** Description changed:

  [Impact]

  * The compiler optimization dropped parts of the ksh job locking mechanism from the binary code. As a consequence, ksh could terminate unexpectedly with a segmentation fault after it received the SIGCHLD signal.

  [Test Case]

  Unfortunately, there is no clear and easy way to reproduce the segfault.

  * But the original reporter of this bug can randomly reproduce the problem using an in-house ksh script that only works inside his infrastructure, as follows:

  "ksh <in-house-script.ksh>"

  and then once in a while ksh will segfault as follows:

  (gdb) bt
  #0  job_chksave (pid=pid@entry=19003) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  #1  0x00000000004282ab in job_reap (sig=17) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:428
  #2  <signal handler called>
  ...

  [Regression Potential]

  * This update implements a fix to ensure the compiler does not drop parts of the ksh mechanism, so that the crash no longer occurs.

  * The fix has been written by RH and has been proven to work for them for the last 3 years. Note that the RH fix has never been merged upstream (ksh is an unmaintained project) and/or possibly never been proposed upstream (to be verified).

- * A test package including the RH fix has been tested and verified
+ * A test package including the RH fix has been tested and verified (pre-SRU)
  by an affected user with positive feedback using his reproducer.

- * Feedback:
- "I've confirmed that our users have not had a single occurrence of core dump on ksh with the patched package. They have run the script sequence over 3000 times since we updated with no issues."
-
+ * Feedback:
+ https://bugs.launchpad.net/ubuntu/xenial/+source/ksh/+bug/1697501/comments/7

  [Other Info]

  * The ksh project is unmaintained nowadays [https://github.com/att/ast], thus no new development is made upstream nor in Debian.

  * Details about the RH bug:
  --
  - https://bugzilla.redhat.com/show_bug.cgi?id=1123467
  - https://bugzilla.redhat.com/show_bug.cgi?id=1112306
  - https://access.redhat.com/solutions/1253243
  - http://rhn.redhat.com/errata/RHBA-2014-1015.html

  # ksh.spec
  Fri Jul 25 2014 Michal Hlavinka <[email protected]> - 20120801-10.8
  - job locking mechanism did not survive compiler optimization (#1123467)

  # patch
  - ksh-20120801-locking.patch
  --

  [Original Description]

  # gdb
  [New LWP 3882]
  Core was generated by `/bin/ksh <KSH_SCRIPT>.ksh'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  job_chksave (pid=pid@entry=19385) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  1948            if(jp->pid==pid)
  (gdb) p *jp
  Cannot access memory at address 0xb
  (gdb) p *jp->pid
  Cannot access memory at address 0x13
  (gdb) p pid
  $2 = 19385
  (gdb) p *jpold
  $1 = {next = 0xb, pid = -604008960, exitval = 11124}

  The struct is corrupted at some point, judging by the next, pid and exitval struct member values, which aren't valid data.

  # assembly code
  => 0x0000000000427159 <+41>:   cmp    %edi,0x8(%rdx)
  (gdb) p $edi                ## pid variable
  $1 = 19385
  (gdb) p *($rdx + 8)         ## jp->pid struct
  Cannot access memory at address 0x13
  --

  ksh is segfaulting because it can't access struct "jp" ($rdx), thus cannot dereference the struct member "jp->pid" ($rdx + 8) at line src/cmd/ksh93/sh/jobs.c:1948 when checking whether jp->pid is equal to the pid ($edi) variable.

  I have looked at the GitHub project "att/ast" upstream repo and some patches here and there, and nothing seems to apply.

  Note that the project seems unmaintained nowadays.
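The crash above is a race between the SIGCHLD handler (job_reap) and code that edits the job list; ksh93 guards that with a job_lock/job_unlock critical section that makes the handler defer its work, and the report says optimization stripped parts of that guard. The block below is an added illustration of such a guard written for this page, not ksh's code and not the RH patch: the flags the handler shares with ordinary code are `volatile sig_atomic_t`, the ksh-style names are borrowed, and the pid is a constructed value.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
/* Illustration only, not ksh's code or the RH patch: names follow ksh93's
 * jobs.c convention (job_lock/job_unlock/job_reap, in_critical, savesig). */
struct job { struct job *next; int pid; int exitval; };
/* Shared with the SIGCHLD handler, hence volatile sig_atomic_t: with plain
 * ints the compiler may assume the handler cannot change them and hoist or
 * drop the checks, the kind of optimization loss the report describes. */
static volatile sig_atomic_t in_critical = 0;
static volatile sig_atomic_t savesig = 0;
static volatile sig_atomic_t reap_count = 0;   /* times job_reap really ran */
static struct job *job_list = NULL;
static void job_reap(int sig)
{
    if (in_critical) {          /* list is being edited: remember and defer */
        savesig = sig;
        return;
    }
    reap_count++;   /* a real shell would waitpid() and unlink the job here */
}
static void job_lock(void) { in_critical++; }
static void job_unlock(void)
{
    int sig;
    if (--in_critical == 0 && (sig = savesig) != 0) {
        savesig = 0;
        job_reap(sig);          /* run the work the handler deferred */
    }
}
/* Link a job under the lock so the handler never walks a half-built list. */
static void job_add(int pid)
{
    struct job *jp = calloc(1, sizeof *jp);
    if (!jp) return;
    job_lock(); jp->pid = pid; jp->next = job_list; job_list = jp; job_unlock();
}

/* raise() delivers synchronously in a single-threaded process, so the
 * deferral is observable.  Returns 1 when the reap ran only after unlock. */
int demo_deferred_reap(void)
{
    signal(SIGCHLD, job_reap);
    job_lock();
    job_add(19385);             /* constructed pid; nesting the lock is fine */
    raise(SIGCHLD);             /* arrives inside the critical section */
    int during = (int)reap_count;   /* still 0: deferred */
    job_unlock();               /* deferred reap runs now */
    return during == 0 && reap_count == 1 && savesig == 0 && job_list->pid == 19385;
}
```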
** Description changed:

  [Impact]

  * The compiler optimization dropped parts of the ksh job locking mechanism from the binary code. As a consequence, ksh could terminate unexpectedly with a segmentation fault after it received the SIGCHLD signal.

  [Test Case]

  Unfortunately, there is no clear and easy way to reproduce the segfault.

  * But the original reporter of this bug can randomly reproduce the problem using an in-house ksh script that only works inside his infrastructure, as follows:

  "ksh <in-house-script.ksh>"

  and then once in a while ksh will segfault as follows:

  (gdb) bt
  #0  job_chksave (pid=pid@entry=19003) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  #1  0x00000000004282ab in job_reap (sig=17) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:428
  #2  <signal handler called>
  ...

  [Regression Potential]

  * This update implements a fix to ensure the compiler does not drop parts of the ksh mechanism, so that the crash no longer occurs.

  * The fix has been written by RH and has been proven to work for them for the last 3 years. Note that the RH fix has never been merged upstream (ksh is an unmaintained project) and/or possibly never been proposed upstream (to be verified).

  * A test package including the RH fix has been tested and verified (pre-SRU) by an affected user with positive feedback using his reproducer.

- * Feedback:
+ * Test package (pre-SRU) feedback:
  https://bugs.launchpad.net/ubuntu/xenial/+source/ksh/+bug/1697501/comments/7

  [Other Info]

  * The ksh project is unmaintained nowadays [https://github.com/att/ast], thus no new development is made upstream nor in Debian.

  * Details about the RH bug:
  --
  - https://bugzilla.redhat.com/show_bug.cgi?id=1123467
  - https://bugzilla.redhat.com/show_bug.cgi?id=1112306
  - https://access.redhat.com/solutions/1253243
  - http://rhn.redhat.com/errata/RHBA-2014-1015.html

  # ksh.spec
  Fri Jul 25 2014 Michal Hlavinka <[email protected]> - 20120801-10.8
  - job locking mechanism did not survive compiler optimization (#1123467)

  # patch
  - ksh-20120801-locking.patch
  --

  [Original Description]

  # gdb
  [New LWP 3882]
  Core was generated by `/bin/ksh <KSH_SCRIPT>.ksh'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  job_chksave (pid=pid@entry=19385) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  1948            if(jp->pid==pid)
  (gdb) p *jp
  Cannot access memory at address 0xb
  (gdb) p *jp->pid
  Cannot access memory at address 0x13
  (gdb) p pid
  $2 = 19385
  (gdb) p *jpold
  $1 = {next = 0xb, pid = -604008960, exitval = 11124}

  The struct is corrupted at some point, judging by the next, pid and exitval struct member values, which aren't valid data.

  # assembly code
  => 0x0000000000427159 <+41>:   cmp    %edi,0x8(%rdx)
  (gdb) p $edi                ## pid variable
  $1 = 19385
  (gdb) p *($rdx + 8)         ## jp->pid struct
  Cannot access memory at address 0x13
  --

  ksh is segfaulting because it can't access struct "jp" ($rdx), thus cannot dereference the struct member "jp->pid" ($rdx + 8) at line src/cmd/ksh93/sh/jobs.c:1948 when checking whether jp->pid is equal to the pid ($edi) variable.

  I have looked at the GitHub project "att/ast" upstream repo and some patches here and there, and nothing seems to apply.

  Note that the project seems unmaintained nowadays.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1697501

Title:
  ksh segfault on job_chksave () after it receive a SIGCHLD (Signal 17)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ksh/+bug/1697501/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
