Bug #13720

closed

ksh: segfault on unsetting/changing ${.sh.lineno}

Added by Andy Fiddaman about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: cmd - userland programs
% Done: 100%
Difficulty: Medium
Description

$ echo ${.sh.lineno}
0
$ typeset -u .sh.lineno
mdb: stop on SIGABRT
> ::umem_status
Status:         ready and active
Concurrency:    32
Logs:           (inactive)
Message buffer:
free(fffffc7feec267f0): invalid or corrupted buffer
stack trace:
libumem.so.1'umem_err_recoverable+0xd3
libumem.so.1'process_free+0xa5
libumem.so.1'umem_malloc_free+0x1a
libast.so.1'_ast_free+0xe
libshell.so.1'_nv_unset+0x460
libshell.so.1'nv_putv+0x9a
libshell.so.1'put_trans+0x231
libshell.so.1'nv_putv+0x14b
libshell.so.1'_nv_unset+0x422
libshell.so.1'nv_newattr+0x4d0
libshell.so.1'setall+0xfcc
libshell.so.1'b_typeset+0x748
libshell.so.1'sh_exec+0x3d68
libshell.so.1'exfile+0xaaf
libshell.so.1'sh_main+0x3da
ksh'main+0x51
ksh'_start_crt+0x87
ksh'_start+0x18

The buffer that it's attempting to free is:

> fffffc7feee467f0::whatis
fffffc7feee467f0 is libshell.so.1`sh+0x90, in /usr/lib/amd64/libshell.so.1 [fffffc7feee41000,fffffc7feee47000)

i.e., it's a pointer to the global &shp->st.lineno and should not be freed.

data/variables.c contains:

        "LINENO",       NV_NOFREE|NV_INTEGER,           (char*)0,
...
        ".sh.lineno",   NV_INTEGER,           (char*)0,

The ${.sh.lineno} entry should also be marked NV_NOFREE.
This change is taken from https://github.com/ksh93/ksh/, whose changelog says:

- Running 'unset .sh.lineno' creates a memory fault, so fix that
by giving it the NV_NOFREE attribute. This crash was happening
because ${.sh.lineno} is an integer that cannot be freed from
memory with free(3).
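The following is an added C illustration for this report, not ksh, illumos or ksh93 code. It models the ownership rule the crash violates: a variable node whose value pointer refers to global shell state must carry NV_NOFREE so the unset path never passes that pointer to free(3). The table builder produces .sh.lineno both as it was and with the NV_NOFREE fix applied, and the unset routine also performs the same region check that ::whatis did in the report, so an unflagged pointer into global state is caught rather than handed to the allocator. Only the attribute names NV_NOFREE and NV_INTEGER come from the report; Namval, sh_state, ptr_in_region, nv_unset_model and build_table are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/*
 * Added illustration, not ksh or illumos source.  Only NV_NOFREE and
 * NV_INTEGER are attribute names from the report; everything else here
 * (Namval, sh_state, ptr_in_region, nv_unset_model, build_table) is a
 * hypothetical stand-in for the real data structures.
 */
#define NV_INTEGER 0x1
#define NV_NOFREE  0x2

typedef struct {
    const char *name;
    unsigned    flags;
    void       *value;   /* heap buffer, or a pointer into static storage */
} Namval;

/* Stand-in for the shell's global state block (the report's shp->st.lineno). */
struct sh_state_model { long lineno; char other[64]; };
struct sh_state_model sh_state = { 42, { 0 } };

/* Debug aid mirroring the ::whatis check in the report: does p fall inside
 * the region [base, base + len)? */
static int ptr_in_region(const void *p, const void *base, size_t len)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && a < b + len;
}

/*
 * Unset a variable.  Returns 1 if the value was freed, 0 if the node did not
 * own it (NV_NOFREE) or had none, and -1 if free() was about to receive a
 * pointer into global state, i.e. the fault libumem reported.  A real build
 * would abort at that point; returning -1 keeps the model testable.
 */
int nv_unset_model(Namval *np)
{
    if (np->value == NULL)
        return 0;
    if (np->flags & NV_NOFREE) {
        np->value = NULL;        /* drop the reference; the storage lives on */
        return 0;
    }
    if (ptr_in_region(np->value, &sh_state, sizeof sh_state))
        return -1;               /* would corrupt the heap, not release anything */
    free(np->value);
    np->value = NULL;
    return 1;
}

/*
 * Constructed table of three nodes: LINENO as data/variables.c declares it,
 * .sh.lineno either as it was (fixed == 0) or with the NV_NOFREE fix
 * (fixed != 0), plus a heap-backed variable for contrast.
 */
Namval *build_table(int fixed)
{
    Namval *t = calloc(3, sizeof *t);
    char *heapval = malloc(6);
    if (t == NULL || heapval == NULL)
        abort();
    strcpy(heapval, "hello");
    t[0].name = "LINENO";     t[0].flags = NV_NOFREE | NV_INTEGER;             t[0].value = &sh_state.lineno;
    t[1].name = ".sh.lineno"; t[1].flags = NV_INTEGER | (fixed ? NV_NOFREE : 0); t[1].value = &sh_state.lineno;
    t[2].name = "HEAPVAR";    t[2].flags = 0;                                   t[2].value = heapval;
    return t;
}

int main(void)
{
    Namval *before = build_table(0), *after = build_table(1);
    printf("unset .sh.lineno without NV_NOFREE: %d (free of global state caught)\n",
           nv_unset_model(&before[1]));
    printf("unset .sh.lineno with NV_NOFREE:    %d (reference dropped, lineno still %ld)\n",
           nv_unset_model(&after[1]), sh_state.lineno);
    printf("unset HEAPVAR:                      %d (heap buffer released)\n",
           nv_unset_model(&after[2]));
    nv_unset_model(&before[2]);
    free(before);
    free(after);
    return 0;
}
```

The region check is a debugging aid, not a substitute for the attribute: the fix is the NV_NOFREE flag on the table entry, which is what the ksh93 change applies, and the check only makes the consequence of omitting it visible without corrupting the heap.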
