
altering some builtin variables segfaults bash


From: Stanislav Brabec
Subject: altering some builtin variables segfaults bash
Date: Thu, 25 Nov 2004 15:16:24 +0100

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux
Compiler: gcc -I/usr/src/packages/BUILD/bash-3.0 
-L/usr/src/packages/BUILD/bash-3.0/../readline-5.0
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux' -DCONF_MACHTYPE='x86_64-suse-linux' -DCONF_VENDOR='suse' 
-DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H  -I.  
-I. -I./include -I./lib   -O2 -fmessage-length=0 -Wall -D_GNU_SOURCE -Wall 
-pipe -g -fbranch-probabilities
uname output: Linux hammer 2.6.8-24-default #1 Wed Oct 6 09:16:23 UTC 2004 
x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-suse-linux

Bash Version: 3.0
Patch Level: 0
Release Status: release

Description:

Altering variables BASH_LINENO, BASH_SOURCE and FUNCNAME can cause bash 
to segfault.

Repeat-By:

sbrabec:~> export LANG=C
sbrabec:~> ./bash_crash
Segmentation fault

#! /bin/sh
# You need export LANG=C before starting this test.
unset POSIXLY_CORRECT
function crash {
    unset FUNCNAME
    LANG=en_US.UTF-8
}
crash

It crashes on both i386 and x86_64. I have more crash examples.

Sounds like a problem with execute_function() in execute_cmd.c:

  array_pop (bash_source_a);
  array_pop (funcname_a);
  array_pop (bash_lineno_a);

Program received signal SIGSEGV, Segmentation fault.
0x000000000044d05a in array_shift (a=0x5bee10, n=1, flags=0) at array.c:190
190             for (i = 0, ret = ae = element_forw(a->head); ae != a->head && i
< n; ae = element_forw(ae), i++)
(gdb) bt
#0  0x000000000044d05a in array_shift (a=0x5bee10, n=1, flags=0) at array.c:190
#1  0x0000000000428de0 in execute_function (var=0x5bef60, words=0x5bd870,
flags=0, fds_to_close=0x5bfe10, async=0, subshell=0)
    at execute_cmd.c:3272
#2  0x000000000042911b in execute_builtin_or_function (words=0x5bd870,
builtin=0, var=0x5bef60, redirects=0x0,
    fds_to_close=0x5bfe10, flags=0) at execute_cmd.c:3437
#3  0x00000000004283d5 in execute_simple_command (simple_command=0x5bfe50,
pipe_in=-1, pipe_out=-1, async=0,
    fds_to_close=0x5bfe10) at execute_cmd.c:2950
#4  0x000000000042471a in execute_command_internal (command=0x5bff70,
asynchronous=0, pipe_in=-1, pipe_out=-1,
    fds_to_close=0x5bfe10) at execute_cmd.c:660
#5  0x0000000000424129 in execute_command (command=0x5bff70) at 
execute_cmd.c:347
#6  0x0000000000416342 in reader_loop () at eval.c:146
#7  0x0000000000414444 in main (argc=2, argv=0x7fbfffe968, env=0x7fbfffe980) at
shell.c:704

(Note that this backtrace was generated with -g -O0 added to compilation flags.)

Fix:

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SuSE CR, s. r. o.                             e-mail: sbrabec@suse.cz
Drahobejlova 27                               tel: +420 296 542 382
190 00 Praha 9                                fax: +420 296 542 374
Czech Republic                                http://www.suse.cz/
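
A regression check built from the reproducer above, as an added example that is not part of the original report: it runs the script in a child shell once for each of the three variables the report names and treats an exit status above 128 as death by signal (139 for SIGSEGV). The function names and the per-variable loop are assumptions of this example; the report itself only shows the FUNCNAME case.

```shell
#!/bin/sh
# Added example, not part of the original report.

# Emit the report's reproducer with the variable to unset as a parameter.
make_case() {
    cat <<EOF
unset POSIXLY_CORRECT
function crash {
    unset $1
    LANG=en_US.UTF-8
}
crash
EOF
}

# run_case SHELL VAR: run one case in a child process so a crash in the
# shell under test cannot take this script down.
# Prints "ok", "exit:<status>" or "signal:<number>".
run_case() {
    tmp=$(mktemp) || return 2
    make_case "$2" > "$tmp"
    status=0
    # The report starts from LANG=C; the function then switches locale.
    LANG=C "$1" "$tmp" >/dev/null 2>&1 || status=$?
    rm -f "$tmp"
    if [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"   # 128+n: child died from signal n
    elif [ "$status" -eq 0 ]; then
        echo ok
    else
        echo "exit:$status"
    fi
}

# check_shell SHELL: returns 0 only if no case was killed by a signal.
check_shell() {
    rc=0
    for var in FUNCNAME BASH_SOURCE BASH_LINENO; do
        result=$(run_case "$1" "$var")
        echo "$1: unset $var -> $result"
        case $result in signal:*) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: sh check_bash_unset.sh /path/to/bash
[ "$#" -eq 0 ] || check_shell "$1"
```

A non-zero return from `check_shell` means at least one case ended in a signal, which makes the script usable as a gate in a package build or CI job for the shell binary under test.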




