
bash dies with a SEGV if it has to guess a mail spool file


rj...@cam.ac.uk

Feb 4, 1998, 3:00:00 AM2/4/98

Configuration Information [Automatically generated, do not change]:
Machine: sparc
OS: solaris2.5
Compiler: cc
Compilation CFLAGS: -DPROGRAM='bash' -DHOSTTYPE='sparc' -DOSTYPE='solaris2.5' -DMACHTYPE='sparc-sun-solaris2.5' -DSHELL -DHAVE_CONFIG_H -DSunOS5 -I. -I. -I./lib -g
uname output: SunOS ursa.cus.cam.ac.uk 5.5 Generic_103093-14 sun4d sparc SUNW,SPARCserver-1000
Machine Type: sparc-sun-solaris2.5

Bash Version: 2.01
Patch Level: 1
Release Status: release

Description:
If MAIL and MAILCHECK are both unset, bash resorts to
make_default_mailpath() in mailcheck.c. However, under certain
circumstances the current_user structure is not fully initialized and
strlen dies with a SEGV.

Repeat-By:
[ This is not exactly how it arose in practice, but is the
simplest demo case we can find that manifests the bug. ]

$ ./bash -c 'MAIL=60;unset MAIL'
Segmentation Fault (core dumped)

$ dbx bash core
...
program terminated by signal SEGV (no mapping at the fault address)
Current function is make_default_mailpath
294 mp = xmalloc (2 + sizeof (DEFAULT_MAIL_DIRECTORY) + strlen (current_user.user_name));
(dbx) where
[1] strlen(0x0, 0x0, 0xffffffff, 0x7efefeff, 0x81010100, 0x17f330), at 0xdf622e94
=>[2] make_default_mailpath(), line 294 in "mailcheck.c"
[3] remember_mail_dates(), line 322 in "mailcheck.c"
[4] sv_mail(name = 0x17f1cc "MAIL"), line 5749 in "subst.c"
[5] stupidly_hack_special_variables(name = 0x17f1cc "MAIL"), line 5718 in "subst.c"
[6] makunbound(name = 0x17f2ac "MAIL", hash_list = 0x175c8c), line 1740 in "variables.c"
[7] unset_builtin(list = 0x17f3ac), at 0xa833c
[8] execute_builtin(builtin = &unset_builtin(WORD_LIST *list) at 0xa7ea8, words = 0x17f34c, flags = 0, subshell = 0), line 2486 in "execute_cmd.c"
[9] execute_builtin_or_function(words = 0x17f34c, builtin = &unset_builtin(WORD_LIST *list) at 0xa7ea8, var = (nil), redirects = (nil), fds_to_close = 0x17f10c, flags = 0), line 2721 in "execute_cmd.c"
[10] execute_simple_command(simple_command = 0x17f08c, pipe_in = -1, pipe_out = -1, async = 0, fds_to_close = 0x17f10c), line 2376 in "execute_cmd.c"
[11] execute_command_internal(command = 0x17f58c, asynchronous = 0, pipe_in = -1, pipe_out = -1, fds_to_close = 0x17f10c), line 742 in "execute_cmd.c"
[12] execute_connection(command = 0x17f5cc, asynchronous = 0, pipe_in = -1, pipe_out = -1, fds_to_close = 0x17f10c), line 1450 in "execute_cmd.c"
[13] execute_command_internal(command = 0x17f5cc, asynchronous = 0, pipe_in = -1, pipe_out = -1, fds_to_close = 0x17f10c), line 879 in "execute_cmd.c"
[14] parse_and_execute(string = 0x176e0c "MAIL=60;unset MAIL", from_file = 0x15a23c "-c", flags = 4), line 206 in "evalstring.c"
[15] run_one_command(command = 0xdffffc92 "MAIL=60;unset MAIL"), line 926 in "shell.c"
[16] main(argc = 3, argv = 0xdffffb8c, env = 0xdffffb9c), line 496 in "shell.c"


Fix:
Put a call to get_current_user_info() at the start of
make_default_mailpath(). get_current_user_info() starts with a test
to make sure it's not being run on a completed user_info structure so
I'm not too worried about unnecessary work burning the CPU. It might
be better to make sure that current_user is correctly initialized just
once earlier on, though.

$ diff bash-2.01.1/mailcheck.c bash-2.01.1.bob/mailcheck.c
293a294,295
> /* Added the call to get_current_user_info() - RJD 1998-02-04 */
> get_current_user_info();
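Review bot: the added get_current_user_info() call guards this one use of current_user.user_name, but the trace shows it is reached from sv_mail() through makunbound(), so any other reader of current_user that a variable hook can reach before startup has filled the structure is still exposed; the alternative the report itself raises, initializing current_user once early on, would close the class rather than this instance. If the per-site call is kept, the comment should say that get_current_user_info() returns early on a completed structure, since that is the reason the extra call on every mail check is acceptable.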

--
Bob Dowling: UNIX Support, University of Cambridge Computing Service,
rj...@cam.ac.uk New Museums Site, Pembroke Street, Cambridge, UK. CB2 3QG
+44 1223 334728 http://www-uxsup.csx.cam.ac.uk/
--- Those who do not learn from Dilbert are doomed to repeat it. ---
