Re: 4.4: crash in redir10 test; use after free?

From: Christian Weisgerber
Subject: Re: 4.4: crash in redir10 test; use after free?
Date: Wed, 2 Nov 2016 22:51:52 +0100
User-agent: Mutt/1.7.1 (2016-10-04)

Chet Ramey:

> > Running the bash 4.4 regression test suite on OpenBSD/amd64, I noticed
> > a crash in the redir tests.  Specifically, running redir10.sub with
> > bash 4.4 causes it to die with a bus error most of the time.
> Thanks for the report.  I can't reproduce this,

Here's the backtrace:

#0  0x00000d78f3634009 in find_pipeline (pid=11813, alive_only=1,
    jobp=0x7f7fffff61b4) at jobs.c:1481
#1  0x00000d78f36340f5 in find_process (pid=11813, alive_only=1,
    jobp=0x7f7fffff61b4) at jobs.c:1506
#2  0x00000d78f3637c53 in waitchld (wpid=-1, block=0) at jobs.c:3531
#3  0x00000d78f363795c in sigchld_handler (sig=20) at jobs.c:3411
#4  <signal handler called>
#5  0x00000d7b431cc78b in ofree (argpool=0xd7be5448350, p=0xd7b4d731360)
    at /usr/src/lib/libc/stdlib/malloc.c:1085
#6  0x00000d7b431ccc8b in free (ptr=0xd7b0d3aa3e0)
    at /usr/src/lib/libc/stdlib/malloc.c:1416
#7  0x00000d78f3633a97 in discard_pipeline (chain=0xd7b0d3aa3e0) at jobs.c:1232
#8  0x00000d78f364a3c5 in process_substitute (string=0xd7afbf56490 "echo x",
    open_for_read_in_child=0) at subst.c:5812

* In process_substitute(), discard_pipeline(last_procsub_child)
  is called.
* discard_pipeline() frees last_procsub_child.
* free() is interrupted by a signal.
* The signal handler eventually calls find_pipeline(), which accesses
  the just-freed memory last_procsub_child points to.

Christian "naddy" Weisgerber                          address@hidden
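
The window described in the message above closes when SIGCHLD is blocked for the duration of the discard and the shared pointer is cleared before the memory is freed. The following is an added C example, not bash's code and not the fix applied upstream; `struct proc`, `tracked`, `discard_tracked` and `demo` are hypothetical names, and the `raise()` call stands in for a child exiting mid-discard.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
/* Hypothetical stand-in for a node in the shell's process list. */
struct proc { int pid; struct proc *next; };

/* Shared with the signal handler, like last_procsub_child in the report. */
static struct proc *volatile tracked;
static volatile sig_atomic_t handler_runs, nodes_seen;
/* Walks the shared list, as find_pipeline() does under sigchld_handler(). */
static void on_sigchld(int sig)
{
    (void)sig;
    handler_runs++;
    for (struct proc *p = tracked; p != NULL; p = p->next)
        nodes_seen++;
}

/* Free the list with SIGCHLD blocked and the pointer already cleared. */
static void discard_tracked(void)
{
    sigset_t block, saved;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &saved);
    struct proc *p = tracked;
    tracked = NULL;                 /* unpublish before freeing */
    raise(SIGCHLD);                 /* demo only: SIGCHLD arrives mid-discard */
    while (p != NULL) {
        struct proc *next = p->next;
        free(p);
        p = next;
    }
    sigprocmask(SIG_SETMASK, &saved, NULL);  /* pending SIGCHLD runs here */
}

/* Returns 1 if the handler ran exactly once and walked no freed node. */
int demo(void)
{
    struct sigaction sa = {0};
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGCHLD, &sa, NULL);
    handler_runs = nodes_seen = 0;
    tracked = calloc(1, sizeof *tracked);
    if (tracked == NULL) return 0;
    discard_tracked();
    return handler_runs == 1 && nodes_seen == 0;
}
int main(void) { return demo() ? 0 : 1; }
```

Blocking the signal keeps the handler out of the allocator while `free()` is running, and clearing the pointer first means the deferred handler finds an empty list once the mask is restored.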
