Fix segfault in strdup

Resolves: RHEL-25019
2024-02-10 10:21:09 +01:00 · 2024-02-10 10:21:09 +01:00 · 272c0b77b5
commit 272c0b77b5
parent 8b51f18f60
2 changed files with 66 additions and 1 deletions
--- a/ksh-1.0.7-segfault-strdup.patch
+++ b/ksh-1.0.7-segfault-strdup.patch
@ -0,0 +1,58 @@
+From 9eb8532ccacf1cfdb7ba18f51eba68776852ef7c Mon Sep 17 00:00:00 2001
+From: Vincent Mihalkovic <vmihalko@redhat.com>
+Date: Thu, 8 Feb 2024 22:10:58 +0100
+Subject: [PATCH] Re-fix use of strdup on a NULL pointer (re: 9a9da2c2) (#718)
+
+Thank you @lzaoral for debugging this issue and creating this
+reproducer:
+
+$ tty   # check that the shell is connected to a pseudoterminal
+/dev/pts/4
+$ mkdir /var/tmp/chroottest
+$ dnf --releasever=39 --installroot=/var/tmp/chroottest install ksh
+$ echo "/dev/udp/127.0.0.1/514;0;104" |
+        sudo tee /var/tmp/chroottest/etc/ksh_audit
+$ sudo chroot /var/tmp/chroottest /bin/ksh -lic 'exit 0'
+(ksh segfaults)
+
+Analysis: On Linux, ttyname(3)[*] may fail if:
+
+* EBADF  Bad file descriptor.
+* ENODEV fd refers to a slave pseudoterminal device but the
+         corresponding pathname could not be found [...].
+* ENOTTY fd does not refer to a terminal device.
+
+Calling isatty(3) before ttyname(3) only prevents the first and
+third cases.
+
+src/cmd/ksh93/edit/history.c: sh_histinit():
+- To catch the second case, let's call ttyname(2) directly, check
+  for NULL and remove the redundant isatty() call.
+
+[*] https://man7.org/linux/man-pages/man3/ttyname.3.html
+---
+ src/cmd/ksh93/edit/history.c    | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c
+index a7b084e5c16f..25832a59265b 100644
+--- a/src/cmd/ksh93/edit/history.c
+++ b/src/cmd/ksh93/edit/history.c
+@@ -15,6 +15,7 @@
+ *            Johnothan King <johnothanking@protonmail.com>             *
+ *         hyenias <58673227+hyenias@users.noreply.github.com>          *
+ *                Govind Kamat <govind_kamat@yahoo.com>                 *
+*               Vincent Mihalkovic <vmihalko@redhat.com>               *
+ *                                                                      *
+ ***********************************************************************/
+ /*
+@@ -353,7 +354,8 @@ int  sh_histinit(void)
+ 			if(fd>=0)
+ 			{
+ 				fcntl(fd,F_SETFD,FD_CLOEXEC);
+-				hp->tty = sh_strdup(isatty(2)?ttyname(2):"notty");
+				const char* tty = ttyname(2);
+				hp->tty = sh_strdup(tty?tty:"notty");
+ 				hp->auditfp = sfnew(NULL,NULL,-1,fd,SF_WRITE);
+ 			}
+ 		}
--- a/ksh.spec
+++ b/ksh.spec
@ -4,7 +4,7 @@ URL:          http://www.kornshell.com/
 License:      EPL-1.0
 Epoch:        3
 Version:      1.0.6
-Release:      2%{?dist}
+Release:      3%{?dist}
 Source0:      https://github.com/ksh93/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:      kshcomp.conf
 Source2:      kshrc.rhs
@ -23,6 +23,9 @@ Patch2:       %{name}-1.0.6-alarm-2.patch
 #https://github.com/ksh93/ksh/commit/2075b2b96208ac8b989ca316dcdd674c3f488e2b
 Patch3:       %{name}-1.0.7-history-trim.patch

+#upstream commit: https://github.com/ksh93/ksh/commit/9eb8532ccacf1cfdb7ba18f51eba68776852ef7c.patch
+Patch4: ksh-1.0.7-segfault-strdup.patch
+
 Conflicts:    pdksh
 Requires: coreutils, diffutils
 BuildRequires: gcc
@ -144,6 +147,10 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf

 %changelog
+* Sat Feb 10 2024 Vincent Mihalkovic <vmihalko@redhat.com> - 3:1.0.6-3
+- Fix segfault in strdup
+  Resolves: RHEL-25019
+
 * Wed Jan 03 2024 Vincent Mihalkovic <vmihalko@redhat.com> - 3:1.0.6-2
 - Fix crash on failure to trim ~/.sh_history (#20345)