Path: csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail From: Bonjour Abracadraba Newsgroups: gnu.bash.bug Subject: crash (unhandled SIGPIPE) on write to closed file descriptor Date: Sat, 20 Jul 2019 20:05:38 +0200 Lines: 91 Approved: bug-bash@gnu.org Message-ID: References: NNTP-Posting-Host: lists.gnu.org Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Trace: usenet.stanford.edu 1563657463 4908 209.51.188.17 (20 Jul 2019 21:17:43 GMT) X-Complaints-To: action@cs.stanford.edu To: bug-bash@gnu.org Envelope-to: bug-bash@gnu.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=qieZXjty8DW3KkbDLw3+iuSRCQ0y+suHl2QR2PlEXSg=; b=Trd/eXoY85rXh+l6cmz6CTRf68lTsK6gfut3w9biKygJH8yG8ieI7I0XMmzfyTdfF/ JO6gEMz7Ksm83XlTaZAkVwuVvGr+S6axLvG3+c4Vj6WY8Uk7AZjppHIsGACAS6DPSHd/ lHIso2wuq7pyNqOK5yy32M0xR/qLr9GlFY0DD+WILvBYnimdHXsuvEL+sR0uc3CW4/zo vwFEUOTjjaOcUgxtGxsi5Hfhud2qCtOnerOMyptiLEk58wWrHXkVk8AL+NY91q2Ak2gM oLbfcXJ/0dgNGo/fe7G2K8Mqbi9pk8iqmnxO4W3ZAz4CDfUjBFmKr2GoEvByU5sCG662 Fl3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=qieZXjty8DW3KkbDLw3+iuSRCQ0y+suHl2QR2PlEXSg=; b=WlHuxW9S/aNUIAgZmmC9af4LGsCg44xkBSsjhqyZ9CpIhAqlrSRW5IW2zs9xUsRcLC yZZHP5BG1sWF0Emeca9IrrB/MCGjFYxHjvBu81Uqo2XeC0915TCMeD6Yx5+0Q6OychXn OpkhtGOrQ/6dTHrj/Ta7keF7T2yq94hA102JOKSeaZPylUDOPBQdYZ9dgAYDz5yZ8nqk 14qjOZeu6HuLAycIDSbCKXDZD3wvKX3K99x2a53TCNlYPXc47jPYNdIkDbCwQDCTFr5B 2WtXfWp8C1U/Fp5brR2Y9q2+AAIa9lLdA+fchZ/dAxV9r9p+DrC2EsuAxszWwDm2fe4P eXGQ== X-Gm-Message-State: APjAAAVN6ErVOSKAWGtzF0X+XJDiLt4Ba87QgGkTFMEiutdegvXikp4E s9GFOwnjNtHUpy7AKNCqS7X30zWw++nYrHDg0UEH+U2k X-Google-Smtp-Source: APXvYqzNEOb2gyBujDe7xqGBMjrGj44bP2JUeAK14zcgi8BStTcaqYnJvuU2tW45WZ14hCjFP+O/cr75Q1il6xeHNCE= X-Received: by 2002:a6b:7606:: with SMTP id g6mr709887iom.288.1563645939502; Sat, 20 Jul 2019 11:05:39 -0700 (PDT) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:4864:20::d33 X-Mailman-Approved-At: Sat, 20 Jul 2019 17:17:42 -0400 X-BeenThere: bug-bash@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Bug reports for the GNU Bourne Again SHell List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Mailman-Original-Message-ID: Xref: csiph.com gnu.bash.bug:15195 Configuration Information [Automatically generated, do not change]: Machine: x86_64 OS: linux-gnu Compiler: gcc Compilation CFLAGS: -g -O2 -fdebug-prefix-map=/build/bash-2bxm7h/bash-5.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -Wno-parentheses -Wno-format-security uname output: Linux garegga 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) x86_64 GNU/Linux Machine Type: x86_64-pc-linux-gnu Bash Version: 5.0 Patch Level: 3 Release Status: release Description: Bash 2.04 through 5.0 crash when trying to write to a closed socket. It is expected for bash to give an user error, but it exits instead. Using the socket opening feature in the redirection code, opening a socket, assigning it to a file descriptor, then having that socket close and try to write to it again will crash. This bug works on version 2.04 (when writing to sockets was first introduced) through 5.0. Backtrace: Program received signal SIGPIPE, Broken pipe. 0x00007ffff7eab504 in __GI___libc_write (fd=1, buf=0x5555559f0c08, nbytes=1) at ../sysdeps/unix/sysv/linux/write.c:26 26 ../sysdeps/unix/sysv/linux/write.c: Aucun fichier ou dossier de ce type. (gdb) where #0 0x00007ffff7eab504 in __GI___libc_write (fd=1, buf=0x5555559f0c08, nbytes=1) at ../sysdeps/unix/sysv/linux/write.c:26 #1 0x00007ffff7e3c3bd in _IO_new_file_write (f=0x7ffff7f7d760 <_IO_2_1_stdout_>, data=0x5555559f0c08, n=1) at fileops.c:1183 #2 0x00007ffff7e3b75f in new_do_write (fp=0x7ffff7f7d760 <_IO_2_1_stdout_>, fp@entry=0x1, data=0x5555559f0c08 "\n\n", '\337' , ..., to_do=to_do@entry=1) at libioP.h:839 #3 0x00007ffff7e3d509 in _IO_new_do_write (to_do=1, data=, fp=0x1) at fileops.c:430 #4 _IO_new_do_write (fp=fp@entry=0x7ffff7f7d760 <_IO_2_1_stdout_>, data=, to_do=1) at fileops.c:430 #5 0x00007ffff7e3d8f3 in _IO_new_file_overflow (f=0x7ffff7f7d760 <_IO_2_1_stdout_>, ch=10) at fileops.c:791 #6 0x00005555557cf1e5 in putchar (__c=10) at /usr/include/x86_64-linux-gnu/bits/stdio.h:84 #7 echo_builtin (list=) at ./echo.def:199 #8 0x00005555555efc9b in execute_builtin (builtin=builtin@entry=0x5555557ce6d0 , flags=flags@entry=0, subshell=subshell@entry=0, words=) at execute_cmd.c:4708 #9 0x00005555555fc819 in execute_builtin_or_function (flags=, fds_to_close=0x555555a5f2e8, redirects=, var=0x0, builtin=0x5555557ce6d0 , words=0x555555a069c8) at execute_cmd.c:5216 #10 execute_simple_command (simple_command=, pipe_in=pipe_in@entry=-1, pipe_out=pipe_out@entry=-1, async=async@entry=0, fds_to_close=fds_to_close@entry=0x555555a5f2e8) at execute_cmd.c:4478 #11 0x000055555560310e in execute_command_internal (command=0x555555a5f388, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555a5f2e8) at execute_cmd.c:841 #12 0x0000555555609b31 in execute_command (command=0x555555a5f388) at execute_cmd.c:394 #13 0x000055555558d8a9 in reader_loop () at eval.c:175 #14 0x000055555558896d in main (argc=1, argv=0x7fffffffe3d8, env=0x7fffffffe3e8) at shell.c:805 Repeat-By: 1. Open bash. 2. Open any kind of socket and assign it to a file descriptor: exec 3<>/dev/tcp/www.google.com/80 3. Have the socket close, for example sending garbage to close the socket: echo "a" >&3; echo "a" >&3 4. Try to write to the socket again: echo "" >&3 5. Bash crashes. -- xy2_ (Hugo Elhaj-Lahsen) www.xy2.dev