free(): invalid pointer crash in path_pwd #694

Open
adavies42 opened this issue Nov 10, 2023 · 6 comments
Labels: question (Further information is requested)

Comments

@adavies42

93u+m 1.0.6 can crash on startup in path_pwd:

$ ksh
*** glibc detected *** ksh: free(): invalid pointer: 0x00000000004b3b45 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x75e5e)[0x7f9ff3402e5e]
/lib64/libc.so.6(+0x78cad)[0x7f9ff3405cad]
ksh[0x438eec]
ksh[0x4071b1]
/lib64/libc.so.6(__libc_start_main+0x100)[0x7f9ff33abd20]
ksh[0x406449]
======= Memory map: ========
00400000-00507000 r-xp 00000000 00:1a 1360715816                         ksh
00707000-0071a000 rw-p 00107000 00:1a 1360715816                         ksh
0071a000-00720000 rw-p 00000000 00:00 0
009a6000-009ec000 rw-p 00000000 00:00 0                                  [heap]
7f9fec000000-7f9fec021000 rw-p 00000000 00:00 0
7f9fec021000-7f9ff0000000 ---p 00000000 00:00 0
7f9ff3177000-7f9ff318d000 r-xp 00000000 08:01 3172490                    /lib64/libgcc_s-4.4.7-20120601.so.1
7f9ff318d000-7f9ff338c000 ---p 00016000 08:01 3172490                    /lib64/libgcc_s-4.4.7-20120601.so.1
7f9ff338c000-7f9ff338d000 rw-p 00015000 08:01 3172490                    /lib64/libgcc_s-4.4.7-20120601.so.1
7f9ff338d000-7f9ff3518000 r-xp 00000000 08:01 3172456                    /lib64/libc-2.12.so
7f9ff3518000-7f9ff3717000 ---p 0018b000 08:01 3172456                    /lib64/libc-2.12.so
7f9ff3717000-7f9ff371b000 r--p 0018a000 08:01 3172456                    /lib64/libc-2.12.so
7f9ff371b000-7f9ff371d000 rw-p 0018e000 08:01 3172456                    /lib64/libc-2.12.so
7f9ff371d000-7f9ff3721000 rw-p 00000000 00:00 0
7f9ff3721000-7f9ff37a4000 r-xp 00000000 08:01 3172785                    /lib64/libm-2.12.so
7f9ff37a4000-7f9ff39a3000 ---p 00083000 08:01 3172785                    /lib64/libm-2.12.so
7f9ff39a3000-7f9ff39a4000 r--p 00082000 08:01 3172785                    /lib64/libm-2.12.so
7f9ff39a4000-7f9ff39a5000 rw-p 00083000 08:01 3172785                    /lib64/libm-2.12.so
7f9ff39a5000-7f9ff39a7000 r-xp 00000000 08:01 3172564                    /lib64/libutil-2.12.so
7f9ff39a7000-7f9ff3ba6000 ---p 00002000 08:01 3172564                    /lib64/libutil-2.12.so
7f9ff3ba6000-7f9ff3ba7000 r--p 00001000 08:01 3172564                    /lib64/libutil-2.12.so
7f9ff3ba7000-7f9ff3ba8000 rw-p 00002000 08:01 3172564                    /lib64/libutil-2.12.so
7f9ff3ba8000-7f9ff3baa000 r-xp 00000000 08:01 3172784                    /lib64/libdl-2.12.so
7f9ff3baa000-7f9ff3daa000 ---p 00002000 08:01 3172784                    /lib64/libdl-2.12.so
7f9ff3daa000-7f9ff3dab000 r--p 00002000 08:01 3172784                    /lib64/libdl-2.12.so
7f9ff3dab000-7f9ff3dac000 rw-p 00003000 08:01 3172784                    /lib64/libdl-2.12.so
7f9ff3dac000-7f9ff3dad000 r-xp 00000000 08:01 3172420                    /lib64/bash_ld_preload.so
7f9ff3dad000-7f9ff3fac000 ---p 00001000 08:01 3172420                    /lib64/bash_ld_preload.so
7f9ff3fac000-7f9ff3fad000 rw-p 00000000 08:01 3172420                    /lib64/bash_ld_preload.so
7f9ff3fad000-7f9ff3fcd000 r-xp 00000000 08:01 3172781                    /lib64/ld-2.12.so
7f9ff41b3000-7f9ff41b7000 rw-p 00000000 00:00 0
7f9ff41cb000-7f9ff41cd000 rw-p 00000000 00:00 0
7f9ff41cd000-7f9ff41ce000 r--p 00020000 08:01 3172781                    /lib64/ld-2.12.so
7f9ff41ce000-7f9ff41cf000 rw-p 00021000 08:01 3172781                    /lib64/ld-2.12.so
7f9ff41cf000-7f9ff41d0000 rw-p 00000000 00:00 0
7fff15052000-7fff1506a000 rw-p 00000000 00:00 0                          [stack]
7fff151eb000-7fff151ec000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
$ 

(exact paths to ksh have been redacted)

backtrace from the core:

(gdb) bt
#0  0x00007f9ff33bf4f5 in raise () from /lib64/libc.so.6
#1  0x00007f9ff33c0cd5 in abort () from /lib64/libc.so.6
#2  0x00007f9ff33fd417 in __libc_message () from /lib64/libc.so.6
#3  0x00007f9ff3402e5e in malloc_printerr () from /lib64/libc.so.6
#4  0x00007f9ff3405cad in _int_free () from /lib64/libc.so.6
#5  0x0000000000438eec in path_pwd ()
#6  0x00000000004071b1 in sh_main ()
#7  0x00007f9ff33abd20 in __libc_start_main () from /lib64/libc.so.6
#8  0x0000000000406449 in _start ()
(gdb)
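A quick way to check what glibc's complaint actually says: locate the invalid pointer in the memory map it printed. This is an added helper, not code from the ksh93 code base or from this thread; the map lines below are copied from the report above, and the function names are mine.

```python
import re

# One line of the glibc "Memory map" dump (same layout as /proc/<pid>/maps):
# lo-hi perms offset dev inode [path]; path is absent for anonymous mappings.
MAP_LINE = re.compile(
    r"^(?P<lo>[0-9a-f]+)-(?P<hi>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample: the relevant lines copied from the crash report above.
SAMPLE_MAPS = """\
00400000-00507000 r-xp 00000000 00:1a 1360715816                         ksh
00707000-0071a000 rw-p 00107000 00:1a 1360715816                         ksh
0071a000-00720000 rw-p 00000000 00:00 0
009a6000-009ec000 rw-p 00000000 00:00 0                                  [heap]
7f9fec000000-7f9fec021000 rw-p 00000000 00:00 0
7f9ff338d000-7f9ff3518000 r-xp 00000000 08:01 3172456                    /lib64/libc-2.12.so
"""

def parse_maps(text):
    """Parse map lines into (lo, hi, perms, path) tuples; skip non-map lines."""
    regions = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            regions.append((int(m["lo"], 16), int(m["hi"], 16),
                            m["perms"], m["path"].strip()))
    return regions

def classify_pointer(ptr, regions):
    """Locate ptr in the map and say whether malloc could have returned it.

    Only [heap] and anonymous writable mappings (mmap-backed arenas/chunks)
    are plausible malloc memory; a pointer into a file-backed r-x segment is
    a string literal or other static object, so free() on it is always wrong.
    """
    for lo, hi, perms, path in regions:
        if lo <= ptr < hi:
            plausible = path == "[heap]" or (path == "" and "w" in perms)
            return {"path": path or "(anonymous)", "perms": perms,
                    "plausible_heap": plausible}
    return {"path": None, "perms": None, "plausible_heap": False}

def triage(ptr, maps_text=SAMPLE_MAPS):
    """Human-readable verdict for the pointer glibc complained about."""
    info = classify_pointer(ptr, parse_maps(maps_text))
    if info["path"] is None:
        return f"{ptr:#x}: unmapped (wild or already-unmapped pointer)"
    verdict = "could be heap" if info["plausible_heap"] else "NOT heap memory"
    return f"{ptr:#x}: in {info['path']} ({info['perms']}), {verdict}"

if __name__ == "__main__":
    # The pointer from the report lands in the ksh text segment, not [heap].
    print(triage(0x4b3b45))
```

For the reported value this prints that 0x4b3b45 sits in the ksh binary's own r-xp mapping, i.e. free() was handed something that malloc never returned.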
@McDutchie

I cannot reproduce this.

What is your operating system, operating system version, system architecture, etc.?

McDutchie added the "question" (Further information is requested) label on Dec 30, 2023

@JohnoKing

I also cannot reproduce this crash. I even went out of my way to replicate a similar environment based on the stacktrace (which looks an awful lot like RHEL 6 or CentOS 6 based on the software versions) and everything works fine for me. The crash for all I know could be caused by something in the kshrc file.

@JohnoKing commented Jan 22, 2024

In any case the stacktrace points to the crash occurring at the free call in path_pwd, after it's called in sh_main:

ksh/src/cmd/ksh93/sh/main.c

Lines 139 to 141 in 00b296c

command = error_info.id;
path_pwd();
iop = NULL;

ksh/src/cmd/ksh93/sh/path.c

Lines 210 to 216 in 00b296c

	/* Don't bother if PWD already set */
	if(sh.pwd)
	{
		if(*sh.pwd=='/')
			return (char*)sh.pwd;
		free((void*)sh.pwd);
	}

My best guess is that sh.pwd might be used uninitialized here. Below is a patch that sets sh.pwd to NULL in sh_init, which should prevent this scenario (although I'm still not sure this actually fixes the crash, since I can't reproduce it).

--- a/src/cmd/ksh93/sh/init.c
+++ b/src/cmd/ksh93/sh/init.c
@@ -1314,6 +1314,8 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
 	sh.stk = stkstd;
 	sfsetbuf(sh.strbuf,NULL,64);
 	error_info.catalog = e_dict;
+	/* initialize sh.pwd in case it's used uninitialized later */
+	sh.pwd = NULL;
 #if SHOPT_REGRESS
 	{
 		Opt_t*	nopt;
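Review bot: the added `sh.pwd = NULL;` is a no-op if `sh` has static storage and is zero-initialised, and the comment `/* initialize sh.pwd in case it's used uninitialized later */` then documents a scenario that cannot occur; confirm how `sh` is defined before keeping this hunk. Separately, the invalid pointer in the report, 0x4b3b45, lies inside the ksh binary's own `00400000-00507000 r-xp` mapping rather than in `[heap]`, so the `free((void*)sh.pwd)` in `path_pwd` was more likely handed a pointer into static or read-only data than an uninitialised value; a more useful change would be to audit every assignment to `sh.pwd` and confirm each stores a heap-allocated string (or track ownership explicitly) before that `free()` is reached.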

@McDutchie

The whole sh struct is explicitly initialised to zero in defs.c, so sh.pwd is definitely initialised.

@McDutchie

What is your operating system, operating system version, system architecture, etc.?

@adavies42, please provide the above information, as well as your .kshrc, so we have a chance of reproducing and tracing the problem.

@adavies42 (Author) commented Jan 31, 2024

Yes, this was RHEL 6.10 (on Intel).

I don't have a .kshrc by that name, but I do have a .profile that sets ENV to .envfile, and an .envfile that loads a bunch of other stuff, which is both proprietary and much too long to post.

But I suspect the problem was indeed due to some kind of corruption in pwd.

On further investigation, I found some very weird stuff going on with the cwd of the parent process of that ksh instance -- /proc/$$/cwd pointed to a bare directory name, not an absolute path (i.e. ls -l /proc/$$/cwd showed /proc/123/cwd -> adavies42 instead of /proc/123/cwd -> /home/adavies42 (not that those are the real pid or path)).

My homedir on this system is on NFS, and I suspect some NFS issue was involved.
