BASH PATCH REPORT ================= Bash-Release: 4.4 Patch-ID: bash44-004 Bug-Reported-by: Christian Weisgerber Bug-Reference-ID: <20161101160302.GB54856@lorvorc.mips.inka.de> Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00004.html Bug-Description: There is a race condition that can result in bash referencing freed memory when freeing data associated with the last process substitution. Patch (apply with `patch -p0'): *** ../bash-4.4/jobs.c 2016-08-23 16:38:44.000000000 -0400 --- jobs.c 2016-11-02 18:24:45.000000000 -0400 *************** *** 454,457 **** --- 454,472 ---- } + void + discard_last_procsub_child () + { + PROCESS *disposer; + sigset_t set, oset; + + BLOCK_CHILD (set, oset); + disposer = last_procsub_child; + last_procsub_child = (PROCESS *)NULL; + UNBLOCK_CHILD (oset); + + if (disposer) + discard_pipeline (disposer); + } + struct pipeline_saver * alloc_pipeline_saver () *** ../bash-4.4/jobs.h 2016-04-27 10:35:51.000000000 -0400 --- jobs.h 2016-11-02 18:25:08.000000000 -0400 *************** *** 191,194 **** --- 191,195 ---- extern void stop_making_children __P((void)); extern void cleanup_the_pipeline __P((void)); + extern void discard_last_procsub_child __P((void)); extern void save_pipeline __P((int)); extern PROCESS *restore_pipeline __P((int)); *** ../bash-4.4/subst.c 2016-08-30 16:46:38.000000000 -0400 --- subst.c 2016-11-02 18:23:24.000000000 -0400 *************** *** 5809,5816 **** #if defined (JOB_CONTROL) if (last_procsub_child) ! { ! discard_pipeline (last_procsub_child); ! last_procsub_child = (PROCESS *)NULL; ! } last_procsub_child = restore_pipeline (0); #endif --- 5834,5838 ---- #if defined (JOB_CONTROL) if (last_procsub_child) ! discard_last_procsub_child (); last_procsub_child = restore_pipeline (0); #endif *** ../bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 --- patchlevel.h 2016-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 3 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 4 #endif /* _PATCHLEVEL_H_ */