On 01/03/11 15:36, Evangelos Foutras wrote:
> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
> -DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
> -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -march=x86-64
> -mtune=generic -O2 -pipe
> -DDEFAULT_PATH_VALUE='/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin'
> -DSTANDARD_UTILS_PATH='/usr/bin:/bin:/usr/sbin:/sbin'
> -DSYS_BASHRC='/etc/bash.bashrc' -DSYS_BASH_LOGOUT='/etc/bash.bash_logout'
> uname output: Linux foutbox 2.6.37-ARCH #1 SMP PREEMPT Fri Feb 18 18:32:16
> CET 2011 x86_64 AMD Phenom(tm) II X6 1090T Processor AuthenticAMD GNU/Linux
> Machine Type: x86_64-unknown-linux-gnu
>
> Bash Version: 4.2
> Patch Level: 5
> Release Status: release
>
> Description:
It appears that the chkexport function introduced in this patch level
can crash with a segmentation fault (in the backtrace below, the variable pointer it dereferences is NULL).
>
> Repeat-By:
> A simple `bash -c 'unset TZ'` is enough to trigger the segmentation
> fault on my system.
>
> Fix:
Maybe chkexport should check that the value returned by find_variable
is not NULL before using it? I noticed this check is done in other places
where find_variable is used, so I think it makes sense to do it here too.
I'm also attaching the backtrace I got from gdb.
Starting program: /bin/bash /etc/rc.d/network
Program received signal SIGSEGV, Segmentation fault.
0x0000000000439b7d in chkexport (name=0x7069c0 "TZ") at variables.c:3663
3663 if (exported_p (v))
> bt
---------
#0 0x0000000000439b7d in chkexport (name=0x7069c0 "TZ") at variables.c:3663
#1 0x000000000043ae84 in sv_tz (name=0x7069c0 "TZ") at variables.c:4582
#2 0x000000000043a9b3 in stupidly_hack_special_variables (name=0x7069c0 "TZ")
at variables.c:4298
#3 0x0000000000484723 in unset_builtin (list=0x70a4d0) at ./set.def:851
#4 0x0000000000432815 in execute_builtin (builtin=0x484430 <unset_builtin>,
words=0x70a410, flags=0, subshell=0) at execute_cmd.c:4096
#5 0x0000000000433400 in execute_builtin_or_function (words=0x70a410,
builtin=0x484430 <unset_builtin>, var=0x0, redirects=0x0,
fds_to_close=0x70a470, flags=0) at execute_cmd.c:4521
#6 0x000000000043235d in execute_simple_command (simple_command=0x706050,
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x70a470)
at execute_cmd.c:3931
#7 0x000000000042c9d7 in execute_command_internal (command=0x707530,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x70a470)
at execute_cmd.c:735
#8 0x000000000047be27 in parse_and_execute (
string=0x70a760 "#!/bin/bash\n# initscripts functions\n#\n\n#
width:\n\nSTAT_COL=80\nif [[ ! -t 1 ]]; then\n USECOLOR=\"\"\nelif [[ -t 0
]]; then\n # stty will fail when stdin isn't a terminal\n
STAT_COL=\"$(/bin/stty size"..., from_file=0x7072e0 "/etc/rc.d/functions",
flags=20) at evalstring.c:319
#9 0x000000000047b5d0 in _evalfile (filename=0x7072e0 "/etc/rc.d/functions",
flags=14) at evalfile.c:264
#10 0x000000000047b839 in source_file (
filename=0x7072e0 "/etc/rc.d/functions", sflags=0) at evalfile.c:344
#11 0x00000000004858d2 in source_builtin (list=0x705ed0) at ./source.def:192
#12 0x0000000000432815 in execute_builtin (builtin=0x485550 <source_builtin>,
words=0x7081b0, flags=0, subshell=0) at execute_cmd.c:4096
#13 0x0000000000433400 in execute_builtin_or_function (words=0x7081b0,
builtin=0x485550 <source_builtin>, var=0x0, redirects=0x0,
fds_to_close=0x705ff0, flags=0) at execute_cmd.c:4521
#14 0x000000000043235d in execute_simple_command (simple_command=0x706030,
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x705ff0)
at execute_cmd.c:3931
#15 0x000000000042c9d7 in execute_command_internal (command=0x6d6eb0,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x705ff0)
at execute_cmd.c:735
#16 0x000000000042c1dd in execute_command (command=0x6d6eb0)
at execute_cmd.c:382
#17 0x0000000000419248 in reader_loop () at eval.c:152
#18 0x000000000041720c in main (argc=2, argv=0x7fffffffe6b8,
env=0x7fffffffe6d0) at shell.c:749
> bt full
---------
#0 0x0000000000439b7d in chkexport (name=0x7069c0 "TZ") at variables.c:3663
v = 0x0
#1 0x000000000043ae84 in sv_tz (name=0x7069c0 "TZ") at variables.c:4582
No locals.
