From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290330] /bin/sh crash in freejob
Date: Mon, 17 Nov 2025 18:33:58 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290330

--- Comment #4 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=75a6c38e4d5c651b7398bf2bea5baa41a0939e92

commit 75a6c38e4d5c651b7398bf2bea5baa41a0939e92
Author:     Jilles Tjoelker
AuthorDate: 2025-11-15 16:43:03 +0000
Commit:     Jilles Tjoelker
CommitDate: 2025-11-17 18:32:38 +0000

    sh: Fix a double free in a rare scenario with pipes

    The command
      sh -c 'sleep 3 | sleep 2 & sleep 3 & kill %1; wait %1'
    crashes (with appropriate sanitization such as putting
    MALLOC_CONF=abort:true,junk:true in the environment or compiling with
    -fsanitize=address).

    What happens here is that waitcmdloop() calls dowait() with a NULL job
    pointer, instructing dowait() to freejob() if it's a non-interactive
    shell and $! was not and cannot be referenced for it. However,
    waitcmdloop() then uses fields possibly freed by freejob() and calls
    freejob() again.

    This only occurs if the job being waited for is identified via % syntax
    ($! has never been referenced for it), it is a pipeline with two or more
    elements and another background job has been started before the wait
    command. That seems special enough for a bug to remain. Test scripts
    written by Jilles would almost always use $! and not % syntax.

    We can instead make waitcmdloop() pass its job pointer to dowait(),
    fixing up things for that (waitcmdloop() will have to call deljob() if
    it does not call freejob()).

    The crash from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290330#c2
    appears to be the same bug.

    PR:             290330
    Reported by:    bdrewery
    Reviewed by:    bdrewery
    Differential Revision:  https://reviews.freebsd.org/D53773

 bin/sh/jobs.c                        | 3 ++-
 bin/sh/tests/builtins/Makefile       | 1 +
 bin/sh/tests/builtins/wait11.0 (new) | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
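As an added regression check that is not part of the commit or of the bug report (the contents of the commit's wait11.0 test are not shown here), the script below runs the reproducer from the commit message in a child shell and reports whether that shell survived the `wait %1`, alongside the `$!` control case the message says is unaffected; `SH_UNDER_TEST` is an assumed variable naming the shell to check.

```shell
#!/bin/sh
# Added regression check for PR 290330; this is not the wait11.0 test that
# the commit adds (its contents are not shown in the report). It runs the
# reproducer from the commit message in a child shell and checks that the
# child reaches the end of its command line instead of aborting.
# Assumption: SH_UNDER_TEST names the shell to check (default: sh).
# MALLOC_CONF=abort:true,junk:true makes FreeBSD's allocator abort on the
# double free; other allocators ignore the variable.

SH_UNDER_TEST="${SH_UNDER_TEST:-sh}"

# The exact scenario from the commit message: a two-element pipeline
# referenced only by % syntax, a second background job, then wait %1.
# The marker is printed only if the shell survives the wait builtin,
# so a crash (abort or segfault) shows up as a missing marker.
wait_after_kill_survives() {
    out=$(MALLOC_CONF=abort:true,junk:true "$SH_UNDER_TEST" -c \
        'sleep 3 | sleep 2 & sleep 3 & kill %1; wait %1; echo survived' \
        2>/dev/null)
    [ "$out" = "survived" ]
}

# Control case: the commit message says the double free cannot happen
# once $! has been referenced for the job, so waiting via $! must pass
# on both fixed and unfixed shells.
wait_via_dollar_bang_survives() {
    out=$(MALLOC_CONF=abort:true,junk:true "$SH_UNDER_TEST" -c \
        'sleep 3 | sleep 2 & p=$!; sleep 3 & kill %1; wait "$p"; echo survived' \
        2>/dev/null)
    [ "$out" = "survived" ]
}

if wait_after_kill_survives; then
    echo "PASS: $SH_UNDER_TEST survives 'wait %1' after 'kill %1' on a pipeline"
else
    echo "FAIL: $SH_UNDER_TEST crashed in the PR 290330 scenario"
fi
if wait_via_dollar_bang_survives; then
    echo "PASS: control case (wait via \$!) survives"
else
    echo "FAIL: control case crashed; something other than PR 290330 is wrong"
fi
```

Each check takes about three seconds because the orphaned `sleep 3` keeps the captured stdout open until it exits.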