4.4: crash in redir10 test; use after free?

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

4.4: crash in redir10 test; use after free?

From:	Christian Weisgerber
Subject:	4.4: crash in redir10 test; use after free?
Date:	Tue, 1 Nov 2016 17:03:02 +0100
User-agent:	Mutt/1.7.1 (2016-10-04)

Running the bash 4.4 regression test suite on OpenBSD/amd64, I noticed
a crash in the redir tests.  Specifically, running redir10.sub with
bash 4.4 causes it to die with a bus error most of the time.

Program terminated with signal 10, Bus error.

#0  0x00001c9ad0634009 in find_pipeline (pid=97028, alive_only=1,
    jobp=0x7f7ffffea514) at jobs.c:1481
1481              if (p->pid == pid && ((alive_only == 0 && PRECYCLED(p) == 0) 
|| PALIVE(p)))
(gdb) p last_procsub_child
$1 = (PROCESS *) 0x1c9d2b698ca0
(gdb) p *last_procsub_child
$2 = {next = 0xdfdfdfdfdfdfdfdf, pid = -538976289, status = -538976289,
  running = -538976289,
  command = 0xdfdfdfdfdfdfdfdf <Address 0xdfdfdfdfdfdfdfdf out of bounds>}
(gdb) p /x last_procsub_child->pid 
$3 = 0xdfdfdfdf

This looks like a use after free() since OpenBSD's malloc fills
some of the freed memory with 0xdf.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de

[Prev in Thread]

Current Thread

[Next in Thread]

4.4: crash in redir10 test; use after free?, Christian Weisgerber <=
- Re: 4.4: crash in redir10 test; use after free?, Chet Ramey, 2016/11/02
  - Re: 4.4: crash in redir10 test; use after free?, Christian Weisgerber, 2016/11/02
    - Re: 4.4: crash in redir10 test; use after free?, Chet Ramey, 2016/11/02

Prev by Date: Re: [PATCH] Add-rm-rf-as-examples-loadables-rm.c
Next by Date: out-of-bound read in brackmatch function in "sm_loop.c"
Previous by thread: Re: [PATCH] Add-rm-rf-as-examples-loadables-rm.c
Next by thread: Re: 4.4: crash in redir10 test; use after free?
Index(es):
- Date
- Thread