
Bug#291840: marked as forwarded (bash: segfault on variable assignment)

Subject: Bug#291840: marked as forwarded bash: segfault on variable assignment
From: Debian Bug Tracking System
Date: Mon, 22 Aug 2005 13:03:21 -0700
Your message dated Mon, 22 Aug 2005 15:41:08 -0400
with message-id <[email protected]>
has caused the Debian Bug report #291840,
regarding bash: segfault on variable assignment
to be marked as having been forwarded to the upstream software
author(s) [email protected]

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at 291840-forwarded) by bugs.debian.org; 22 Aug 2005 19:41:12 +0000
>From [email protected] Mon Aug 22 12:41:12 2005
Return-path: <[email protected]>
Received: from ms-smtp-04.nyroc.rr.com [] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E7IAS-0005yA-00; Mon, 22 Aug 2005 12:41:12 -0700
Received: from andromeda (cpe-69-202-136-66.twcny.res.rr.com [])
        by ms-smtp-04.nyroc.rr.com (8.12.10/8.12.10) with ESMTP id 
        Mon, 22 Aug 2005 15:41:10 -0400 (EDT)
Received: from pryzbyj by andromeda with local (Exim 4.52)
        id 1E7IAP-0000s5-4e; Mon, 22 Aug 2005 15:41:09 -0400
Date: Mon, 22 Aug 2005 15:41:08 -0400
To: [email protected]
Cc: [email protected]
Subject: debian bug #291840; bash segfaults on variable assignment
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
From: Justin Pryzby <[email protected]>
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Delivered-To: [email protected]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.5 required=4.0 tests=BAYES_00,HTML_MESSAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Hello Chet,

I can confirm that bash segfaults on a variable assignment as
indicated here:


The relevant assignment is:

  IFS="$(echo -e "\255")"

and I get the following backtrace:

  #0  0xb7edc07f in memcpy () from /lib/tls/libc.so.6
  #1  0x080867e0 in setifs ()
  #2  0x0807455c in stupidly_hack_special_variables ()
  #3  0x0807f0ba in strip_trailing_ifs_whitespace ()
  #4  0x0807f31a in do_assignment ()
  #5  0x0808715e in expand_words_shellexp ()
  #6  0x080869ba in expand_words ()
  #7  0x0806d9bd in execute_command_internal ()
  #8  0x0806a988 in execute_command_internal ()
  #9  0x0806a4b5 in execute_command ()
  #10 0x0805dd80 in reader_loop ()
  #11 0x0805bb46 in main ()

Disassembly of setifs looks like:
0x08086720 <setifs+0>:  push   %ebp
0x08086721 <setifs+1>:  mov    $0x80d1887,%edx
0x08086726 <setifs+6>:  mov    %esp,%ebp
0x08086728 <setifs+8>:  sub    $0x18,%esp
0x0808672b <setifs+11>: mov    0x8(%ebp),%eax
0x0808672e <setifs+14>: test   %eax,%eax
0x08086730 <setifs+16>: mov    %eax,0x80efc24
0x08086735 <setifs+21>: je     0x808673a <setifs+26>
0x08086737 <setifs+23>: mov    0x4(%eax),%edx
0x0808673a <setifs+26>: mov    %edx,0x80efd44
0x08086740 <setifs+32>: mov    $0x100,%eax
0x08086745 <setifs+37>: mov    %eax,0x8(%esp)
0x08086749 <setifs+41>: xor    %eax,%eax
0x0808674b <setifs+43>: mov    %eax,0x4(%esp)
0x0808674f <setifs+47>: movl   $0x80efc40,(%esp)
0x08086756 <setifs+54>: call   0x805b3b8 <unlink+1808>
0x0808675b <setifs+59>: mov    0x80efd44,%ecx
0x08086761 <setifs+65>: test   %ecx,%ecx
0x08086763 <setifs+67>: mov    %ecx,%edx
0x08086765 <setifs+69>: je     0x8086788 <setifs+104>
0x08086767 <setifs+71>: movzbl (%ecx),%eax
0x0808676a <setifs+74>: test   %al,%al
0x0808676c <setifs+76>: je     0x8086784 <setifs+100>
0x0808676e <setifs+78>: mov    %esi,%esi
0x08086770 <setifs+80>: movzbl %al,%eax
0x08086773 <setifs+83>: inc    %edx
0x08086774 <setifs+84>: movb   $0x1,0x80efc40(%eax)
0x0808677b <setifs+91>: je     0x8086784 <setifs+100>
0x0808677d <setifs+93>: movzbl (%edx),%eax
0x08086780 <setifs+96>: test   %al,%al
0x08086782 <setifs+98>: jne    0x8086770 <setifs+80>
0x08086784 <setifs+100>:        test   %ecx,%ecx
0x08086786 <setifs+102>:        jne    0x808679b <setifs+123>
0x08086788 <setifs+104>:        movb   $0x0,0x80efc28
0x0808678f <setifs+111>:        mov    $0x1,%eax
0x08086794 <setifs+116>:        mov    %eax,0x80efd48
0x08086799 <setifs+121>:        leave  
0x0808679a <setifs+122>:        ret    
0x0808679b <setifs+123>:        call   0x805b2e8 <unlink+1600>
0x080867a0 <setifs+128>:        mov    %eax,0x4(%esp)
0x080867a4 <setifs+132>:        mov    0x80efd44,%eax
0x080867a9 <setifs+137>:        mov    %eax,(%esp)
0x080867ac <setifs+140>:        call   0x805b418 <unlink+1904>
0x080867b1 <setifs+145>:        mov    %eax,0x4(%esp)
0x080867b5 <setifs+149>:        mov    0x80efd44,%eax
0x080867ba <setifs+154>:        mov    %eax,(%esp)
0x080867bd <setifs+157>:        call   0x805b408 <unlink+1888>
0x080867c2 <setifs+162>:        mov    %eax,0x80efd48
0x080867c7 <setifs+167>:        mov    %eax,0x8(%esp)
0x080867cb <setifs+171>:        mov    0x80efd44,%eax
0x080867d0 <setifs+176>:        movl   $0x80efc28,(%esp)
0x080867d7 <setifs+183>:        mov    %eax,0x4(%esp)
0x080867db <setifs+187>:        call   0x805b1a8 <unlink+1280>
0x080867e0 <setifs+192>:        jmp    0x8086799 <setifs+121>
0x080867e2 <setifs+194>:        lea    0x0(%esi),%esi
0x080867e9 <setifs+201>:        lea    0x0(%edi),%edi

I ran bash under valgrind, passing it the relevant assignment command,
and got:

==3020== Invalid read of size 1
==3020==    at 0x1B905B90: memcpy (mac_replace_strmem.c:298)
==3020==    by 0x80867DF: setifs (in /bin/bash)
==3020==    by 0x807455B: stupidly_hack_special_variables (in /bin/bash)
==3020==    by 0x807F0B9: (within /bin/bash)
==3020==    by 0x807F319: do_assignment (in /bin/bash)
==3020==    by 0x808715D: (within /bin/bash)
==3020==    by 0x80869B9: expand_words (in /bin/bash)
==3020==    by 0x806D9BC: (within /bin/bash)
==3020==    by 0x806A987: execute_command_internal (in /bin/bash)
==3020==    by 0x806A4B4: execute_command (in /bin/bash)
==3020==    by 0x805DD7F: reader_loop (in /bin/bash)
==3020==    by 0x805BB45: main (in /bin/bash)
==3020==  Address 0x8233000 is not stack'd, malloc'd or (recently) free'd

==3020== Invalid read of size 4
==3020==    at 0x8087A79: hash_search (in /bin/bash)
==3020==    by 0x80713FD: (within /bin/bash)
==3020==    by 0x807143E: var_lookup (in /bin/bash)
==3020==    by 0x80714A9: find_variable_internal (in /bin/bash)
==3020==    by 0x807152E: find_variable (in /bin/bash)
==3020==    by 0x80715D0: get_string_value (in /bin/bash)
==3020==    by 0x8090D0E: maybe_save_shell_history (in /bin/bash)
==3020==    by 0x808B493: termination_unwind_protect (in /bin/bash)
==3020==    by 0x1B987A17: (within /lib/tls/libc-2.3.2.so)
==3020==    by 0x80867DF: setifs (in /bin/bash)
==3020==    by 0x807455B: stupidly_hack_special_variables (in /bin/bash)
==3020==    by 0x807F0B9: (within /bin/bash)
==3020==  Address 0x1C is not stack'd, malloc'd or (recently) free'd

(followed by some other stuff probably invalidated by a valgrind

This is bash --version:

  GNU bash, version 3.00.16(1)-release (i386-pc-linux-gnu)

  Debian bash 3.0-15

I just compiled a copy locally with gcc-, and got

#0  0xb7ed607f in memcpy () from /lib/tls/libc.so.6
#1  0x080867e0 in setifs (v=0xffffffff) at ../bash/subst.c:6955
#2  0x0807455c in stupidly_hack_special_variables (name=0x810db08 "")
    at ../bash/variables.c:3738
#3  0x0807f0ba in do_assignment_internal (string=0x80f7388 "", expand=1)
    at ../bash/subst.c:2191
#4  0x0807f31a in do_assignment (
    string=0xffffffff <Address 0xffffffff out of bounds>)
    at ../bash/subst.c:2206
#5  0x0808715e in expand_word_list_internal (list=0x80f0048, eflags=136233864)
    at ../bash/subst.c:7460
#6  0x080869ba in expand_words (list=0xffffffff) at ../bash/subst.c:7150
#7  0x0806d9bd in execute_simple_command (simple_command=0x810d8e8, 
    pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x810da48)
    at ../bash/execute_cmd.c:2793
#8  0x0806a988 in execute_command_internal (command=0x810d8c8, asynchronous=0, 
    pipe_in=-1, pipe_out=-1, fds_to_close=0x810da48)
    at ../bash/execute_cmd.c:660
#9  0x0806a4b5 in execute_command (command=0xffffffff)
    at ../bash/execute_cmd.c:347
#10 0x0805dd80 in reader_loop () at ../bash/eval.c:146
#11 0x0805bb46 in main (argc=1, argv=0xbfffe6e4, env=0xbfffe6ec)
    at ../bash/shell.c:704
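The following is an added example, written for this archive page; it is not part of the report above and not bash's own source. It reconstructs the failure mode the report points at, as I read the disassembly and the valgrind output: in setifs, MB_CUR_MAX is fetched, a bounded strlen of the IFS value is taken, mblen() is called on it, and its result is stored and passed straight to memcpy() as the length. A byte such as 0xAD (the `\255` from the report) is not a valid character on its own in a UTF-8 locale, so mblen() returns -1, which stored in a size_t becomes SIZE_MAX, and the copy reads far past the one-byte string, which is exactly the "Invalid read of size 1 ... in memcpy ... by setifs" that valgrind reports. The function names, the fixed buffer `ifs_firstc`, and the test input are my own constructions, not identifiers taken from bash; the point of the block is the unchecked length beside the checked one and a copy that refuses a length it cannot satisfy.

```c
/* Added example (not bash's own code): unchecked vs checked use of the
 * mblen() result when the first byte of IFS is not a valid character. */
#include <limits.h>
#include <locale.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Try to select a UTF-8 locale so that 0xAD is an invalid lead byte.
 * Returns 1 if a multibyte UTF-8 locale is active, 0 if only "C" is. */
int utf8_locale_available(void) {
    const char *names[] = { "C.UTF-8", "en_US.UTF-8" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL && MB_CUR_MAX > 1)
            return 1;
    setlocale(LC_CTYPE, "C");
    return 0;
}

/* Length of s, but never looking further than max bytes (a strnlen). */
static size_t prefix_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Unchecked: length of IFS's first character straight from mblen().
 * mblen() returns -1 for an invalid or incomplete sequence; stored in a
 * size_t that becomes SIZE_MAX, the length a following memcpy() would use. */
size_t first_char_len_unchecked(const char *ifs_value) {
    size_t ifs_len = prefix_len(ifs_value, MB_CUR_MAX);
    mblen(NULL, 0);                       /* reset any shift state */
    return (size_t) mblen(ifs_value, ifs_len);
}

/* Checked: anything that is not a valid multibyte character of two or
 * more bytes (invalid, incomplete, empty, or a plain single byte) is
 * treated as exactly one byte, so the length can never go negative. */
size_t first_char_len_checked(const char *ifs_value) {
    size_t ifs_len = prefix_len(ifs_value, MB_CUR_MAX);
    mblen(NULL, 0);
    int n = mblen(ifs_value, ifs_len);
    return (n <= 1) ? 1 : (size_t) n;
}

/* Fixed buffer playing the role of the shell's stored first IFS char
 * (hypothetical name, sized for the largest multibyte character). */
static char ifs_firstc[MB_LEN_MAX + 1];

/* Bounded copy of the first len bytes of ifs_value into ifs_firstc.
 * Returns the number of bytes stored, or 0 when len cannot be satisfied
 * without reading past the source or writing past the buffer. */
size_t set_ifs_firstc(const char *ifs_value, size_t len) {
    if (len == 0 || len >= sizeof ifs_firstc ||
        len > prefix_len(ifs_value, sizeof ifs_firstc))
        return 0;
    memcpy(ifs_firstc, ifs_value, len);
    ifs_firstc[len] = '\0';
    return len;
}

int main(void) {
    const char *ifs = "\xad";             /* constructed: the byte from the report */
    int utf8 = utf8_locale_available();
    size_t bad = first_char_len_unchecked(ifs);
    size_t good = first_char_len_checked(ifs);
    printf("UTF-8 locale active: %s\n", utf8 ? "yes" : "no");
    printf("unchecked length: %zu (%s)\n", bad,
           bad == SIZE_MAX ? "memcpy would read far past IFS" : "decoded as one byte");
    printf("checked length:   %zu\n", good);
    printf("bounded copy with unchecked length stored %zu byte(s)\n",
           set_ifs_firstc(ifs, bad));
    printf("bounded copy with checked length stored   %zu byte(s)\n",
           set_ifs_firstc(ifs, good));
    return 0;
}
```

Run it in a UTF-8 locale and the unchecked path reports a length of SIZE_MAX for the single 0xAD byte while the checked path reports 1; the bounded copy refuses the first and stores one byte for the second. Whether the locale switch succeeds depends on the locales installed on the machine, which is why the helper reports it rather than assuming it.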