#2 0x000000000043a9b3 in stupidly_hack_special_variables (name=0x7069c0 "TZ")
at variables.c:4298
sv_sorted = 1
i = 31
#3 0x0000000000484723 in unset_builtin (list=0x70a4d0) at ./set.def:851
var = 0x0
tem = -1
t = 0x49ccb8 "builtin_env"
unset_function = 0
unset_variable = 0
unset_array = 0
opt = -1
any_failed = 0
name = 0x7069c0 "TZ"
#4 0x0000000000432815 in execute_builtin (builtin=0x484430 <unset_builtin>,
words=0x70a410, flags=0, subshell=0) at execute_cmd.c:4096
old_e_flag = 0
result = 32767
eval_unwind = 0
isbltinenv = 1
error_trap = 0x0
#5 0x0000000000433400 in execute_builtin_or_function (words=0x70a410,
builtin=0x484430 <unset_builtin>, var=0x0, redirects=0x0,
fds_to_close=0x70a470, flags=0) at execute_cmd.c:4521
result = 0
saved_undo_list = 0x0
ofifo = 0
nfifo = 0
osize = 0
ofifo_list = 0x0
#6 0x000000000043235d in execute_simple_command (simple_command=0x706050,
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x70a470)
at execute_cmd.c:3931
words = 0x70a410
lastword = 0x70a4d0
command_line = 0x0
lastarg = 0x7069c0 "TZ"
temp = 0x0
first_word_quoted = 0
result = 0
builtin_is_special = 0
already_forked = 0
dofork = 0
old_last_async_pid = -1
builtin = 0x484430 <unset_builtin>
func = 0x0
old_builtin = 1
old_command_builtin = 0
#7 0x000000000042c9d7 in execute_command_internal (command=0x707530,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x70a470)
at execute_cmd.c:735
exec_result = 0
user_subshell = 0
invert = 0
ignore_return = 0
was_error_trap = 0
my_undo_list = 0x0
exec_undo_list = 0x0
last_pid = -1
save_line_number = 40
#8 0x000000000047be27 in parse_and_execute (
string=0x70a760 "#!/bin/bash\n# initscripts functions\n#\n\n#
width:\n\nSTAT_COL=80\nif [[ ! -t 1 ]]; then\n USECOLOR=\"\"\nelif [[ -t 0
]]; then\n # stty will fail when stdin isn't a terminal\n
STAT_COL=\"$(/bin/stty size"..., from_file=0x7072e0 "/etc/rc.d/functions",
flags=20) at evalstring.c:319
bitmap = 0x70a470
code = 0
lreset = 16
should_jump_to_top_level = 0
last_result = 0
command = 0x707530
#9 0x000000000047b5d0 in _evalfile (filename=0x7072e0 "/etc/rc.d/functions",
flags=14) at evalfile.c:264
old_interactive = 0
old_return_catch = {{__jmpbuf = {140737488348848, 0, 0,
140737341895776, 140737488347504, 7379744, 20, 0},
__mask_was_saved = -6480, __saved_mask = {__val = {4677219,
7379744, 140737344937632, 140737488347888, 0, 140737488348848,
0, 0, 140737341897068, 7379744, 4549312, 0, 140737488347768,
140737488347924, 140737488347920, 48}}}}
return_val = 0
fd = 6
result = 0
pflags = 20
i = 8869
nnull = 32767
nr = 8869
string = 0x70a760 "#!/bin/bash\n# initscripts functions\n#\n\n#
width:\n\nSTAT_COL=80\nif [[ ! -t 1 ]]; then\n USECOLOR=\"\"\nelif [[ -t 0
]]; then\n # stty will fail when stdin isn't a terminal\n
STAT_COL=\"$(/bin/stty size"...
