Fix history expansion buffer overflow (#434)

History expansion currently crashes under ASan due to a buffer overflow. Reproducer: $ set -H $ !!:s/old/new/ Explanation from <https://github.com/att/ast/issues/1369>: > The problem is the code assumes the buffer allocated for a string > stream is zero initialized. But the SFIO code uses malloc() to > allocate the buffer and does not explicitly initialize it with > memset(). That it works at all, even without ASAN enabled, is > purely accidental. It will fail if that malloc() returns a block > that had been previously allocated, used, and freed. Under ASAN > the buffer is initialized (at least on my system) to a sequence > of 0xBE bytes. So the strdup() happily tries to duplicate a > string that is the size of that buffer and fails when it reads > past the end of the buffer looking for the terminating zero byte. src/cmd/ksh93/edit/hexpand.c: - Backport ksh2020 bugfix that avoids assuming the string stream has been initialized to zeros: cf16bcca (minus the incorrect change to the static wm variable).
2025-03-09 15:50:02 +00:00 · 2022-01-20 14:30:02 -08:00 · 2022-01-20 14:30:02 -08:00 · eaf7662daa
commit eaf7662daa
parent 5a1ec3c9ff
3 changed files with 13 additions and 3 deletions
--- a/4
+++ b/4
@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh/tree/1.0

 Any uppercase BUG_* names are modernish shell bug IDs.

+2022-01-20:
+
+- Fixed a potential crash in history expansion due to a buffer overflow.
+
 2022-01-12:

 - Added bash-inspired --histreedit and --histverify options that modify history
--- a/src/cmd/ksh93/edit/hexpand.c
+++ b/src/cmd/ksh93/edit/hexpand.c
@ -2,7 +2,7 @@
 *                                                                      *
 *               This software is part of the ast package               *
 *          Copyright (c) 1982-2011 AT&T Intellectual Property          *
-*          Copyright (c) 2020-2021 Contributors to ksh 93u+m           *
+*          Copyright (c) 2020-2022 Contributors to ksh 93u+m           *
 *                      and is licensed under the                       *
 *                 Eclipse Public License, Version 1.0                  *
 *                    by AT&T Intellectual Property                     *
@ -590,7 +590,13 @@ getsel:
 				{
 					/* preset old with match from !?string? */
 					if(!sb.str[0] && wm)
-						sb.str[0] = sh_strdup(sfsetbuf(wm, (void*)1, 0));
+					{
+						char *sbuf = sfsetbuf(wm, (void*)1, 0);
+						int n = sftell(wm);
+						sb.str[0] = sh_malloc(n + 1);
+						sb.str[0][n] = '\0';
+						memcpy(sb.str[0], sbuf, n);
+					}
 					cp = parse_subst(cp, &sb);
 				}

--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@ -21,7 +21,7 @@

 #define SH_RELEASE_FORK	"93u+m"		/* only change if you develop a new ksh93 fork */
 #define SH_RELEASE_SVER	"1.0.0-beta.2"	/* semantic version number: https://semver.org */
-#define SH_RELEASE_DATE	"2022-01-12"	/* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE	"2022-01-20"	/* must be in this format for $((.sh.version)) */
 #define SH_RELEASE_CPYR	"(c) 2020-2022 Contributors to ksh " SH_RELEASE_FORK

 /* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */