Bug 1362705 - ksh crash in memcmp call
Summary: ksh crash in memcmp call
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ksh
Version: 5.11
Hardware: s390x
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Siteshwar Vashisht
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-02 22:21 UTC by Paulo Andrade
Modified: 2017-04-18 22:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-18 22:03:51 UTC



Description Paulo Andrade 2016-08-02 22:21:21 UTC
A small reproducer for the cause of the ksh crash is

---8<---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

int
main(int argc, char *argv[])
{
    char *a = "foobarbaz";
    char *b = "foobarb";
    int x;
    int lena = strlen(a);
    int lenb = strlen(b);
    char *mem;

    /* two pages, both unreadable at first; b is placed at the very end of
       the first page so that the byte after its NUL is unmapped */
    mem = mmap(NULL, 8192, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (mem == MAP_FAILED) {
	perror("mmap");
	exit(1);
    }
    /* make only the first page readable and writable */
    mprotect(mem, 4096, PROT_READ | PROT_WRITE);
    strcpy(mem + 4096 - lenb - 1, b);
    /* memcmp is asked for lena (9) bytes although b occupies only lenb + 1 (8):
       an implementation that fetches more than one byte at a time touches the
       PROT_NONE page and crashes */
    x = memcmp(a, mem + 4096 - lenb - 1, lena);
    printf("%d\n", x);
    return 0;
}
---8<---
# gcc -O0 -g3 t.c
# gdb -q a.out 
Reading symbols from /root/a.out...done.
(gdb) r
Starting program: /root/a.out 

Program received signal SIGSEGV, Segmentation fault.
0x0000000080000884 in main (argc=1, argv=0x3ffffd64958) at x.c:18
18	    x = memcmp(a, mem + 4096 - lenb - 1, lena);
---8<---

  If memcmp is ensured not to read the non-readable
memory it works, e.g. with the pseudo patch:

-    x = memcmp(a, mem + 4096 - lenb - 1, lena);
+    x = memcmp(a, mem + 4096 - lenb - 1, lena<=lenb?lena:lenb);
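Review bot: bounding the length to the shorter of lena and lenb stops the overread but makes two strings that share a prefix compare equal, which is why the run below prints 0 for "foobarbaz" versus "foobarb". A caller that needs an exact match must also check that lena == lenb before the memcmp, otherwise the bounded compare silently reports a match on a prefix.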

---8<---
# gcc -O0 -g3 x.c
# gdb -q a.out 
Reading symbols from /root/a.out...done.
(gdb) r
Starting program: /root/a.out 
0

Program exited normally.
---8<---

  So a pseudo patch to fix the crash would be:
ksh-20100621/src/cmd/ksh93/sh/path.c:1451
-			if(memcmp(name,pp->name,len)==0 && (pp->name[len]==':' || pp->name[len]==0))
+			if(len==pp->len && memcmp(name,pp->name,len)==0 && (pp->name[len]==':' || pp->name[len]==0))
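Review bot: the `len==pp->len` guard relies on `pp->len` always holding the length of `pp->name`; given that, the memcmp only runs when the two lengths agree and can no longer read past the end of a shorter `pp->name`. If `pp->len` is not maintained on every code path that fills in `pp->name`, `strncmp(name,pp->name,len)==0` would bound the read without depending on it, since strncmp stops at the NUL of either string.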

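A bounded version of the lookup that the pseudo patch above is guarding, as an added example that is not part of this report or of the ksh sources: `path_has_component` is a hypothetical helper that walks a colon-separated PATH-like string and checks each component's length before calling memcmp, so the "foobarbaz" versus "foobarb" case from the reproducer is rejected without reading past the shorter string.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not ksh code): return 1 if some colon-separated
 * component of `path` is exactly equal to the first `len` bytes of `name`,
 * else 0. The length check comes first so memcmp is never asked for more
 * bytes than the component actually contains.
 */
int path_has_component(const char *path, const char *name, size_t len)
{
    const char *comp = path;

    for (;;) {
        const char *end = strchr(comp, ':');
        size_t complen = end ? (size_t)(end - comp) : strlen(comp);

        /* memcmp only runs when the lengths agree, so it reads at most
           complen bytes of comp, all of which belong to the component */
        if (complen == len && memcmp(comp, name, len) == 0)
            return 1;
        if (end == NULL)
            return 0;
        comp = end + 1;
    }
}

int main(void)
{
    /* constructed sample PATH containing the report's shorter string */
    const char *path = "/usr/bin:foobarb:/bin";

    /* prefix match only: 0 (the unguarded memcmp would overread here) */
    printf("%d\n", path_has_component(path, "foobarbaz", 9));
    /* exact match: 1 */
    printf("%d\n", path_has_component(path, "foobarb", 7));
    return 0;
}
```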
Comment 1 Chris Williams 2017-04-18 22:03:51 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