finfo = {st_dev = 2051, st_ino = 173068, st_nlink = 1,
st_mode = 33188, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0,
st_size = 8869, st_blksize = 4096, st_blocks = 24, st_atim = {
tv_sec = 1298982442, tv_nsec = 0}, st_mtim = {tv_sec = 1296587253,
tv_nsec = 0}, st_ctim = {tv_sec = 1298982442, tv_nsec = 0},
__unused = {0, 0, 0}}
file_size = 8869
errfunc = 0x477b7d <builtin_error>
funcname_v = 0x7027c0
nfv = 0x0
bash_source_v = 0x701fe0
bash_lineno_v = 0x7020f0
funcname_a = 0x702870
bash_source_a = 0x702090
bash_lineno_a = 0x7021a0
bash_argv_v = 0x701ed0
bash_argc_v = 0x701dc0
bash_argv_a = 0x701f80
bash_argc_a = 0x701e70
t = 0x705eb0 "source"
tt = "1"
#10 0x000000000047b839 in source_file (
filename=0x7072e0 "/etc/rc.d/functions", sflags=0) at evalfile.c:344
flags = 14
rval = 4570982
#11 0x00000000004858d2 in source_builtin (list=0x705ed0) at ./source.def:192
result = 0
filename = 0x7072e0 "/etc/rc.d/functions"
debug_trap = 0x0
#12 0x0000000000432815 in execute_builtin (builtin=0x485550 <source_builtin>,
words=0x7081b0, flags=0, subshell=0) at execute_cmd.c:4096
old_e_flag = 0
result = 32767
eval_unwind = 0
isbltinenv = 1
error_trap = 0x0
#13 0x0000000000433400 in execute_builtin_or_function (words=0x7081b0,
builtin=0x485550 <source_builtin>, var=0x0, redirects=0x0,
fds_to_close=0x705ff0, flags=0) at execute_cmd.c:4521
result = 0
saved_undo_list = 0x0
ofifo = 0
nfifo = 0
osize = 0
ofifo_list = 0x0
#14 0x000000000043235d in execute_simple_command (simple_command=0x706030,
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x705ff0)
at execute_cmd.c:3931
words = 0x7081b0
lastword = 0x705ed0
command_line = 0x0
lastarg = 0x707290 "/etc/rc.d/functions"
temp = 0x7ffff7739ef8 ""
first_word_quoted = 0
result = 0
builtin_is_special = 0
already_forked = 0
dofork = 0
old_last_async_pid = -1
builtin = 0x485550 <source_builtin>
func = 0x0
old_builtin = 0
old_command_builtin = 0
#15 0x000000000042c9d7 in execute_command_internal (command=0x6d6eb0,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x705ff0)
at execute_cmd.c:735
exec_result = 0
user_subshell = 0
invert = 0
ignore_return = 0
was_error_trap = 0
my_undo_list = 0x0
exec_undo_list = 0x0
last_pid = -1
save_line_number = 4
#16 0x000000000042c1dd in execute_command (command=0x6d6eb0)
at execute_cmd.c:382
bitmap = 0x705ff0
result = 0
#17 0x0000000000419248 in reader_loop () at eval.c:152
code = 0
our_indirection_level = 1
current_command = 0x6d6eb0
#18 0x000000000041720c in main (argc=2, argv=0x7fffffffe6b8,
env=0x7fffffffe6d0) at shell.c:749
i = 2
code = 0
old_errexit_flag = 0
saverst = 0
locally_skip_execution = 0
arg_index = 2
top_level_arg_index = 1
quit
A debugging session is active.
Inferior 1 [process 5836] will be killed.
Quit anyway? (y or n)