Description of problem:
I have an alias: delenv eval `delenv.pl !*`
When I call
delenv PYTHONPATH /shows/cis/sw/lib/python/common /shows/cis/sw/lib/python/`/bin/uname -i`
tcsh will core dump. When I call
delenv PYTHONPATH /shows/cis/sw/lib/python/common /shows/cis/sw/lib/pytho/x86_64
tcsh does not core dump. It seems to be tied to the backtick evaluation on an alias that also has backtick evaluation.

Version-Release number of selected component (if applicable): 6.14-17.el5_5.2
The actual alias is alias delenv 'eval `delenv.pl \!*`'
Robert, do you have any other reproducer? Unfortunately, I can't find out any test case to crash the program.
Created attachment 492179: Demonstrate core dump with multiple backtick evaluation
Please extract into /var/tmp
Thank you for the reproducer, Robert! The bug will be solved by new component tcsh617 in RHEL-5.7, moving bz to this new component. Pword() and other string related functions are rewritten from scratch in tcsh 6.17 so there is no such buffer overflow as described below.

--- Details of the issue in tcsh 6.14:

Core dump:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000414a2e in pword (bufsiz=10240) at sh.glob.c:1094
1094 pargv[pargc++] = Strsave(pargs);
(gdb) bt
#0 0x0000000000414a2e in pword (bufsiz=10240) at sh.glob.c:1094
#1 0x0000000000416049 in dobackp (cp=<value optimized out>, literal=0) at sh.glob.c:835
#2 0x00000000004160e6 in globexpand (v=0x6d5e70) at sh.glob.c:356
#3 0x0000000000416518 in globall (v=0x6d5e68) at sh.glob.c:707
#4 0x0000000000413664 in doeval (v=<value optimized out>, c=<value optimized out>) at sh.func.c:2337
#5 0x0000000000421534 in execute (t=0x6dace0, wanttty=<value optimized out>, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:652
#6 0x0000000000421042 in execute (t=0x6daca0, wanttty=-1, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:740
#7 0x000000000040424f in process (catch=1) at sh.c:2180
#8 0x0000000000405edb in main (argc=<value optimized out>, argv=<value optimized out>) at sh.c:1362

Patch to fix the issue (fixes possible buffer overflow when pargc is greater than exact tested value):
--- sh.glob.c-orig 2011-04-18 15:14:08.614338311 +0200 +++ sh.glob.c 2011-04-18 15:14:13.122425349 +0200 
@@ -1085,7 +1085,7 @@ pword(bufsiz) int bufsiz; { psave(0); - if (pargc == pargsiz - 1) { + if (pargc >= pargsiz - 1) { pargsiz += GLOBSPACE; pargv = (Char **) xrealloc((ptr_t) pargv, (size_t) (pargsiz * sizeof(Char *)));
---
Unfortunately, the simple patch reveals another weird bug (glibc related):
Program terminated with signal 11, Segmentation fault.
#0 _int_malloc (av=0x3c699971c0, bytes=<value optimized out>) at malloc.c:4628
4628 size = chunksize(victim);
(gdb) bt
#0 _int_malloc (av=0x3c699971c0, bytes=<value optimized out>) at malloc.c:4628
#1 0x0000003c69679ffd in __libc_malloc (bytes=24) at malloc.c:3660
#2 0x000000000043c052 in smalloc (n=24) at tc.alloc.c:498
#3 0x000000000041bd58 in lex (hp=0x678d20) at sh.lex.c:188
#4 0x00000000004040db in process (catch=0) at sh.c:2097
#5 0x000000000041373f in doeval (v=<value optimized out>, c=<value optimized out>) at sh.func.c:2372
#6 0x0000000000421534 in execute (t=0xcda0c0, wanttty=<value optimized out>, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:652
#7 0x0000000000421042 in execute (t=0xcda080, wanttty=-1, pipein=0x0, pipeout=0x0, do_glob=1) at sh.sem.c:740
#8 0x000000000040424f in process (catch=1) at sh.c:2180
#9 0x0000000000405edb in main (argc=<value optimized out>, argv=<value optimized out>) at sh.c:1362
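Review bot: changing the test to `if (pargc >= pargsiz - 1)` widens when the grow path fires, but the body still adds a single GLOBSPACE, so if pargc has already run past pargsiz - 1 by more than GLOBSPACE when pword() is re-entered from the nested dobackp() call, the store `pargv[pargc++] = Strsave(pargs);` at sh.glob.c:1094 is still out of bounds. Grow until the index fits (`while (pargc >= pargsiz - 1) pargsiz += GLOBSPACE;` before the xrealloc, or size directly to pargc + 2), and trace why pargc gets out of step with pargsiz across the nested command substitutions in the first place: the follow-on crash in _int_malloc at malloc.c:4628 is consistent with heap metadata already corrupted by an earlier out-of-bounds write rather than a separate glibc defect.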
Reproducer:
#!/bin/tcsh
alias testecho '`echo echo \!*`'
testecho This works
testecho This core dumps `echo me`
Should the reproducer be
#!/bin/tcsh
alias testecho 'echo `echo \!*`'
testecho This works
testecho This core dumps `echo me`
Notice the change in the testecho alias.
Robert, both variants are OK.
$ `echo echo ...`
...
$ echo `echo ...`
...
Bugfix was successfully verified on tcsh617-6.17-5.el5 package. tcsh can handle multiple backtick evaluation now.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When tcsh evaluated a backquoted command (using command substitution) which itself contained backquotes, it could have dumped core due to a buffer overflow. With this update, nested command substitutions are now handled correctly, and tcsh no longer dumps core in this situation.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1072.html
Errata contains a small grammar error. It currently reads "An new tcsh617 package". It should read "A new tcsh617 package".