[Bug 1697501] Re: ksh segfault on job_chksave () after it receive a SIGCHLD (Signal 17)

Tue Jul 4 17:21:07 UTC 2017

For "Ubuntu Sponsors Team",

Could you please sponsor the Devel Release - Artful debdiff ?

I have the privileges to sponsor in Stable Release so once Artful is
completed, I'll do the sponsor the SRU myself.

- Eric

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1697501

Title:
  ksh segfault on  job_chksave () after it receive a SIGCHLD (Signal 17)

Status in ksh package in Ubuntu:
  In Progress
Status in ksh source package in Trusty:
  In Progress
Status in ksh source package in Xenial:
  In Progress
Status in ksh source package in Yakkety:
  In Progress
Status in ksh source package in Zesty:
  In Progress
Status in ksh source package in Artful:
  In Progress
Status in ksh package in Debian:
  New

Bug description:
  [Impact]

   * The compiler optimization dropped parts from the ksh job
  locking mechanism from the binary code. As a consequence, ksh could terminate
  unexpectedly with a segmentation fault after it received the SIGCHLD signal.

  [Test Case]

   Unfortunately, there is no clear and easy way to reproduce the
  segfault.

   * But the original reporter of this bug can randomly reproduce the
  problem using an in-house ksh script that only works inside his
  infrastructure as follow : "ksh <in-house-script.ksh>" and then once
  in a while ksh will segfault as follow :

  (gdb) bt
  #0  job_chksave (pid=pid at entry=19003) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  #1  0x00000000004282ab in job_reap (sig=17) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:428
  #2  <signal handler called>
  ...

  [Regression Potential]

  * Regression risk : none expected, but even if one found, I'm sure it
  will be less critical than the current state of the package which
  unexpectedly segfault. Additionally, I doubt ksh has much users
  traction nowadays.

  * This update implements a fix to ensure the compiler does not drop
  parts of the ksh mechanism for the crash to no longer occurs.

  * The fix has been written by RH and has been proven to work for them
  for the last 3 years.

  Note that the RH fix has never been merged upstream (ksh is a
  unmaintained project) and/or possibly never been proposed to upstream
  (to be verified).

  * A test package including the RH fix has been intensively tested and
  verified (pre-SRU) by an affected user with positive feedbacks using
  his reproducer.

  * Test package (pre-SRU) feedbacks :
  https://bugs.launchpad.net/ubuntu/xenial/+source/ksh/+bug/1697501/comments/7

  [Other Info]

   * ksh project is unmaintained nowadays [https://github.com/att/ast],
  thus no new development is made upstream nor in debian upstream.

   * Details about the RH bug :
  --
     - https://bugzilla.redhat.com/show_bug.cgi?id=1123467
     - https://bugzilla.redhat.com/show_bug.cgi?id=1112306
     - https://access.redhat.com/solutions/1253243
     - http://rhn.redhat.com/errata/RHBA-2014-1015.html

    # ksh.spec
        Fri Jul 25 2014 Michal Hlavinka <mhlavink at redhat.com> - 20120801-10.8
      - job locking mechanism did not survive compiler optimization (#1123467)

    # patch
      - ksh-20120801-locking.patch
  --

   * Debian bug:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867181

  [Original Description]

  # gdb
  [New LWP 3882]
  Core was generated by `/bin/ksh <KSH_SCRIPT>.ksh'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 job_chksave (pid=pid at entry=19385) at /build/ksh-6IEHIC/ksh-93u+20120801/src/cmd/ksh93/sh/jobs.c:1948
  1948 if(jp->pid==pid)

  (gdb) p *jp
  Cannot access memory at address 0xb

  (gdb) p *jp->pid
  Cannot access memory at address 0x13

  (gdb) p pid
  $2 = 19385

  (gdb) p *jpold
  $1 = {next = 0xb, pid = -604008960, exitval = 11124}

  The struct is corrupted at some point looking at the next,pid and
  exitval struct members values which isn't valid data.

  # assembly code
  => 0x0000000000427159 <+41>: cmp %edi,0x8(%rdx)

  (gdb) p $edi  ## pid variable
  $1 = 19385

  (gdb) p *($rdx + 8) ## jp->pid struct
  Cannot access memory at address 0x13
  --

  ksh is segfaulting because it can't access struct "jp" ($rdx) thus
  cannot de-reference the struct member "jp>pid" ($rdx + 8) at line :
  src/cmd/ksh93/sh/jobs.c:1948 when looking if jp->pid is equal to pid
  ($edi) variable.

  I have looked at the github project "att/ast" upstream repo and some
  patches here and there, and nothing seems to apply.

  Note that the project seems unmaintained nowadays.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ksh/+bug/1697501/+subscriptions