bug-bash

[BUG] Bash does not properly check for return value of tiocgpgrp() or io


From: Alexey Smirnov
Subject: [BUG] Bash does not properly check for return value of tiocgpgrp() or ioctl(TIOCGPGRP)
Date: Tue, 18 Jan 2011 20:02:44 +0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7



Machine: i486
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i486' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i486-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I../bash -I../bash/include -I../bash/lib   -g -O2 -Wall
uname output: Linux drone 2.6.32-27-generic #49-Ubuntu SMP Wed Dec 1 23:52:12 UTC 2010 i686 GNU/Linux
Machine Type: i486-pc-linux-gnu

Bash Version: 4.1
Patch Level: 5
Release Status: release

Sample program that demonstrates this:


-----------8<----------------
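#!/usr/bin/python

import sys
import fcntl
import termios
import struct
import os

# Parent exits; the child continues so that setsid() can succeed.
if os.fork() > 0: sys.exit(1)

# New session: the process now has no controlling terminal.
os.setsid()
qwe = os.open('/dev/ptmx', os.O_RDWR)
# Ask for the foreground process group of the pty master and print it.
print(struct.unpack_from('<I', fcntl.ioctl(qwe, termios.TIOCGPGRP, 'qwer'))[0])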
-----------8<----------------

This will print 0.

BASH will issue this ioctl and receive zero. After that, it does not check whether
this value is zero. Then it will use this value for kill(), for example. PID=0
means all processes in the current process group, so BASH will eventually kill itself.


getpid()                                = 31361
getppid()                               = 31305
gettimeofday({1295373161, 716872}, NULL) = 0
getpgrp()                               = 31287
ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf967c88) = -1 ENOTTY (Inappropriate ioctl for device)
open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 8
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
fcntl64(255, F_GETFD)                   = -1 EBADF (Bad file descriptor)
dup2(8, 255)                            = 255
close(8)                                = 0
ioctl(255, TIOCGPGRP, [0])              = 0
rt_sigaction(SIGTTIN, {SIG_DFL, [], 0}, {SIG_IGN, [], 0}, 8) = 0
kill(0, SIGTTIN)                        = 0
--- SIGTTIN (Stopped (tty input)) @ 0 (0) ---
rt_sigaction(SIGTTIN, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
ioctl(255, TIOCGPGRP, [0])              = 0
rt_sigaction(SIGTTIN, {SIG_DFL, [], 0}, {SIG_IGN, [], 0}, 8) = 0
kill(0, SIGTTIN)                        = 0
--- SIGTTIN (Stopped (tty input)) @ 0 (0) ---
rt_sigaction(SIGTTIN, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
ioctl(255, TIOCGPGRP, [0])              = 0
rt_sigaction(SIGTTIN, {SIG_DFL, [], 0}, {SIG_IGN, [], 0}, 8) = 0
kill(0, SIGTTIN)                        = 0
--- SIGTTIN (Stopped (tty input)) @ 0 (0) ---
....
until I manually kill it with kill -KILL.
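
A defensive check for the condition shown in the trace above, as an added example that is not part of the original message and is not Bash's code: it treats a successful TIOCGPGRP that reports 0 as its own case, separate from failure and from a mismatch, and refuses to hand special ids to kill(). The names `tty_pgrp_status`, `classify_tty_pgrp`, `query_tty_pgrp` and `kill_pgrp_checked` are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum tty_pgrp_status {
    TTY_PGRP_OURS,   /* terminal's foreground group is our own group */
    TTY_PGRP_OTHER,  /* a real, different group holds the terminal */
    TTY_PGRP_NONE,   /* call succeeded but reported 0: no foreground group */
    TTY_PGRP_ERROR   /* the call failed or reported a negative value */
};

/* Classify a value already read from the terminal. */
enum tty_pgrp_status classify_tty_pgrp(pid_t reported, pid_t own_pgrp)
{
    if (reported < 0)
        return TTY_PGRP_ERROR;
    if (reported == 0)          /* the case in the trace: ioctl = 0, value [0] */
        return TTY_PGRP_NONE;
    return reported == own_pgrp ? TTY_PGRP_OURS : TTY_PGRP_OTHER;
}

/* Read the foreground process group of fd and classify it. */
enum tty_pgrp_status query_tty_pgrp(int fd, pid_t own_pgrp, pid_t *out)
{
    pid_t reported = 0;

    if (ioctl(fd, TIOCGPGRP, &reported) == -1)
        return TTY_PGRP_ERROR;
    if (out != NULL)
        *out = reported;
    return classify_tty_pgrp(reported, own_pgrp);
}

/* Signal a process group, refusing ids that kill() treats specially:
   0 would mean our own process group, and 1 would become kill(-1, sig),
   which signals every process the caller is allowed to signal. */
int kill_pgrp_checked(pid_t pgrp, int sig)
{
    if (pgrp <= 1) {
        errno = EINVAL;
        return -1;
    }
    return kill(-pgrp, sig);
}
```

A caller that gets `TTY_PGRP_NONE` can stop retrying and continue without job control instead of looping on SIGTTIN.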



