From 07fc64f52b3aae2ceb37be30dc6d5de90bae015b Mon Sep 17 00:00:00 2001
From: Johnothan King
Date: Thu, 13 Jan 2022 04:39:45 -0800
Subject: [PATCH] Fix use after free bug in discipline functions (#424)

This fixes one of the ASan failures in the variables.sh regression tests.
Explanation from :

> The problem is caused by this block of code freeing the Namfun_t*
> (via the call to chktfree()):
> https://github.com/ksh93/ksh/blob/307bc3ed/src/cmd/ksh93/sh/nvdisc.c#L570-L577
>> 570 else
>> 571 {
>> 572 struct blocked *bp;
>> 573 action = vp->disc[type];
>> 574 vp->disc[type] = 0;
>> 575 if(!(bp=block_info(np,(struct blocked*)0)) || !isblocked(bp,UNASSIGN))
>> 576 chktfree(np,vp);
>> 577 }
> That invalidates the value stored in vp which is dereferenced here:
> https://github.com/ksh93/ksh/blob/307bc3ed/src/cmd/ksh93/sh/nvdisc.c#L411-L421
>> 419 unblock(bp,type);
>> 420 if(!vp->disc[type])
>> 421 chktfree(np,vp);

ksh2020 commit: https://github.com/att/ast/commit/df1e8165

src/cmd/ksh93/sh/nvdisc.c:
- Block nv_setdisc from freeing the memory associated with the vp pointer.
---
 src/cmd/ksh93/sh/nvdisc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cmd/ksh93/sh/nvdisc.c b/src/cmd/ksh93/sh/nvdisc.c
index d70990b67..fcc0e5f19 100644
--- a/src/cmd/ksh93/sh/nvdisc.c
+++ b/src/cmd/ksh93/sh/nvdisc.c
@@ -409,6 +409,7 @@ static char* lookup(Namval_t *np, int type, Sfdouble_t *dp,Namfun_t *handle)
 nv_setsize(SH_VALNOD,10);
 }
 block(bp,type);
+ block(bp, UNASSIGN); /* make sure nv_setdisc doesn't invalidate 'vp' by freeing it */
 sh_pushcontext(&sh, &checkpoint, 1);
 jmpval = sigsetjmp(checkpoint.buff, 0);
 if(!jmpval)
@@ -416,6 +417,7 @@ static char* lookup(Namval_t *np, int type, Sfdouble_t *dp,Namfun_t *handle)
 sh_popcontext(&sh, &checkpoint);
 if(sh.topfd != checkpoint.topfd)
 sh_iorestore(checkpoint.topfd, jmpval);
+ unblock(bp,UNASSIGN);
 unblock(bp,type);
 if(!vp->disc[type])
 chktfree(np,vp);
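Review bot: In the second hunk, `unblock(bp,UNASSIGN);` clears the UNASSIGN block unconditionally, so if block()/unblock() set and clear a single flag bit rather than maintaining a nesting count (their definitions are outside the hunk), a lookup() that runs while an enclosing caller already holds the UNASSIGN block on the same node would release that caller's block early and reintroduce the freed-`vp` hazard it was relying on. If that is how the macros work, record the prior state next to the new `block(bp, UNASSIGN);` in the first hunk, `int was_unassign_blocked = isblocked(bp,UNASSIGN);`, and make the release conditional, `if(!was_unassign_blocked) unblock(bp,UNASSIGN);`, keeping it ahead of `unblock(bp,type);` as written. The added block line carries a comment but the matching unblock line does not; a short `/* release the UNASSIGN block taken before the discipline ran */` on it makes the pairing visible. lookup()'s body starts and ends outside both hunks, so whether every path between the block and the unblock reaches the release cannot be confirmed from the diff alone.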