#9  0x08057a47 in comexec (t=0x9ae32d0, tp=0x9ae3148, ap=0x9ae5f9c, flags=0) at
exec.c:667
#10 0x08056d95 in execute (t=0x9ae32d0, flags=0) at exec.c:156
#11 0x08056c73 in execute (t=0x9ae32a0, flags=0) at exec.c:194
#12 0x08056892 in execute (t=0x9ae31b8, flags=0) at exec.c:277
#13 0x08057a47 in comexec (t=0x9ae44d0, tp=0x9ae3180, ap=0x9ae4a74, flags=0) at
exec.c:667
#14 0x08056d95 in execute (t=0x9ae44d0, flags=0) at exec.c:156
#15 0x0805fee3 in shell (s=0x9ae2828, toplevel=1) at main.c:616
#16 0x08060845 in main (argc=0, argv=0xbfeebd04) at main.c:429

Valgrind is a bit better:
==623== Invalid read of size 4
==623==    at 0x8059D2D: error_prefix (io.c:131)
==623==    by 0x8059E37: bi_errorf (io.c:79)
==623==    by 0x804C24C: c_kill (c_ksh.c:1282)
==623==    by 0x8055CD3: call_builtin (exec.c:1282)
==623==    by 0x805798E: comexec (exec.c:592)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x8056CC2: execute (exec.c:194)
==623==    by 0x80568E1: execute (exec.c:277)
==623==    by 0x8057A96: comexec (exec.c:667)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x8056CC2: execute (exec.c:194)
==623==    by 0x80568E1: execute (exec.c:277)
==623==  Address 0x405C6C4 is 60 bytes inside a block of size 1,696 free'd
==623==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==623==    by 0x804996C: afreeall (alloc.c:158)
==623==    by 0x805FBF4: reclaim (main.c:772)
==623==    by 0x805FC58: quitenv (main.c:696)
==623==    by 0x805FD8C: unwind (main.c:658)
==623==    by 0x804D61C: c_brkcont (c_sh.c:620)
==623==    by 0x8055CD3: call_builtin (exec.c:1282)
==623==    by 0x805798E: comexec (exec.c:592)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x80568E1: execute (exec.c:277)
==623==    by 0x8056A5C: execute (exec.c:270)
==623==    by 0x80572D0: execute (exec.c:372)
==623==
==623== Invalid read of size 4
==623==    at 0x8059CED: error_prefix (io.c:134)
==623==    by 0x8059E37: bi_errorf (io.c:79)
==623==    by 0x804C24C: c_kill (c_ksh.c:1282)
==623==    by 0x8055CD3: call_builtin (exec.c:1282)
==623==    by 0x805798E: comexec (exec.c:592)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x8056CC2: execute (exec.c:194)
==623==    by 0x80568E1: execute (exec.c:277)
==623==    by 0x8057A96: comexec (exec.c:667)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x8056CC2: execute (exec.c:194)
==623==    by 0x80568E1: execute (exec.c:277)
==623==  Address 0x405C6C4 is 60 bytes inside a block of size 1,696 free'd
==623==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==623==    by 0x804996C: afreeall (alloc.c:158)
==623==    by 0x805FBF4: reclaim (main.c:772)
==623==    by 0x805FC58: quitenv (main.c:696)
==623==    by 0x805FD8C: unwind (main.c:658)
==623==    by 0x804D61C: c_brkcont (c_sh.c:620)
==623==    by 0x8055CD3: call_builtin (exec.c:1282)
==623==    by 0x805798E: comexec (exec.c:592)
==623==    by 0x8056DE4: execute (exec.c:156)
==623==    by 0x80568E1: execute (exec.c:277)
==623==    by 0x8056A5C: execute (exec.c:270)
==623==    by 0x80572D0: execute (exec.c:372)

The memory management looks convoluted to say the least.
Comment 1 Bastien Nocera 2006-03-23 09:49:53 EST
Created attachment 126549 [details]
pdksh-testcase.tar.gz
Comment 12 RHEL Product and Program Management 2007-05-09 06:39:46 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 18 errata-xmlrpc 2007-11-15 10:56:49 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0667.html

Note You need to log in before you can comment on or make changes to this bug.