https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290330
--- Comment #2 from Bryan Drewery <[email protected]> ---
Slightly different but easily reproducible with `make DEBUG_FLAGS=-fsanitize=address` in bin/sh.

~/git/freebsd/main2/bin/sh # obj/sh -c 'set -m; sleep 300 | sleep 200 & sleep 300 & kill %1; wait %1'
=================================================================
==64152==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000001344 at pc 0x000001115488 bp 0x7fffffffdb80 sp 0x7fffffffdb78
READ of size 4 at 0x503000001344 thread T0
    #0 0x000001115487 in getjobstatus /root/git/freebsd/main2/bin/sh/jobs.c:343:34
    #1 0x000001115487 in waitcmdloop /root/git/freebsd/main2/bin/sh/jobs.c:567:14
    #2 0x000001114ebc in waitcmd /root/git/freebsd/main2/bin/sh/jobs.c:546:13
    #3 0x0000010fe136 in evalcommand /root/git/freebsd/main2/bin/sh/eval.c:1099:16
    #4 0x0000010fb209 in evaltree /root/git/freebsd/main2/bin/sh/eval.c:281:4
    #5 0x0000010faa2d in evalstring /root/git/freebsd/main2/bin/sh/eval.c
    #6 0x00000111b969 in main /root/git/freebsd/main2/bin/sh/main.c:164:3
    #7 0x00080132133e in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:180:7
    #8 0x000001050300 in _start /usr/src/lib/csu/amd64/crt1_s.S:80

0x503000001344 is located 20 bytes inside of 32-byte region [0x503000001330,0x503000001350)
freed by thread T0 here:
    #0 0x0000010c0836 in free /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x000001114cc5 in freejob /root/git/freebsd/main2/bin/sh/jobs.c:521:3
    #2 0x000001118666 in dowait /root/git/freebsd/main2/bin/sh/jobs.c:1233:8
    #3 0x000001114fcd in waitcmdloop /root/git/freebsd/main2/bin/sh/jobs.c:602:11
    #4 0x000001114ebc in waitcmd /root/git/freebsd/main2/bin/sh/jobs.c:546:13
    #5 0x0000010fe136 in evalcommand /root/git/freebsd/main2/bin/sh/eval.c:1099:16
    #6 0x0000010fb209 in evaltree /root/git/freebsd/main2/bin/sh/eval.c:281:4
    #7 0x0000010faa2d in evalstring /root/git/freebsd/main2/bin/sh/eval.c
    #8 0x00000111b969 in main /root/git/freebsd/main2/bin/sh/main.c:164:3
    #9 0x00080132133e in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:180:7
    #10 0x000001050300 in _start /usr/src/lib/csu/amd64/crt1_s.S:80
    #11 0x000801197007 (<unknown module>)

previously allocated by thread T0 here:
    #0 0x0000010c095f in malloc /usr/src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x00000111c7ae in ckmalloc /root/git/freebsd/main2/bin/sh/memalloc.c:63:6
    #2 0x0000011169f7 in makejob /root/git/freebsd/main2/bin/sh/jobs.c:800:12
    #3 0x0000010fb310 in evalpipe /root/git/freebsd/main2/bin/sh/eval.c:573:7
    #4 0x0000010fb310 in evaltree /root/git/freebsd/main2/bin/sh/eval.c:277:4
    #5 0x0000010fb283 in evaltree /root/git/freebsd/main2/bin/sh/eval.c:204:4
    #6 0x0000010faa2d in evalstring /root/git/freebsd/main2/bin/sh/eval.c
    #7 0x00000111b969 in main /root/git/freebsd/main2/bin/sh/main.c:164:3
    #8 0x00080132133e in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:180:7
    #9 0x000001050300 in _start /usr/src/lib/csu/amd64/crt1_s.S:80
    #10 0x000801197007 (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /root/git/freebsd/main2/bin/sh/jobs.c:343:34 in getjobstatus
Shadow bytes around the buggy address:
  0x503000001080: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x503000001100: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x503000001180: fd fd fd fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x503000001200: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x503000001280: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 07 fa fa
=>0x503000001300: 00 00 00 04 fa fa fd fd[fd]fd fa fa 00 00 00 06
  0x503000001380: fa fa 00 00 00 05 fa fa 00 00 00 05 fa fa fa fa
  0x503000001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000001500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000001580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64152==ABORTING

This avoids it:

diff --git bin/sh/jobs.c bin/sh/jobs.c index 1328ae50edef..bb059b44c466 100644 --- bin/sh/jobs.c +++ bin/sh/jobs.c @@ -562,7 +562,7 @@ waitcmdloop(struct job *job) */ do { - if (job != NULL) { + if (job != NULL && job->used != 0) { if (job->state == JOBDONE) { status = getjobstatus(job); if (WIFEXITED(status))
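Review bot: the added `job->used != 0` test in waitcmdloop() only closes the race if the `struct job` slot itself stays valid memory after freejob(); the report's trace is consistent with that (the freed 32-byte region was allocated separately in makejob() at jobs.c:800 and released in freejob() at jobs.c:521, called from dowait() at line 602 while the stale pointer is still read at line 567), but the hunk should carry a comment stating that dowait() may free the job the loop is waiting on and that `used` is the only indication of it, otherwise the next reader will see an unexplained extra condition. It would also be worth checking that the loop terminates once `used` drops to 0 rather than spinning on a job that no longer exists.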
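To make the shape of the bug and of the guard concrete, here is a constructed model of the pattern the report describes: a fixed table of job slots, each owning a separately allocated process array that a reaper can free while a waiter still holds a pointer to the slot. This is added example code, not bin/sh's jobs.c; the struct layout, the `state` encoding and all function names are assumptions modelled on the trace (the freed 32-byte region was allocated in makejob(), apart from the job slot itself), and the unguarded and guarded status readers stand in for getjobstatus() before and after the patch.

```c
#include <stdlib.h>
#include <stdio.h>

/* Assumed layout, modelled on the report; not bin/sh's real structs. */
struct procstat { int pid; int status; };

struct job {
    int used;              /* slot in use; cleared by freejob() */
    int state;             /* assumed encoding: 0 running, 1 done */
    int nprocs;
    struct procstat *ps;   /* heap array, the thing freejob() releases */
};

#define MAXJOBS 4
static struct job jobtab[MAXJOBS];   /* static table: slots outlive freejob() */

/* Take a free slot and allocate its process array. NULL if the table is full. */
struct job *makejob(int nprocs) {
    for (int i = 0; i < MAXJOBS; i++) {
        if (!jobtab[i].used) {
            jobtab[i].ps = calloc((size_t)nprocs, sizeof(struct procstat));
            if (jobtab[i].ps == NULL)
                return NULL;
            jobtab[i].nprocs = nprocs;
            jobtab[i].state = 0;
            jobtab[i].used = 1;
            return &jobtab[i];
        }
    }
    return NULL;
}

/* Reaper side: release the process array and mark the slot unused.
 * The slot memory stays valid, which is what makes a `used` check meaningful. */
void freejob(struct job *jp) {
    free(jp->ps);
    jp->ps = NULL;
    jp->nprocs = 0;
    jp->used = 0;
}

/* Record the last process's wait status and mark the job done. */
void markdone(struct job *jp, int status) {
    jp->ps[jp->nprocs - 1].status = status;
    jp->state = 1;
}

/* Unguarded reader: the pre-patch shape. Trusts the pointer and reads ps[]
 * even if the reaper already released it. */
int getjobstatus_unguarded(const struct job *jp) {
    return jp->ps[jp->nprocs - 1].status;
}

/* Guarded reader: the check the patch adds, applied before touching ps[].
 * Returns -1 (assumed sentinel) when the slot is unused or not yet done. */
int getjobstatus_guarded(const struct job *jp) {
    if (jp == NULL || !jp->used || jp->state != 1)
        return -1;
    return jp->ps[jp->nprocs - 1].status;
}

/* Count of slots still in use; lets a caller confirm the table is clean. */
int jobs_in_use(void) {
    int n = 0;
    for (int i = 0; i < MAXJOBS; i++)
        n += jobtab[i].used;
    return n;
}

/* The race from the report: the job finishes, the reaper frees it, and the
 * waiter then reads through its stale pointer. Returns the guarded result. */
int scenario_stale(void) {
    struct job *jp = makejob(2);
    markdone(jp, 0);
    freejob(jp);
    /* getjobstatus_unguarded(jp) here would dereference the released
     * (in this model, nulled) process array. */
    return getjobstatus_guarded(jp);   /* -1: slot no longer in use */
}

/* Normal path: status read while the job is still live. */
int scenario_live(void) {
    struct job *jp = makejob(2);
    markdone(jp, 3 << 8);              /* exit status 3, encoded like wait(2) */
    int s = getjobstatus_guarded(jp);
    freejob(jp);
    return s >> 8;
}

int main(void) {
    printf("stale read guarded: %d\n", scenario_stale());
    printf("live read: %d\n", scenario_live());
    printf("slots in use: %d\n", jobs_in_use());
    return 0;
}
```

The point the model makes is the one the patch relies on: the guard is sound only because the job slot is table memory that survives freejob(), so `used` can still be read safely; if the job struct itself were heap-allocated and freed, a flag inside it could not protect anything and the pointer would have to be invalidated at the caller instead.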
