From 1477b5fff7b85433cdf9a580a529a8759547ccee Mon Sep 17 00:00:00 2001 From: Martijn Dekker Date: Tue, 29 Sep 2020 05:21:50 +0200 Subject: [PATCH] Fix possible out-of-bounds write in xec.c:iousepipe (rhbz#1506344) Discussion/analysis: https://bugzilla.redhat.com/1506344 iousepipe() might write out of bounds, causing a crash, if subpipe[2] is set to a value >= sh.gd.lim.open_max. src/cmd/ksh93/sh/xec.c: iousepipe(): - Validate the FD using sh_iovalidfd() before the write. --- src/cmd/ksh93/sh/xec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c index b0fbca6b1..a1aa3259c 100644 --- a/src/cmd/ksh93/sh/xec.c +++ b/src/cmd/ksh93/sh/xec.c @@ -170,6 +170,7 @@ static int iousepipe(Shell_t *shp) return(1); } subpipe[2] = sh_fcntl(fd,F_dupfd_cloexec,10); + sh_iovalidfd(shp,subpipe[2]); shp->fdstatus[subpipe[2]] = shp->fdstatus[1]; while(close(fd)<0 && errno==EINTR) errno = err;
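Review bot: In the added line of the iousepipe() hunk, the result of sh_iovalidfd(shp,subpipe[2]) is discarded and the write to shp->fdstatus[subpipe[2]] on the next line is unconditional, so the call only protects the write if it handles the out-of-range case itself as a side effect. The hunk also shows no check that sh_fcntl(fd,F_dupfd_cloexec,10) succeeded; a negative return would still be used as the array index. Suggest guarding the assignment on both conditions (skip the write when subpipe[2] is negative, and when validation fails if sh_iovalidfd() reports that through a return value), and adding a one-line comment that the call is there to cover subpipe[2] >= sh.gd.lim.open_max, as the commit message explains.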