Steps to reproduce the segmentation fault:
$ tmux -L bug new-session -d
$ tmux -L bug attach-session
(we are now inside the client)
$ tmux suspend-client
(we are now outside the client)
$ kill -HUP %
[lost server]
$ tmux -L bug attach-session
no sessions
By sending SIGHUP to the suspended client followed by an (implicit)
SIGCONT, we crash the server.
Analysis of the bug:
When a suspended client receives a SIGHUP signal followed by a SIGCONT
signal, the client's signal handler sends the server a MSG_EXITING
message followed by a MSG_WAKEUP message. When the server receives
MSG_EXITING, it closes the client's tty (via tty_close). When the server
then receives MSG_WAKEUP, it attempts to write to the client's closed tty
(via tty_start_tty). This write to a closed tty eventually results in a
segfault.
Backtrace:
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1  0x00007fe9bfd37c82 in evbuffer_add () from /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5
#2  0x00007fe9bfd3a3b0 in bufferevent_write () from /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5
#3  0x0000000000434c33 in tty_puts (tty=0x2123420, s=0x2145be0 "\260[\024\002") at tty.c:403
#4  0x0000000000435274 in tty_puts (s=<optimized out>, tty=<optimized out>) at tty.c:365
#5  tty_putcode (tty=<optimized out>, code=<optimized out>) at tty.c:364
#6  0x0000000000435561 in tty_start_tty (tty=tty@entry=0x2123420) at tty.c:208
#7  0x000000000042a4f9 in server_client_msg_dispatch (c=0x2113300) at server-client.c:892
#8  0x000000000042a6d5 in server_client_callback (fd=-1044207592, events=23520, data=0x4) at server-client.c:236
#9  0x00007fe9bfd31184 in event_base_loop () from /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5
#10 0x000000000042bfda in server_loop () at server.c:207
#11 0x000000000042c657 in server_start (lockfd=lockfd@entry=5, lockfile=<optimized out>) at server.c:198
#12 0x000000000040572a in client_connect (path=0x67fec0 <socket_path> "/tmp/tmux-1000/bug", start_server=1) at client.c:129
#13 0x0000000000405b0c in client_main (argc=argc@entry=0, argv=argv@entry=0x7fffaefa1bf0, flags=flags@entry=65536) at client.c:237
#14 0x0000000000403a80 in main (argc=0, argv=0x7fffaefa1bf0) at tmux.c:388
Possible solution:
When handling a MSG_WAKEUP on the server side, do not write to the
client's tty if the tty has been closed (by an earlier MSG_EXITING
message or otherwise). The below patch takes this approach. With the
patch, I can no longer trigger the segmentation fault.
---
server-client.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/server-client.c b/server-client.c
index e225de3..e952246 100644
--- a/server-client.c
+++ b/server-client.c
@@ -889,6 +889,8 @@ server_client_msg_dispatch(struct client *c)
if (c->session != NULL)
session_update_activity(c->session);
+ if (!(c->tty.flags & TTY_OPENED))
+ break;
tty_start_tty(&c->tty);
server_redraw_client(c);
recalculate_sizes();
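Review bot: the new `if (!(c->tty.flags & TTY_OPENED)) break;` in front of `tty_start_tty(&c->tty);` needs a short comment saying why a MSG_WAKEUP can arrive for a tty that is already closed (the MSG_EXITING from the SIGHUP-then-SIGCONT sequence in the report has run tty_close first); without it the early `break` reads as dead code to the next person in this switch. The same comment should state that skipping `server_redraw_client(c)` and `recalculate_sizes()` is intentional, since a client that has sent MSG_EXITING has nothing left to redraw or resize.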
--
2.1.0.rc0.52.gaa544bf
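The message sequence from the analysis and the check from the patch, as an added example that is not tmux's own code: a constructed miniature of the server's message dispatch with the unpatched and patched MSG_WAKEUP handling side by side. The names struct client, struct tty, TTY_OPENED, MSG_EXITING, MSG_WAKEUP, tty_close and tty_start_tty are borrowed from the report and the patch; their bodies here are stand-ins that report a write through a closed tty as an error return instead of handing a stale buffer to libevent.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed miniature of the server-side state from the report. Added
 * illustration, not tmux's code: names follow the patch, bodies are stand-ins.
 */
#define TTY_OPENED 0x1

enum msgtype { MSG_EXITING, MSG_WAKEUP };

struct tty {
    int  flags;
    char out[32];               /* stands in for the libevent output buffer */
};

struct client {
    struct tty tty;
};

/* Like tty_close(): mark the tty closed and drop its output buffer. */
static void tty_close(struct tty *tty)
{
    tty->flags &= ~TTY_OPENED;
    memset(tty->out, 0, sizeof tty->out);
}

/*
 * Stand-in for tty_start_tty(). The real function queues terminal init codes
 * with bufferevent_write(); here a write through a closed tty is reported as
 * -1 rather than touching state that tty_close has already torn down.
 */
static int tty_start_tty(struct tty *tty)
{
    if (!(tty->flags & TTY_OPENED))
        return -1;
    strcpy(tty->out, "init-sequence");   /* constructed placeholder */
    return 0;
}

/* Unpatched dispatch: MSG_WAKEUP restarts the tty unconditionally. */
static int dispatch_unguarded(struct client *c, enum msgtype type)
{
    switch (type) {
    case MSG_EXITING:
        tty_close(&c->tty);
        return 0;
    case MSG_WAKEUP:
        return tty_start_tty(&c->tty);
    }
    return 0;
}

/* Patched dispatch: the TTY_OPENED check from the patch skips the restart. */
static int dispatch_guarded(struct client *c, enum msgtype type)
{
    switch (type) {
    case MSG_EXITING:
        tty_close(&c->tty);
        return 0;
    case MSG_WAKEUP:
        if (!(c->tty.flags & TTY_OPENED))
            return 0;               /* client already left; nothing to wake */
        return tty_start_tty(&c->tty);
    }
    return 0;
}

/* Feed a message sequence to a dispatcher; count writes through a closed tty. */
static int replay(int (*dispatch)(struct client *, enum msgtype),
                  const enum msgtype *seq, size_t n)
{
    struct client c = { .tty = { .flags = TTY_OPENED } };
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (dispatch(&c, seq[i]) < 0)
            bad++;
    return bad;
}

/* The SIGHUP-then-SIGCONT sequence from the report: exiting, then wake up. */
static const enum msgtype hup_cont_seq[] = { MSG_EXITING, MSG_WAKEUP };
/* An ordinary resume of a still-attached client: the wake up is legitimate. */
static const enum msgtype plain_resume_seq[] = { MSG_WAKEUP };

static int bad_writes_unguarded(void)   { return replay(dispatch_unguarded, hup_cont_seq, 2); }
static int bad_writes_guarded(void)     { return replay(dispatch_guarded, hup_cont_seq, 2); }
static int bad_writes_plain_resume(void){ return replay(dispatch_guarded, plain_resume_seq, 1); }

int main(void)
{
    printf("unguarded, HUP then CONT: %d write(s) to a closed tty\n", bad_writes_unguarded());
    printf("guarded,   HUP then CONT: %d write(s) to a closed tty\n", bad_writes_guarded());
    printf("guarded,   plain resume:  %d write(s) to a closed tty\n", bad_writes_plain_resume());
    return 0;
}
```

The third case is the regression check a reviewer would want alongside the fix: the guard must not turn a legitimate wake-up of an attached client into a no-op, and it does not, because that client's tty still carries TTY_OPENED.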
_______________________________________________
tmux-users mailing list
https://lists.sourceforge.net/lists/listinfo/tmux-users