Re: bash randomly logs out on VT / serial console
On Mon, Jan 02, 2017 at 02:06:01PM -0500, Chet Ramey wrote:
> On 1/2/17 6:09 AM, Russell King wrote:
> > On Sun, Jan 01, 2017 at 09:14:45PM -0500, Chet Ramey wrote:
> >> On 1/1/17 4:01 PM, r...@armlinux.org.uk wrote:
> >>> Bash Version: 4.3
> >>> Patch Level: 30
> >>> Release Status: release
> >>>
> >>> Description:
> >>> Running:
> >>> while :; do s=$(sleep .005 | cat); echo $s; done | uniq
> >>> in a login shell on a virtual terminal or serial console results
> >>> in the shell randomly logging out after ^C.
> >>
> >> I believe this is fixed in bash-4.4.
> >
> > Thank you for your reply.
> >
> > However, while testing bash-4.4 with the five additional patches (bringing
> > it to 4.4.5) shows that it is not fixed in bash-4.4 - see below. The line
> > from __tty_check_change() is from the debug I added to the kernel, which
> > shows that the reason for the EIO error is because the tty pgrp doesn't
> > match the process' pgrp.
>
> OK. I can't reproduce it on Fedora 25.
Digging into why Fedora doesn't show it comes down to distro choices.
Fedora ships util-linux login, which does this when starting the shell:
setsid()= 14301
open("/dev/pts/4", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
ioctl(3, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fcntl64(3, F_GETFL) = 0x8802 (flags O_RDWR|O_NONBLOCK|O_LARGEFILE)
fcntl64(3, F_SETFL, O_RDWR|O_LARGEFILE) = 0
close(0)= 0
close(1)= 0
close(2)= 0
dup2(3, 0) = 0
dup2(3, 1) = 1
dup2(3, 2) = 2
close(3)= 0
ioctl(0, TIOCSCTTY, 1) = 0
rt_sigaction(SIGINT, {SIG_DFL, [INT], SA_RESTART}, {SIG_IGN, [], 0}, 8) = 0
setuid32(0) = 0
chdir("/root") = 0
execve("/home/rmk/bash/bash-4.4/build-pristine/bash", ["-bash"], [/* 8 vars
*/]) = 0
This has the effect that bash sees that the existing PGRP is the same
as the PID - so bash's "original_pgrp" and "shell_pgrp" end up as the
same thing.
Debian and Ubuntu ship shadow-utils login, which makes no calls to
setsid, no TIOC*PGRP calls, no TIOCSCTTY calls. It also makes no
attempt to open the tty itself, using the stdin/stderr supplied
to print it's prompts and read the login name and password.
This results in bash's "original_pgrp" being the PID of the login
process, and "shell_pgrp" the PID of the top level bash - and that
is a requirement for triggering the bug.
So, systems using util-linux login will not show this bug. Systems
using shadow-utils login do show the bug.
Now also reproduced it on a single-CPU machine, also using the
shadow-utils login.
--
Russell King
help vs. partial option lists
$ help complete ... Options: -pprint existing completion specifications in a reusable format -rremove a completion specification for each NAME, or, if no NAMEs are supplied, all completion specifications -Dapply the completions and actions as the default for commands without any specific completion defined -Eapply the completions and actions to "empty" commands -- completion attempted on a blank line I would say 'Option highlights / Some Options / Selected Options' as that is not a full list.
Re: bash randomly logs out on VT / serial console
Hi,
On Mon, Jan 02, 2017 at 11:33:16PM +, Russell King wrote:
[...]
> 17:38:39.478119 ioctl(255, SNDRV_TIMER_IOCTL_SELECT or TIOCSPGRP, [10928]) = 0
> 17:38:39.478250 rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
> 17:38:39.478395 ioctl(255, SNDCTL_TMR_TIMEBASE or
> SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B115200 opost isig icanon echo
> ...}) = 0
> 17:38:39.478626 ioctl(255, SNDCTL_TMR_STOP or SNDRV_TIMER_IOCTL_GINFO or
> TCSETSW, {B115200 opost isig icanon echo ...}) = 0
> 17:38:39.478782 ioctl(255, SNDCTL_TMR_TIMEBASE or
> SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B115200 opost isig icanon echo
> ...}) = 0
Just a side comment: if you were using strace version 4.10 or newer,
you'd see much better decoding of these and other ioctl calls.
