Bug 922851 - exec a script causes a fork bomb when receiving SIGTSTP
Summary: exec a script causes a fork bomb when receiving SIGTSTP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ksh
Version: 6.4
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Michal Hlavinka
QA Contact: Martin Kyral
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-18 16:56 UTC by Dennis Kanbier
Modified: 2013-11-21 10:54 UTC (History)
2 users (show)

Fixed In Version: ksh-20120801-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:54:29 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1599 normal SHIPPED_LIVE ksh bug fix and enhancement update 2013-11-20 21:39:22 UTC

Description Dennis Kanbier 2013-03-18 16:56:06 UTC 
Description of problem:

Calling a subshell within a script started by exec can cause the exec'ed script to call itself indefinitely, much like a fork bomb. 

Note: be careful with the test case, as it may make your system unstable.

Version-Release number of selected component (if applicable):

ksh-20100621-5.el5

How reproducible:

100% of the time

Steps to Reproduce:
1. Create an executable file "foo" with the following two strings:
$ cat /root/foo
vi /tmp/bar
# Comment needed to trigger the bomb

2. Start a KSH session and exec the foo script:
$ ksh
$ exec /root/foo

3. You are now in a VI session. Send the TSTP signal to VI using CTRL-Z, close VI using :q.
  
Actual results:

/root/foo spawns itself as a child until it hits the nproc limit and is unable to fork any more processes.

Expected results:

The VI session drops to the background and can be recalled using "fg".

Additional info:

Unable to reproduce using bash. Still reproduces using the updated KSH RPM's from bug https://bugzilla.redhat.com/show_bug.cgi?id=892206
Comment 1 Dennis Kanbier 2013-03-18 19:13:00 UTC 
Some more information on how the processes look:

$ ps -ef --forest
root      4741     1  0 20:11 pts/0    00:00:00 /root/foo
root      4742  4741  0 20:11 pts/0    00:00:00  \_ /root/foo
root      4743  4742  0 20:11 pts/0    00:00:00      \_ /root/foo
root      4744  4743  0 20:11 pts/0    00:00:00          \_ /root/foo
root      4745  4744  0 20:11 pts/0    00:00:00              \_ /root/foo
...
Comment 2 Michal Hlavinka 2013-03-19 15:43:05 UTC 
thanks for reporting
reproducible
Comment 3 Dennis Kanbier 2013-03-28 16:55:57 UTC 
Reproduces in RHEL6 as well:

$ ksh --version
  version         sh (AT&T Research) 93t+ 2010-06-21
$ rpm -qa |grep ksh
ksh-20100621-19.el6.x86_64

On RHEL6 the script sometimes gives a Memory fault without spawning unlimited childs:

$ exec /root/foo
/root/foo: line 1: 0:
/root/foo: line 1: 2396: Memory fault
Comment 4 Michal Hlavinka 2013-04-30 14:31:09 UTC 
There is already another ksh fork bomb bug reported for RHEL5 - bug #910923
Instead of closing this as a duplicate, I'll use it for tracking this bug in RHEL6
Comment 5 Dennis Kanbier 2013-05-01 08:29:14 UTC 
I'm not authorized to see that bug, I guess that is why it missed the search. 

Any details on the bug (hunting) yet?
Comment 7 Michal Hlavinka 2013-05-10 11:55:50 UTC 
(In reply to comment #5)
> Any details on the bug (hunting) yet?

We have patch ready for next update
Comment 12 errata-xmlrpc 2013-11-21 10:54:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1599.html
Note You need to log in before you can comment on or make changes to this bug.