Project

General

Profile

Actions
Copy link

Bug #13720

closed

ksh: segfault on unsetting/changing ${.sh.lineno}

Added by Andy Fiddaman over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Andy Fiddaman
Category:
cmd - userland programs
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:
1417
External Bug:

Description

$ echo ${.sh.lineno}
0
$ typeset -u .sh.lineno
mdb: stop on SIGABRT
> ::umem_status
Status:         ready and active
Concurrency:    32
Logs:           (inactive)
Message buffer:
free(fffffc7feec267f0): invalid or corrupted buffer
stack trace:
libumem.so.1'umem_err_recoverable+0xd3
libumem.so.1'process_free+0xa5
libumem.so.1'umem_malloc_free+0x1a
libast.so.1'_ast_free+0xe
libshell.so.1'_nv_unset+0x460
libshell.so.1'nv_putv+0x9a
libshell.so.1'put_trans+0x231
libshell.so.1'nv_putv+0x14b
libshell.so.1'_nv_unset+0x422
libshell.so.1'nv_newattr+0x4d0
libshell.so.1'setall+0xfcc
libshell.so.1'b_typeset+0x748
libshell.so.1'sh_exec+0x3d68
libshell.so.1'exfile+0xaaf
libshell.so.1'sh_main+0x3da
ksh'main+0x51
ksh'_start_crt+0x87
ksh'_start+0x18

The buffer that it's attempting to free is:

> fffffc7feee467f0::whatis
fffffc7feee467f0 is libshell.so.1`sh+0x90, in /usr/lib/amd64/libshell.so.1 [fffffc7feee41000,fffffc7feee47000)

i.e., it's a pointer to the global &shp->st.lineno and should not be freed.

data/variables.c contains:

        "LINENO",       NV_NOFREE|NV_INTEGER,           (char*)0,
...
        ".sh.lineno",   NV_INTEGER,           (char*)0,

the ${.sh.lineno} instance should also be marked as non-free.
This change is taken from https://github.com/ksh93/ksh/, where they say:

- Running 'unset .sh.lineno' creates a memory fault, so fix that
by giving it the NV_NOFREE attribute. This crash was happening
because ${.sh.lineno} is an integer that cannot be freed from
memory with free(3).

Actions
Copy link
 #1

Updated by Andy Fiddaman over 2 years ago

  • Subject changed from ksh segfault on typeset -u namespaced variables to ksh segfault on unsetting/changing ${.sh.lineno}
Actions
Copy link
 #2

Updated by Andy Fiddaman over 2 years ago

  • Subject changed from ksh segfault on unsetting/changing ${.sh.lineno} to ksh: segfault on unsetting/changing ${.sh.lineno}
Actions
Copy link
 #3

Updated by Electric Monk over 2 years ago

  • Gerrit CR set to 1417
Actions
Copy link
 #4

Updated by Andy Fiddaman over 2 years ago

  • Description updated (diff)
Actions
Copy link
 #5

Updated by Andy Fiddaman over 2 years ago

To test this, I confirmed that unsetting/modifying ${.sh.lineno} no longer causes a segfault. The new test from #13718 also now passes with this variable.

Actions
Copy link
 #6

Updated by Electric Monk over 2 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit b0be34a9836f228ccc040cc619b03ae1fe91256e

commit  b0be34a9836f228ccc040cc619b03ae1fe91256e
Author: Johnothan King <johnothanking@protonmail.com>
Date:   2021-05-04T18:50:34.000Z

    13720 ksh: segfault on unsetting/changing ${.sh.lineno}
    Reviewed by: Robert Mustacchi <rm@fingolfin.org>
    Reviewed by: Andy Fiddaman <andy@omnios.org>
    Approved by: Dan McDonald <danmcd@joyent.com>

Actions
Copy link

Also available in: Atom PDF