bash crashes often if inputrc contains revert-all-at-newline

Bug #1422795 reported by Sven Mueller on 2015-02-17
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
bash (Debian)
Fix Released
Unknown
bash (Ubuntu)
High
Unassigned
Trusty
High
Unassigned

Bug Description

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747341
The Debian bug includes complete reproduction case. Basically:
with .inputrc containing
set revert-all-at-newline On

Go back in the commandline history, edit a command, then submit a different command (may be empty)
Such as:
$ ls something
$ <UP><CTRL+W><DOWN><ENTER>

Attached diff is confirmed to fix the issue.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: bash 4.3-7ubuntu1.5 [origin: goobuntu-trusty-testing-desktop]
ProcVersionSignature: Ubuntu 3.13.0-44.73-generic 3.13.11-ckt12
Uname: Linux 3.13.0-44-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Tue Feb 17 15:49:30 2015
SourcePackage: bash
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.bash.bashrc: [modified]
mtime.conffile..etc.bash.bashrc: 2015-01-27T03:27:18.751405

[Test Case]

Adapted from the Debian bug report:

1. echo "set revert-all-at-newline on" > bug.inputrc
2. INPUTRC=bug.inputrc bash
3. echo hello
4. ^P^U^N^M [Hold down control and type "punm".]

Bash should die immediately with SIGABRT.

[Regression Potential]

Relatively low.

The change has no effect at all unless _rl_revert_all_lines() is called,
which only happens if revert-all-at-newline is set, and then only when a
newline is typed. So, the potential for regression is essentially zero for
non-interactive shells and for anyone not using revert-all-at-newline (which
is not the default).

Further, this change appeared upstream and in both Debian and Ubuntu over
a year ago, so it's had plenty of public testing.

lib/readline/misc.c:_rl_revert_all_lines() contains a loop which iterates
over history entries, reverting changes to each history entry. This patch
causes entry->data, which points to the per-entry undo list, to be cleared
before reverting edits rather than after. At first glance, this shouldn't
make any difference. However, it prevents rl_do_undo() from replacing the
history entry with one reflecting the change. Otherwise, the entry gets
freed, leaving _rl_revert_all_lines() with an invalid pointer.

_Not_ having an invalid pointer and double-free certainly can't be worse
than the current situation. Since we're avoiding is making the pointer
invalid rather than not doing the free, the chance of a new leak is pretty
much nonexistent.

Sven Mueller (smu-u) wrote :
Sven Mueller (smu-u) wrote :

Note that the odd origin is due to the way we mirror. The package is the (unmodified) 4.3-7ubuntu1.5 package as distributed in Ubuntu.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bash (Ubuntu):
status: New → Confirmed
Sven Mueller (smu-u) on 2015-07-14
tags: added: patch
tags: added: patch-accepted-debian
Margarita Manterola (marga-9) wrote :

This bug is pretty annoying for users that have this setting, and the patch is quite simple (just moving one line of code). Can this please get patched on Trusty?

Jeffrey Hutzelman (jhutz) wrote :

This was reported to the bug-bash mailing list and has been fixed upstream, but there doesn't appear to be a bug tracker.

Jeffrey Hutzelman (jhutz) wrote :

This was fixed in 4.3-8 and so is already fixed in utopic and later. It will require an SRU to fix in trusty. I've attached a debdiff containing the needed change.

description: updated
Changed in bash (Debian):
status: Unknown → Fix Released
Changed in bash (Ubuntu):
importance: Undecided → High
status: Confirmed → Fix Released
affects: gnubash → ubuntu-translations
no longer affects: ubuntu-translations
Jeffrey Hutzelman (jhutz) wrote :

It seems like the ball has been dropped on this, possibly by me. Is there something I need to do to get someone to upload a new version using the debdiff I provided?

Jeffrey Hutzelman (jhutz) wrote :

For those who can't wait, I've built a version with this fix in my PPA.

Sven Mueller (smu-u) wrote :

So what can be done to get a version with this fix into Trusty?

Philipp Kern (pkern) wrote :

https://launchpadlibrarian.net/221500232/bash-readline-revert.debdiff should still be valid to apply to bash as-is on trusty and the problem has been fixed in utopic and up already. Thanks to Laney to accept the bug nomination, which finally caused this bug to enter the sponsoring queue (http://reqorts.qa.ubuntu.com/reports/sponsoring/index.html).

Changed in bash (Ubuntu Trusty):
importance: Undecided → High
Philipp Kern (pkern) on 2016-11-05
Changed in bash (Ubuntu Trusty):
status: New → Confirmed
Changed in bash (Ubuntu Trusty):
status: Confirmed → In Progress

Hello Sven, or anyone else affected,

Accepted bash into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in bash (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Sven Mueller (smu-u) wrote :

I can confirm that 4.3-7ubuntu1.6 fixes the issue.

While the reproduction steps from the Debian bug report (enable revert-all-at-newline, run bash, "echo something"+RETURN, CTRL-P, CTRL-U, CTRL-N, ENTER) reliably crash 4.3-7unbuntu1.5, they don't crash 4.3-7ubuntu1.6

Philipp Kern (pkern) on 2016-11-18
tags: added: verification-done
removed: verification-needed
Julian Andres Klode (juliank) wrote :

Failed to build on arm64:

../.././builtins/../.././builtins/help.def: In function 'help_builtin':
../.././builtins/../.././builtins/help.def:130:7: error: format not a string literal and no format arguments [-Werror=format-security]

tags: added: verification-failed
removed: verification-done
Julian Andres Klode (juliank) wrote :

The build failure on arm64 is tracked in bug 1644048 now. Moving this to in progress again, until we figured out why it fails (or rather why it does not fail on most platforms) and fixed it.

Changed in bash (Ubuntu Trusty):
status: Fix Committed → In Progress
Julian Andres Klode (juliank) wrote :

Turns out it does not build on arm64 because the internal gettext is used because binutils (ld) crashes during the configure test for the static build.

That's tracked in bug 1644363 and this SRU basically has to wait for that to get fixed...

Julian Andres Klode (juliank) wrote :

I just fixed the binutils bug I think, and it's in the queue for trusty. Just Googled for "segfault iterative_hash" and that turned up a patch ... So I think this should build on arm64 again soon.

Julian Andres Klode (juliank) wrote :

Marking as verification-done again, now that we fixed the build failure on arm64.

tags: added: verification-done
removed: verification-failed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-7ubuntu1.6

---------------
bash (4.3-7ubuntu1.6) trusty-proposed; urgency=medium

  * When the readline `revert-all-at-newline' option is set, pressing newline
    when the current line is one retrieved from history results in a double
    free and a segmentation fault. LP: #1422795.

 -- Jeffrey Hutzelman <email address hidden> Fri, 16 Oct 2015 17:21:23 -0400

Changed in bash (Ubuntu Trusty):
status: In Progress → Fix Released

The verification of the Stable Release Update for bash has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.