Re: 4.4: crash in redir10 test; use after free?
From: Christian Weisgerber
Subject: Re: 4.4: crash in redir10 test; use after free?
Date: Wed, 2 Nov 2016 22:51:52 +0100
User-agent: Mutt/1.7.1 (2016-10-04)

Chet Ramey:
> > Running the bash 4.4 regression test suite on OpenBSD/amd64, I noticed
> > a crash in the redir tests. Specifically, running redir10.sub with
> > bash 4.4 causes it to die with a bus error most of the time.
>
> Thanks for the report. I can't reproduce this,
Here's the backtrace:

#0 0x00000d78f3634009 in find_pipeline (pid=11813, alive_only=1,
   jobp=0x7f7fffff61b4) at jobs.c:1481
#1 0x00000d78f36340f5 in find_process (pid=11813, alive_only=1,
   jobp=0x7f7fffff61b4) at jobs.c:1506
#2 0x00000d78f3637c53 in waitchld (wpid=-1, block=0) at jobs.c:3531
#3 0x00000d78f363795c in sigchld_handler (sig=20) at jobs.c:3411
#4 <signal handler called>
#5 0x00000d7b431cc78b in ofree (argpool=0xd7be5448350, p=0xd7b4d731360)
   at /usr/src/lib/libc/stdlib/malloc.c:1085
#6 0x00000d7b431ccc8b in free (ptr=0xd7b0d3aa3e0)
   at /usr/src/lib/libc/stdlib/malloc.c:1416
#7 0x00000d78f3633a97 in discard_pipeline (chain=0xd7b0d3aa3e0) at jobs.c:1232
#8 0x00000d78f364a3c5 in process_substitute (string=0xd7afbf56490 "echo x",
   open_for_read_in_child=0) at subst.c:5812

* In process_substitute(), discard_pipeline(last_procsub_child)
  is called.
* discard_pipeline() frees last_procsub_child.
* free() is interrupted by a signal.
* The signal handler eventually calls find_pipeline(), which accesses
  the just-freed memory last_procsub_child points to.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
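
The sequence described in the message above, as an added example that is not part of the original post and is not bash's code or its fix: a SIGCHLD handler reads a global pointer while the main flow frees the node behind it. The sketch shows one general mitigation, blocking the signal and clearing the pointer before free(). The names `proc`, `last_child`, `on_sigchld` and `discard_child_safely` are hypothetical stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the process list and last_procsub_child. */
struct proc { int pid; struct proc *next; };
static struct proc *volatile last_child;
static volatile sig_atomic_t handler_saw;  /* pid seen by handler, -1 = none */

/* Like find_pipeline() in the backtrace, the handler dereferences shared state. */
static void on_sigchld(int sig) {
    (void)sig;
    struct proc *p = last_child;
    handler_saw = p ? p->pid : -1;
}

/* Free the node so that the handler can never observe a dangling pointer. */
static void discard_child_safely(void) {
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old);   /* handler cannot run from here on */
    struct proc *p = last_child;
    last_child = NULL;                      /* unpublish before freeing */
    raise(SIGCHLD);                         /* constructed worst case: stays pending */
    free(p);
    sigprocmask(SIG_SETMASK, &old, NULL);   /* pending SIGCHLD is delivered here */
}

/* Returns what the handler saw: -1 means it ran after the free and found nothing stale. */
int demo(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, NULL) != 0) return -2;
    handler_saw = 0;
    struct proc *p = malloc(sizeof *p);
    if (!p) return -2;
    p->pid = 11813;                         /* constructed sample value */
    p->next = NULL;
    last_child = p;
    discard_child_safely();
    return handler_saw;
}

int main(void) { return demo() == -1 ? 0 : 1; }
```

Without the mask, a signal arriving inside free() would run the handler while `last_child` still pointed at memory already handed back to the allocator.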