From 527d78f809b2eefaebc8d40b3b5f02c4d3914e30 Mon Sep 17 00:00:00 2001 From: Vincent Mihalkovic Date: Fri, 9 Feb 2024 22:51:48 +0100 Subject: [PATCH] Re-fix segfault in strdup Resolves: RHEL-11982 --- ksh-20120801-segfault-strdup.patch | 62 +++++++++++++++++------------- ksh.spec | 8 +++- 2 files changed, 41 insertions(+), 29 deletions(-) diff --git a/ksh-20120801-segfault-strdup.patch b/ksh-20120801-segfault-strdup.patch index 292de86..3fce75f 100644 --- a/ksh-20120801-segfault-strdup.patch +++ b/ksh-20120801-segfault-strdup.patch 
@@ -1,45 +1,53 @@ -From 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b Mon Sep 17 00:00:00 2001 -From: Johnothan King -Date: Mon, 6 Jul 2020 13:51:44 -0700 -Subject: [PATCH] Fix use of strdup on a NULL pointer (#63) +From 9eb8532ccacf1cfdb7ba18f51eba68776852ef7c Mon Sep 17 00:00:00 2001 +From: Vincent Mihalkovic +Date: Thu, 8 Feb 2024 22:10:58 +0100 +Subject: [PATCH] Re-fix use of strdup on a NULL pointer (re: 9a9da2c2) (#718) -The following set of commands can rarely cause a memory fault -when auditing[*] is enabled, although most of the time it will -simply cause ksh to write '(null)' to the auditing file in place -of a tty name: +Thank you @lzaoral for debugging this issue and creating this +reproducer: -$ [ -e /etc/ksh_audit ] || echo "/tmp/ksh_auditfile;$(id -u)" | sudo tee /etc/ksh_audit; -$ v=$(ksh 2> /dev/null +o rc -ic $'getopts a:bc: opt --man\nprint $?') -$ cat /tmp/ksh_auditfile -1000;1593599493;(null); getopts a:bc: opt --man +$ tty # check that the shell is connected to a pseudoterminal +/dev/pts/4 +$ mkdir /var/tmp/chroottest +$ dnf --releasever=39 --installroot=/var/tmp/chroottest install ksh +$ echo "/dev/udp/127.0.0.1/514;0;104" | + sudo tee /var/tmp/chroottest/etc/ksh_audit +$ sudo chroot /var/tmp/chroottest /bin/ksh -lic 'exit 0' +(ksh segfaults) -This happens because strdup is used unconditionally on the pointer -returned by 'ttyname', which can be NULL if stderr is closed. This -then causes 'hp->tty' to be set to null, as strdup returns NULL. -See https://github.com/att/ast/issues/1028 +Analysis: On Linux, ttyname(3)[*] may fail if: -src/cmd/ksh93/edit/history.c: -- Make strdup duplicate 'notty' instead of NULL to prevent - crashes. +* EBADF Bad file descriptor. +* ENODEV fd refers to a slave pseudoterminal device but the + corresponding pathname could not be found [...]. +* ENOTTY fd does not refer to a terminal device. 
-[*] https://blog.fpmurphy.com/2008/12/ksh93-auditing-and-accounting.html +Calling isatty(3) before ttyname(3) only prevents the first and +third cases. -Cherry-picked-by: Lukáš Zaoral -Upstream-commit: 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b +src/cmd/ksh93/edit/history.c: sh_histinit(): +- To catch the second case, let's call ttyname(2) directly, check + for NULL and remove the redundant isatty() call. + +[*] https://man7.org/linux/man-pages/man3/ttyname.3.html --- - src/cmd/ksh93/edit/history.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + src/cmd/ksh93/edit/history.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c -index d6737e209ca0..f40f27b4a4d7 100644 +index de5e4a8..222d4bc 100644 --- a/src/cmd/ksh93/edit/history.c +++ b/src/cmd/ksh93/edit/history.c -@@ -395,7 +395,7 @@ int sh_histinit(void *sh_context) +@@ -395,7 +395,8 @@ retry: if(fd>=0) { fcntl(fd,F_SETFD,FD_CLOEXEC); - hp->tty = strdup(ttyname(2)); -+ hp->tty = strdup(isatty(2)?ttyname(2):"notty"); ++ const char* tty = ttyname(2); ++ hp->tty = strdup(tty?tty:"notty"); hp->auditfp = sfnew((Sfio_t*)0,NULL,-1,fd,SF_WRITE); } } +-- +2.43.0 + diff --git a/ksh.spec b/ksh.spec index ed00ebb..893fa05 100644 --- a/ksh.spec +++ b/ksh.spec @@ -6,7 +6,7 @@ Summary: The Original ATT Korn Shell URL: http://www.kornshell.com/ License: EPL-1.0 Version: %{releasedate} -Release: 266%{?dist} +Release: 267%{?dist} Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz Source2: kshcomp.conf 
@@ -238,7 +238,7 @@ Patch94: ksh-20120801-segfault-long-command.patch Patch95: ksh-20120801-set+r-fix.patch # RHEL-11982 -# upstream commit: https://github.com/ksh93/ksh/commit/9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b.patch +# upstream commit: https://github.com/ksh93/ksh/commit/9eb8532ccacf1cfdb7ba18f51eba68776852ef7c.patch Patch96: ksh-20120801-segfault-strdup.patch # RHEL-12011 @@ -411,6 +411,10 @@ fi %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf %changelog +* Fri Feb 09 2024 Vincent Mihalkovic - 20120801-267 +- Re-fix segfault in strdup + Resolves: RHEL-11982 + * Thu Jan 25 2024 Lukáš Zaoral - 20120801-266 - fix crashes when interrupting subshells (RHEL-11650)
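Review bot: in the replacement line `++ hp->tty = strdup(tty?tty:"notty");` of the ksh-20120801-segfault-strdup.patch hunk, the return value of strdup() itself is still not checked, so an allocation failure would leave hp->tty NULL again; since the commit message frames this as a re-fix of a NULL hp->tty, consider either checking the strdup() result before the field is used or noting in the message why allocation failure is not a concern in this code path. Two smaller points on the same hunk: `++ const char* tty = ttyname(2);` introduces a declaration after the preceding `fcntl(fd,F_SETFD,FD_CLOEXEC);` statement, which needs C99 mixed declarations, whereas the surrounding history.c block declares at the top; moving the declaration up keeps the file's style consistent. And the new patch body drops the `Cherry-picked-by:` and `Upstream-commit:` trailers that the previous version of the file carried, leaving only the URL comment in ksh.spec as provenance; re-adding an `Upstream-commit: 9eb8532ccacf1cfdb7ba18f51eba68776852ef7c` trailer would keep the patch file self-describing.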