Path: csiph.com!xmission!news.glorb.com!usenet.stanford.edu!not-for-mail
From: Chet Ramey <chet.ramey@case.edu>
Newsgroups: gnu.bash.bug
Subject: Re: Bash crash
Date: Wed, 21 Oct 2015 08:50:34 -0400
Lines: 26
Approved: bug-bash@gnu.org
Message-ID: <mailman.727.1445431852.7904.bug-bash@gnu.org>
References: <C2FB93DF99E5FD43B0413EDB326AE2AA2B942E8F@ESGSCMB107.ericsson.se> <56264216.2060606@case.edu> <C2FB93DF99E5FD43B0413EDB326AE2AA2B94421D@ESGSCMB107.ericsson.se>
Reply-To: chet.ramey@case.edu
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Trace: usenet.stanford.edu 1445431852 8894 208.118.235.17 (21 Oct 2015 12:50:52 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: chet.ramey@case.edu
To: Kai Wang X <kai.x.wang@ericsson.com>, "bug-bash@gnu.org" <bug-bash@gnu.org>
Envelope-to: bug-bash@gnu.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
In-Reply-To: <C2FB93DF99E5FD43B0413EDB326AE2AA2B94421D@ESGSCMB107.ericsson.se>
X-Junkmail-Status: score=10/60, host=mpv5.cwru.edu
X-Junkmail-Whitelist: YES (by domain whitelist at mpv1.tis.cwru.edu)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic]
X-Received-From: 129.22.105.36
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:11730

On 10/20/15 10:29 PM, Kai Wang X wrote:
> Hi Chet,
> 
> Thank you for your response.
> 
> But it does not make sense since sbrk failure will be checked:
> 
>   mp = (union mhead *) sbrk (sbrk_amt);
> 
>   /* Totally out of memory. */
>   if ((long)mp == -1)
>     goto morecore_done;

Sure, sbrk failure is checked, but not whether it returns an invalid value.
The segmentation fault occurs when the bash malloc attempts to dereference
the value returned by sbrk.  If the memory access generates a fault, it's
either 0 or out of bounds.  Either way, sbrk returned a bad value without
raising an error.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/