external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

Fix use after free bug in discipline functions (#424)

Browse source 
This fixes one of the ASan failures in the variables.sh regression
tests. Explanation from <https://github.com/att/ast/issues/1268>:

> The problem is caused by this block of code freeing the Namfun_t*
> (via the call to chktfree()):
> 307bc3ed/src/cmd/ksh93/sh/nvdisc.c (L570-L577)
>> 570  else
>> 571  {
>> 572          struct blocked *bp;
>> 573          action = vp->disc[type];
>> 574          vp->disc[type] = 0;
>> 575          if(!(bp=block_info(np,(struct blocked*)0)) || !isblocked(bp,UNASSIGN))
>> 576                  chktfree(np,vp);
>> 577  }
> That invalidates the value stored in vp which is dereferenced here:
> 307bc3ed/src/cmd/ksh93/sh/nvdisc.c (L411-L421)
>> 419          unblock(bp,type);
>> 420          if(!vp->disc[type])
>> 421                  chktfree(np,vp);

ksh2020 commit:
df1e8165

src/cmd/ksh93/sh/nvdisc.c:
- Block nv_setdisc from freeing the memory associated with the vp pointer.
This commit is contained in:
Johnothan King 2022-01-13 04:39:45 -08:00 committed by Martijn Dekker
parent 307bc3edce
commit 07fc64f52b
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/cmd/ksh93/sh/nvdisc.c
View file

@ -409,6 +409,7 @@ static char* lookup(Namval_t *np, int type, Sfdouble_t *dp,Namfun_t *handle)
nv_setsize(SH_VALNOD,10);
}
block(bp,type);
block(bp, UNASSIGN); /* make sure nv_setdisc doesn't invalidate 'vp' by freeing it */
sh_pushcontext(&sh, &checkpoint, 1);
jmpval = sigsetjmp(checkpoint.buff, 0);
if(!jmpval)
@ -416,6 +417,7 @@ static char* lookup(Namval_t *np, int type, Sfdouble_t *dp,Namfun_t *handle)
sh_popcontext(&sh, &checkpoint);
if(sh.topfd != checkpoint.topfd)
sh_iorestore(checkpoint.topfd, jmpval);
unblock(bp,UNASSIGN);
unblock(bp,type);
if(!vp->disc[type])
chktfree(np,vp);