group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1697501] Re: ksh segfault on job_chksave () after it receive a SIGCHLD (Signal 17)

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Bug Watch Updater <1697501@xxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Apr 2020 16:50:01 -0000
Reply-to: Bug 1697501 <1697501@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: ksh (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1697501

Title:
  ksh segfault on  job_chksave () after it receive a SIGCHLD (Signal 17)

Status in ksh package in Ubuntu:
  Fix Released
Status in ksh source package in Trusty:
  Fix Released
Status in ksh source package in Xenial:
  Fix Released
Status in ksh source package in Yakkety:
  Fix Released
Status in ksh source package in Zesty:
  Fix Released
Status in ksh source package in Artful:
  Fix Released
Status in ksh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * The compiler optimization dropped parts from the ksh job
  locking mechanism from the binary code. As a consequence, ksh could terminate
  unexpectedly with a segmentation fault after it received the SIGCHLD signal.

  [Test Case]

   Unfortunately, there is no clear and easy way to reproduce the
  segfault.

   * But the original reporter of this bug can randomly reproduce the
  problem using an in-house ksh script that only works inside his
  infrastructure as follow : "ksh <in-house-script.ksh>" and then once
  in a while ksh will segfault as follow :

  (gdb) bt
  #0  job_chksave (pid=pid@entry=19003) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  #1  0x00000000004282ab in job_reap (sig=17) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:428
  #2  <signal handler called>
  ...

  [Regression Potential]

  * Regression risk : low/none expected, the package has been
  highly/intensively tested by a user who run over 18M ksh scripts a day
  on each of their clusters.

  +

  * Secondly, I doubt ksh has much traction nowadays, so if a regression occurs... It will most likely be limited to a small amount of users IMHO.
  For instance, the bug has been reported 3 years ago for Red Hat, and we, Ubuntu, only heard about this same situation for the first time a few weeks ago.

  +

  * The fix has been written by RH and has been proven to work for them
  for the last 3 years.

  Note that the RH fix has never been merged upstream (ksh is a
  unmaintained project) and/or possibly never been proposed to upstream
  (to be verified).

  +

  * A test package including the RH fix has been intensively tested and verified (pre-SRU) by an affected user with positive feedbacks using a
  reproducer that segfault without the RH patch.

  +

  * Test package (pre-SRU) feedbacks :
  https://bugs.launchpad.net/ubuntu/xenial/+source/ksh/+bug/1697501/comments/7

  [Other Info]

   * ksh project is unmaintained nowadays [https://github.com/att/ast],
  thus no new development is made upstream nor in debian upstream.

   * Details about the RH bug :
  --
     - https://bugzilla.redhat.com/show_bug.cgi?id=1123467
     - https://bugzilla.redhat.com/show_bug.cgi?id=1112306
     - https://access.redhat.com/solutions/1253243
     - http://rhn.redhat.com/errata/RHBA-2014-1015.html

    # ksh.spec
        Fri Jul 25 2014 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 20120801-10.8
      - job locking mechanism did not survive compiler optimization (#1123467)

    # patch
      - ksh-20120801-locking.patch
  --

   * Debian bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867181

  [Original Description]

  # gdb
  [New LWP 3882]
  Core was generated by `/bin/ksh <KSH_SCRIPT>.ksh'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 job_chksave (pid=pid@entry=19385) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  1948 if(jp->pid==pid)

  (gdb) p *jp
  Cannot access memory at address 0xb

  (gdb) p *jp->pid
  Cannot access memory at address 0x13

  (gdb) p pid
  $2 = 19385

  (gdb) p *jpold
  $1 = {next = 0xb, pid = -604008960, exitval = 11124}

  The struct is corrupted at some point looking at the next,pid and
  exitval struct members values which isn't valid data.

  # assembly code
  => 0x0000000000427159 <+41>: cmp %edi,0x8(%rdx)

  (gdb) p $edi  ## pid variable
  $1 = 19385

  (gdb) p *($rdx + 8) ## jp->pid struct
  Cannot access memory at address 0x13
  --

  ksh is segfaulting because it can't access struct "jp" ($rdx) thus
  cannot de-reference the struct member "jp>pid" ($rdx + 8) at line :
  src/cmd/ksh93/sh/jobs.c:1948 when looking if jp->pid is equal to pid
  ($edi) variable.

  I have looked at the github project "att/ast" upstream repo and some
  patches here and there, and nothing seems to apply.

  Note that the project seems unmaintained nowadays.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ksh/+bug/1697501/+subscriptions