ksh/ksh-20120801-segfault-strdup.patch

From 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b Mon Sep 17 00:00:00 2001
From: Johnothan King <johnothanking@protonmail.com>
Date: Mon, 6 Jul 2020 13:51:44 -0700
Subject: [PATCH] Fix use of strdup on a NULL pointer (#63)

The following set of commands can rarely cause a memory fault
when auditing[*] is enabled, although most of the time it will
simply cause ksh to write '(null)' to the auditing file in place
of a tty name:

$ [ -e /etc/ksh_audit ] || echo "/tmp/ksh_auditfile;$(id -u)" | sudo tee /etc/ksh_audit;
$ v=$(ksh  2> /dev/null +o rc -ic $'getopts a:bc: opt --man\nprint $?')
$ cat /tmp/ksh_auditfile
1000;1593599493;(null); getopts a:bc: opt --man

This happens because strdup is used unconditionally on the pointer
returned by 'ttyname', which can be NULL if stderr is closed. This
then causes 'hp->tty' to be set to null, as strdup returns NULL.
See https://github.com/att/ast/issues/1028

src/cmd/ksh93/edit/history.c:
- Make strdup duplicate 'notty' instead of NULL to prevent
  crashes.

[*] https://blog.fpmurphy.com/2008/12/ksh93-auditing-and-accounting.html

Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
Upstream-commit: 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b
---
 src/cmd/ksh93/edit/history.c    | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c
index d6737e209ca0..f40f27b4a4d7 100644
--- a/src/cmd/ksh93/edit/history.c
+++ b/src/cmd/ksh93/edit/history.c
@@ -395,7 +395,7 @@ int  sh_histinit(void *sh_context)
 			if(fd>=0)
 			{
 				fcntl(fd,F_SETFD,FD_CLOEXEC);
-				hp->tty = strdup(ttyname(2));
+				hp->tty = strdup(isatty(2)?ttyname(2):"notty");
 				hp->auditfp = sfnew((Sfio_t*)0,NULL,-1,fd,SF_WRITE);
 			}
 		}
Fix segfault in strdup Resolves: RHEL-11982 2023-11-01 12:19:55 +00:00			`From 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b Mon Sep 17 00:00:00 2001`
			`From: Johnothan King <johnothanking@protonmail.com>`
			`Date: Mon, 6 Jul 2020 13:51:44 -0700`
			`Subject: [PATCH] Fix use of strdup on a NULL pointer (#63)`

			`The following set of commands can rarely cause a memory fault`
			`when auditing[*] is enabled, although most of the time it will`
			`simply cause ksh to write '(null)' to the auditing file in place`
			`of a tty name:`

			`$ [ -e /etc/ksh_audit ] \|\| echo "/tmp/ksh_auditfile;$(id -u)" \| sudo tee /etc/ksh_audit;`
			`$ v=$(ksh 2> /dev/null +o rc -ic $'getopts a:bc: opt --man\nprint $?')`
			`$ cat /tmp/ksh_auditfile`
			`1000;1593599493;(null); getopts a:bc: opt --man`

			`This happens because strdup is used unconditionally on the pointer`
			`returned by 'ttyname', which can be NULL if stderr is closed. This`
			`then causes 'hp->tty' to be set to null, as strdup returns NULL.`
			`See https://github.com/att/ast/issues/1028`

			`src/cmd/ksh93/edit/history.c:`
			`- Make strdup duplicate 'notty' instead of NULL to prevent`
			`crashes.`

			`[*] https://blog.fpmurphy.com/2008/12/ksh93-auditing-and-accounting.html`

			`Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>`
			`Upstream-commit: 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b`
			`---`
			`src/cmd/ksh93/edit/history.c \| 2 +-`
			`1 files changed, 1 insertions(+), 1 deletions(-)`

			`diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c`
			`index d6737e209ca0..f40f27b4a4d7 100644`
			`--- a/src/cmd/ksh93/edit/history.c`
			`+++ b/src/cmd/ksh93/edit/history.c`
			`@@ -395,7 +395,7 @@ int sh_histinit(void *sh_context)`
			`if(fd>=0)`
			`{`
			`fcntl(fd,F_SETFD,FD_CLOEXEC);`
			`- hp->tty = strdup(ttyname(2));`
			`+ hp->tty = strdup(isatty(2)?ttyname(2):"notty");`
			`hp->auditfp = sfnew((Sfio_t*)0,NULL,-1,fd,SF_WRITE);`
			`}`
			`}`