Path: csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail
From: Keith Thompson <Keith.S.Thompson@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Seg fault on "echo ~nosuchuser"
Date: Thu, 28 May 2020 15:12:47 -0700
Lines: 90
Approved: bug-bash@gnu.org
Message-ID: <mailman.573.1590703985.2541.bug-bash@gnu.org>
References: <CAAHpriPmaDcTYQLkyGqA6fM_AyVQkfN_f7p1qzkoqj-2-G1xBA@mail.gmail.com>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: usenet.stanford.edu 1590703986 5509 209.51.188.17 (28 May 2020 22:13:06 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: Keith Thompson <Keith.S.Thompson@gmail.com>
To: bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=i3BMf9Gxt9dIjkqsxGxHgIrzMmk4nJFB/gWrJNWSqu8=; b=K+zMKm++uQkiAR9otHjAHiaV611qV9gsracyInwLj84y43I5X20AnPA8jZ27RB3EBk wko/MWSntVWpuL/X+Eb2B7anft4mlOcUi44uv5bexQmxLxIJZC+F2DwCpPlMhJ9cziDs 0Tw0F5tTgganDjY86zT8oEHd2co7KeGbJM2GkO0K4o8M8aZF+UONXwwymFe+CkFqsoRn 0NN7/6kYzdaJBuhE00enJ3mS7f5ig+9faiN/zqCeLUhj8EBFTCvMkHHzMplilxiAHAiQ DU0Od7rBeYFPypk6UYwq0Ve+5EH2hMO2V9gKhhjX6cvFmmGFh4ISoZTMO998fxBhZDbn aMLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=i3BMf9Gxt9dIjkqsxGxHgIrzMmk4nJFB/gWrJNWSqu8=; b=VWvwZkJ5/aVfFsnb2TI9JxOc4T5IIl1tOsiP9tXHpxnk9gDE0lyrldHdRgqS6JW+n6 zuaPFjlMSSLGYo7qSdUz8zAF5IHIOG4OMXKh/oki40SO3w3Y1E7EGY5M1k3jsgOv3S9P hlyHH7pyHufozTsA7oc0BrW59WT0FSrtFSab1RdefR/BS18DZGy9cZWqFr1878f5L6xr vJVfxrN6M9tRAP2yvwYymthTCBv01JwIcI+OwspeJT838pGKbf0bHwaCBcDIgy62oph/ dmjXyo25s7DSamBI0IES7YoWjO9ZxJdXpZcPInsjAOuLVgvJhYwaBMtnKT16Z2iUeCtr CNTw==
X-Gm-Message-State: AOAM530o57eD/TsvVgy9MdN0dbKYgXUKzXI8hoJMRTE0pSkpd+9RbZir Q4jXy2fo6kbOCalKxKtuBFxGGvpu5e/IIH187xTCTJSvpGA=
X-Google-Smtp-Source: ABdhPJzrQGPulC7oclhPadjFwugEIOPr9H/TnEVbzqaJVuMUFIyvv9S4cSN1qngRreyn90/7/fyWEUeHaQgvtU7VgMg=
X-Received: by 2002:aa7:ce17:: with SMTP id d23mr5446691edv.387.1590703978756; Thu, 28 May 2020 15:12:58 -0700 (PDT)
Received-SPF: pass client-ip=2a00:1450:4864:20::541; envelope-from=keithsthompson@gmail.com; helo=mail-ed1-x541.google.com
X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know.
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
X-Mailman-Original-Message-ID: <CAAHpriPmaDcTYQLkyGqA6fM_AyVQkfN_f7p1qzkoqj-2-G1xBA@mail.gmail.com>
Xref: csiph.com gnu.bash.bug:16313

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Wno-parentheses -Wno-format-security
uname output: Linux bomb20 5.4.0-31-generic #35-Ubuntu SMP Thu May 7
20:20:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.0
Patch Level: 16
Release Status: release

Description:
bash crashes with a segmentation fault on the command:
    echo ~nosuchuser
(This assumes there is no user named "nosuchuser".  If there
is, pick a different name).

It's likely this isn't a bug in bash itself, but I haven't
been able to figure out what's going on.

I see this problem on copies of bash 5.0.16 and 5.0.17 built from
sourced on Ubuntu 20.04 LTS.  It does *not* occur with the /bin/bash
    GNU bash, version 5.0.16(1)-release (x86_64-pc-linux-gnu)
provided by the distribution.  I haven't verified how far
back this goes.

I built another copy of bash 5.0.16 from source with "CFLAGS=-g".
When I reproduce the seg fault under gdb, I got the following traceback:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff777eddb in ?? () from /lib/x86_64-linux-gnu/libnss_systemd.so.2
(gdb) where
#0  0x00007ffff777eddb in ?? () from /lib/x86_64-linux-gnu/libnss_systemd.so.2
#1  0x00007ffff77721c8 in ?? () from /lib/x86_64-linux-gnu/libnss_systemd.so.2
#2  0x00007ffff7773009 in ?? () from /lib/x86_64-linux-gnu/libnss_systemd.so.2
#3  0x00007ffff77883e7 in _nss_systemd_getpwnam_r () from
/lib/x86_64-linux-gnu/libnss_systemd.so.2
#4  0x00007ffff7e53f03 in __getpwnam_r (name=name@entry=0x555555722368
"nosuchuser", resbuf=resbuf@entry=0x7ffff7f5e140 <resbuf>,
buffer=0x555555777808 "systemd-coredump",
    buflen=buflen@entry=1024, result=result@entry=0x7fffffffddb0) at
../nss/getXXbyYY_r.c:315
#5  0x00007ffff7e537ec in getpwnam (name=0x555555722368 "nosuchuser")
at ../nss/getXXbyYY.c:134
#6  0x0000555555663dc9 in tilde_expand_word (filename=0x55555571dba8
"~nosuchuser") at ./tilde.c:386
#7  0x0000555555663a73 in tilde_expand (string=0x55555571d493 "") at
./tilde.c:234
#8  0x0000555555598456 in bash_tilde_expand (s=0x55555571d488
"~nosuchuser", assign_p=0) at general.c:1196
#9  0x00005555555d773c in expand_word_internal (word=0x55555571ffe8,
quoted=0, isexp=0, contains_dollar_at=0x7fffffffe018,
expanded_something=0x7fffffffe014) at subst.c:9963
#10 0x00005555555daccd in shell_expand_word_list
(tlist=0x55555571d4e8, eflags=31) at subst.c:11339
#11 0x00005555555db047 in expand_word_list_internal
(list=0x555555722448, eflags=31) at subst.c:11463
#12 0x00005555555da09f in expand_words (list=0x555555722448) at subst.c:10983
#13 0x00005555555a5692 in execute_simple_command
(simple_command=0x5555557225c8, pipe_in=-1, pipe_out=-1, async=0,
fds_to_close=0x55555571fd88) at execute_cmd.c:4323
#14 0x000055555559ee36 in execute_command_internal
(command=0x555555721288, asynchronous=0, pipe_in=-1, pipe_out=-1,
fds_to_close=0x55555571fd88) at execute_cmd.c:842
#15 0x000055555559e3bf in execute_command (command=0x555555721288) at
execute_cmd.c:394
#16 0x0000555555586e21 in reader_loop () at eval.c:175
#17 0x00005555555846cf in main (argc=1, argv=0x7fffffffe498,
env=0x7fffffffe4a8) at shell.c:805

If I understand this correctly, it died in getpwnam().
The call appears to be valid; it should simply return a null
pointer.  Other tests indicate that getpwnam() works correctly.
(Dereferencing the null pointer could of course cause a seg
fault, but the application doesn't get a chance to do that.)

Repeat-By:
Given that there is no user account called "nosuchuser", either:

    echo ~nosuchuser

or

    bash -c 'echo ~nosuchuser'