https://bugzilla.novell.com/show_bug.cgi?id=763591
https://bugzilla.novell.com/show_bug.cgi?id=763591#c0

           Summary: Bash Crash (double free or corruption) Expanding Number Sequence
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: scotty.mcmillan+novell@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1128.0 Safari/536.11 SUSE/20.0.1128.0

Entering the following into the bash prompt crashes bash on my openSUSE 12.1 systems:

  echo {9223372036854775805..9223372036854775807}

What actually matters for reproducing the crash is that the second number of the two has the value (2^63)-1. If either value is higher than this, no expansion is performed (presumably because it's using signed 64-bit integers in the implementation).

I notice that in older versions (e.g., on an openSUSE 11.1 system, and a CentOS 5.4 system) the output of the above is -3, -2, -1, which is also incorrect.

The following is example output:

^C*** glibc detected *** /bin/bash: double free or corruption (!prev): 0x000000000070b310 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x766d6)[0x7ff1105546d6]
/bin/bash(reset_parser+0x47)[0x41e2c7]
/bin/bash(throw_to_top_level+0x84)[0x44fd24]
/bin/bash(brace_expand+0x807)[0x455b17]
/bin/bash[0x44a6ca]
/bin/bash(execute_command_internal+0x42f)[0x42d2bf]
/bin/bash(execute_command+0x49)[0x430cb9]
/bin/bash(reader_loop+0xcd)[0x41d22d]
/bin/bash(main+0xbc3)[0x41bae3]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7ff1104ff23d]
/bin/bash[0x41c731]
======= Memory map: ========
00400000-0049a000 r-xp 00000000 08:02 2509616 /bin/bash
00699000-0069a000 r--p 00099000 08:02 2509616 /bin/bash
0069a000-0069e000 rw-p 0009a000 08:02 2509616 /bin/bash
0069e000-108faa000 rw-p 00000000 00:00 0 [heap]
7ff1102c8000-7ff1102dd000 r-xp 00000000 08:02 655563 /lib64/libgcc_s.so.1
7ff1102dd000-7ff1104dc000 ---p 00015000 08:02 655563 /lib64/libgcc_s.so.1
7ff1104dc000-7ff1104dd000 r--p 00014000 08:02 655563 /lib64/libgcc_s.so.1
7ff1104dd000-7ff1104de000 rw-p 00015000 08:02 655563 /lib64/libgcc_s.so.1
7ff1104de000-7ff110665000 r-xp 00000000 08:02 655670 /lib64/libc-2.14.1.so
7ff110665000-7ff110864000 ---p 00187000 08:02 655670 /lib64/libc-2.14.1.so
7ff110864000-7ff110868000 r--p 00186000 08:02 655670 /lib64/libc-2.14.1.so
7ff110868000-7ff110869000 rw-p 0018a000 08:02 655670 /lib64/libc-2.14.1.so
7ff110869000-7ff11086e000 rw-p 00000000 00:00 0
7ff11086e000-7ff110870000 r-xp 00000000 08:02 655666 /lib64/libdl-2.14.1.so
7ff110870000-7ff110a70000 ---p 00002000 08:02 655666 /lib64/libdl-2.14.1.so
7ff110a70000-7ff110a71000 r--p 00002000 08:02 655666 /lib64/libdl-2.14.1.so
7ff110a71000-7ff110a72000 rw-p 00003000 08:02 655666 /lib64/libdl-2.14.1.so
7ff110a72000-7ff110abd000 r-xp 00000000 08:02 655387 /lib64/libncurses.so.5.8
7ff110abd000-7ff110cbc000 ---p 0004b000 08:02 655387 /lib64/libncurses.so.5.8
7ff110cbc000-7ff110cc0000 r--p 0004a000 08:02 655387 /lib64/libncurses.so.5.8
7ff110cc0000-7ff110cc6000 rw-p 0004e000 08:02 655387 /lib64/libncurses.so.5.8
7ff110cc6000-7ff110d04000 r-xp 00000000 08:02 655589 /lib64/libreadline.so.6.2
7ff110d04000-7ff110f03000 ---p 0003e000 08:02 655589 /lib64/libreadline.so.6.2
7ff110f03000-7ff110f05000 r--p 0003d000 08:02 655589 /lib64/libreadline.so.6.2
7ff110f05000-7ff110f0b000 rw-p 0003f000 08:02 655589 /lib64/libreadline.so.6.2
7ff110f0b000-7ff110f0d000 rw-p 00000000 00:00 0
7ff110f0d000-7ff110f2d000 r-xp 00000000 08:02 690812 /lib64/ld-2.14.1.so
7ff110f7e000-7ff110f81000 rw-p 00000000 00:00 0
7ff110f81000-7ff110fc0000 r--p 00000000 08:02 2496095 /usr/lib/locale/en_US.utf8/LC_CTYPE
7ff110fc0000-7ff1110f0000 r--p 00000000 08:02 2496096 /usr/lib/locale/en_US.utf8/LC_COLLATE
7ff1110f0000-7ff1110f4000 rw-p 00000000 00:00 0
7ff11111b000-7ff11111c000 r--p 00000000 08:02 2496073 /usr/lib/locale/en_US.utf8/LC_NUMERIC
7ff11111c000-7ff11111d000 r--p 00000000 08:02 2624016 /usr/lib/locale/en_US.utf8/LC_TIME
7ff11111d000-7ff11111e000 r--p 00000000 08:02 2624015 /usr/lib/locale/en_US.utf8/LC_MONETARY
7ff11111e000-7ff11111f000 r--p 00000000 08:02 2636444 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
7ff11111f000-7ff111120000 r--p 00000000 08:02 2636451 /usr/lib/locale/en_US.utf8/LC_PAPER
7ff111120000-7ff111121000 r--p 00000000 08:02 2622011 /usr/lib/locale/en_US.utf8/LC_NAME
7ff111121000-7ff111122000 r--p 00000000 08:02 2623784 /usr/lib/locale/en_US.utf8/LC_ADDRESS
7ff111122000-7ff111123000 r--p 00000000 08:02 2622047 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
7ff111123000-7ff111124000 r--p 00000000 08:02 2636452 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
7ff111124000-7ff11112b000 r--s 00000000 08:02 568092 /usr/lib64/gconv/gconv-modules.cache
7ff11112b000-7ff11112c000 r--p 00000000 08:02 2624014 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7ff11112c000-7ff11112d000 rw-p 00000000 00:00 0
7ff11112d000-7ff11112e000 r--p 00020000 08:02 690812 /lib64/ld-2.14.1.so
7ff11112e000-7ff11112f000 rw-p 00021000 08:02 690812 /lib64/ld-2.14.1.so
7ff11112f000-7ff111130000 rw-p 00000000 00:00 0
7fff780ea000-7fff7810b000 rw-p 00000000 00:00 0 [stack]
7fff78181000-7fff78182000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Warning: Program '/bin/bash' crashed.

Reproducible: Always

Steps to Reproduce:
1. Enter the following command into a bash prompt: echo {9223372036854775805..9223372036854775807}
2. Wait for it to crash. Maybe you will have to enter control-c. The result won't be good, in any case.
3. Profit.

Actual Results:
Crashing, usually with a stack trace printed as given in the description. Sometimes it just hangs.

Expected Results:
Output: 9223372036854775805 9223372036854775806 9223372036854775807

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
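The reporter's observation that the crash hinges on the upper bound being (2^63)-1, i.e. INT64_MAX, points at a classic failure mode in sequence generators: a loop of the form `for (i = lo; i <= hi; i++)` has to increment past hi once to terminate, which is signed overflow when hi is the largest representable value, and an element count computed as `(hi - lo) + 1` in signed arithmetic can wrap the same way, so memory sized from it is smaller than what the loop writes. The C program below is an added example and is not bash's own code (the names `seq_count`, `seq_at` and `seq_expand` are mine, and the `max_elems` limit is an assumed safety cap); it shows how to count and generate an inclusive signed 64-bit range without any overflow, so that the report's input produces the expected three words, a descending range still works, and a range that cannot be represented is refused instead of corrupting the heap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not bash's own code: an overflow-safe implementation of the
 * integer form of brace expansion, {lo..hi}, for signed 64-bit bounds.
 * The defence is to count in unsigned arithmetic with explicit checks and
 * then iterate by index, so no counter ever has to step past hi. */

/* Number of elements of the inclusive range [lo, hi].
 * Returns 0 and sets *count on success, -1 if the count is not representable. */
int seq_count(int64_t lo, int64_t hi, uint64_t *count)
{
    if (lo > hi) { *count = 0; return 0; }
    /* Unsigned subtraction is modular and exact here: for lo <= hi the true
     * difference hi - lo lies in [0, 2^64 - 1], which uint64_t holds. */
    uint64_t span = (uint64_t)hi - (uint64_t)lo;
    if (span == UINT64_MAX)   /* only for lo == INT64_MIN, hi == INT64_MAX */
        return -1;            /* span + 1 would wrap to 0 */
    *count = span + 1;
    return 0;
}

/* Element k (0-based) of [lo, hi], valid for 0 <= k < seq_count(lo, hi).
 * Every intermediate value stays in range, so nothing overflows. */
int64_t seq_at(int64_t lo, uint64_t k)
{
    if (k <= (uint64_t)INT64_MAX)
        return lo + (int64_t)k;               /* lo + k <= hi <= INT64_MAX */
    /* k > INT64_MAX is only reachable with lo < 0 and lo + k >= 0:
     * fold the negative part into the unsigned side before converting. */
    return (int64_t)(k - (uint64_t)(-(lo + 1)) - 1);
}

/* Render {lo..hi} as the space-separated word list `echo` would print,
 * ascending or descending like bash. max_elems (assumed cap) bounds the
 * work and memory. Returns a malloc'd string the caller frees, or NULL if
 * the range is empty, cannot be counted, or exceeds max_elems. */
char *seq_expand(int64_t lo, int64_t hi, uint64_t max_elems)
{
    int desc = lo > hi;
    int64_t a = desc ? hi : lo, b = desc ? lo : hi;
    uint64_t n;
    if (seq_count(a, b, &n) != 0 || n == 0 || n > max_elems || n > SIZE_MAX / 21 - 1)
        return NULL;
    /* Worst case per element: '-' plus 19 digits plus a separator = 21 bytes. */
    char *buf = malloc((size_t)n * 21 + 1);
    if (buf == NULL) return NULL;
    size_t pos = 0;
    for (uint64_t i = 0; i < n; i++) {
        uint64_t k = desc ? n - 1 - i : i;   /* walk the index, never the value */
        pos += (size_t)sprintf(buf + pos, "%s%" PRId64, i ? " " : "", seq_at(a, k));
    }
    return buf;
}

int main(void)
{
    /* The report's input: the upper bound is (2^63)-1 == INT64_MAX. */
    char *s = seq_expand(INT64_C(9223372036854775805), INT64_MAX, 1000);
    printf("%s\n", s ? s : "(refused)");
    free(s);
    /* A range spanning the whole int64_t domain cannot even be counted. */
    uint64_t n;
    printf("full range countable: %s\n",
           seq_count(INT64_MIN, INT64_MAX, &n) == 0 ? "yes" : "no");
    return 0;
}
```

Running it prints the three values the report lists under Expected Results followed by `full range countable: no`. The point of `seq_at` taking an index rather than the loop carrying the value itself is that the termination test compares k against a count that was validated up front; a `-fsanitize=undefined` build is a cheap way to confirm that no signed overflow occurs on either the report's input or the extreme `INT64_MIN + 1 .. INT64_MAX` range.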