Happy tracing,
--
ldv
pgpOwIAgUWMJl.pgp
Description: PGP signature
memory leak(not freeing allocated buffer)
Version:4.4
(This isn't so much a security bug)
While looking threw copy_cmd.c I saw when allocating new_redirect it
doesn't free it when it is done using it.
copy_cmd.c
Ln 115
REDIRECT *
copy_redirect (redirect)
REDIRECT *redirect;
{
REDIRECT *new_redirect;
new_redirect = (REDIRECT *)xmalloc (sizeof (REDIRECT));
#if 0
FASTCOPY ((char *)redirect, (char *)new_redirect, (sizeof (REDIRECT)));
#else
*new_redirect = *redirect;/* let the compiler do the fast structure
copy */
#endif
if (redirect->rflags & REDIR_VARASSIGN)
new_redirect->redirector.filename = copy_word
(redirect->redirector.filename);
Re: memory leak(not freeing allocated buffer)
On 1/2/17 7:52 PM, Sticky Chocolate wrote: > Version:4.4 > > (This isn't so much a security bug) > While looking threw copy_cmd.c I saw when allocating new_redirect it > doesn't free it when it is done using it. That's the return value from the function. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://cnswww.cns.cwru.edu/~chet/
Re: bash randomly logs out on VT / serial console
On Tue, Jan 03, 2017 at 09:03:52AM +, Russell King wrote:
> On Mon, Jan 02, 2017 at 02:06:01PM -0500, Chet Ramey wrote:
> > On 1/2/17 6:09 AM, Russell King wrote:
> > > On Sun, Jan 01, 2017 at 09:14:45PM -0500, Chet Ramey wrote:
> > >> On 1/1/17 4:01 PM, r...@armlinux.org.uk wrote:
> > >>> Bash Version: 4.3
> > >>> Patch Level: 30
> > >>> Release Status: release
> > >>>
> > >>> Description:
> > >>> Running:
> > >>> while :; do s=$(sleep .005 | cat); echo $s; done | uniq
> > >>> in a login shell on a virtual terminal or serial console results
> > >>> in the shell randomly logging out after ^C.
> > >>
> > >> I believe this is fixed in bash-4.4.
> > >
> > > Thank you for your reply.
> > >
> > > However, while testing bash-4.4 with the five additional patches (bringing
> > > it to 4.4.5) shows that it is not fixed in bash-4.4 - see below. The line
> > > from __tty_check_change() is from the debug I added to the kernel, which
> > > shows that the reason for the EIO error is because the tty pgrp doesn't
> > > match the process' pgrp.
> >
> > OK. I can't reproduce it on Fedora 25.
>
> Digging into why Fedora doesn't show it comes down to distro choices.
>
> Fedora ships util-linux login, which does this when starting the shell:
>
> setsid()= 14301
> open("/dev/pts/4", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
> ioctl(3, TCGETS, {B38400 opost isig icanon echo ...}) = 0
> fcntl64(3, F_GETFL) = 0x8802 (flags O_RDWR|O_NONBLOCK|O_LARGEFILE)
> fcntl64(3, F_SETFL, O_RDWR|O_LARGEFILE) = 0
> close(0)= 0
> close(1)= 0
> close(2)= 0
> dup2(3, 0) = 0
> dup2(3, 1) = 1
> dup2(3, 2) = 2
> close(3)= 0
> ioctl(0, TIOCSCTTY, 1) = 0
> rt_sigaction(SIGINT, {SIG_DFL, [INT], SA_RESTART}, {SIG_IGN, [], 0}, 8) = 0
> setuid32(0) = 0
> chdir("/root") = 0
> execve("/home/rmk/bash/bash-4.4/build-pristine/bash", ["-bash"], [/* 8 vars
> */]) = 0
>
> This has the effect that bash sees that the existing PGRP is the same
> as the PID - so bash's "original_pgrp" and "shell_pgrp" end up as the
> same thing.
>
> Debian and Ubuntu ship shadow-utils login, which makes no calls to
> setsid, no TIOC*PGRP calls, no TIOCSCTTY calls. It also makes no
> attempt to open the tty itself, using the stdin/stderr supplied
> to print it's prompts and read the login name and password.
>
> This results in bash's "original_pgrp" being the PID of the login
> process, and "shell_pgrp" the PID of the top level bash - and that
> is a requirement for triggering the bug.
>
> So, systems using util-linux login will not show this bug. Systems
> using shadow-utils login do show the bug.
Sorry for the third mail since you last responded.
Having built the util-linux login on one of my Ubuntu boxes, when
logging in using the shadow-utils login, with the bash shell printing
its internal pgrp state in initialize_job_control() via the handy
function already provided:
TRACE: pid 6112: original_pgrp = 6076 shell_pgrp = 6112 terminal_pgrp = 6112
TRACE: pid 6112: tcgetpgrp(255) -> 6112, getpgid(0) -> 6112
With the util-linux flavour of login (used by Fedora):
TRACE: pid 6217: original_pgrp = 6217 shell_pgrp = 6217 terminal_pgrp = 6217
TRACE: pid 6217: tcgetpgrp(255) -> 6217, getpgid(0) -> 6217
Note - util-linux login is not offered as an alternative on debian or
ubuntu installations - this is a custom modification.
The bash problem is unreproducable when the util-linux login flavour
is used due to original_pgrp == shell_pgrp, which effectively hides the
bug.
--
Russell King
