rpms/ksh
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Re-fix segfault in strdup

Browse Source 
Resolves: RHEL-11982
This commit is contained in:
Vincent Mihalkovic 2024-02-09 22:51:48 +01:00
parent 916efa1a46
commit 527d78f809
2 changed files with 41 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
ksh-20120801-segfault-strdup.patch
View File

@ -1,45 +1,53 @@
From 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b Mon Sep 17 00:00:00 2001 From 9eb8532ccacf1cfdb7ba18f51eba68776852ef7c Mon Sep 17 00:00:00 2001
From: Johnothan King <johnothanking@protonmail.com> From: Vincent Mihalkovic <vmihalko@redhat.com>
Date: Mon, 6 Jul 2020 13:51:44 -0700 Date: Thu, 8 Feb 2024 22:10:58 +0100
Subject: [PATCH] Fix use of strdup on a NULL pointer (#63) Subject: [PATCH] Re-fix use of strdup on a NULL pointer (re: 9a9da2c2) (#718)
The following set of commands can rarely cause a memory fault Thank you @lzaoral for debugging this issue and creating this
when auditing[*] is enabled, although most of the time it will reproducer:
simply cause ksh to write '(null)' to the auditing file in place
of a tty name:
$ [ -e /etc/ksh_audit ] || echo "/tmp/ksh_auditfile;$(id -u)" | sudo tee /etc/ksh_audit; $ tty # check that the shell is connected to a pseudoterminal
$ v=$(ksh 2> /dev/null +o rc -ic $'getopts a:bc: opt --man\nprint $?') /dev/pts/4
$ cat /tmp/ksh_auditfile $ mkdir /var/tmp/chroottest
1000;1593599493;(null); getopts a:bc: opt --man $ dnf --releasever=39 --installroot=/var/tmp/chroottest install ksh
$ echo "/dev/udp/127.0.0.1/514;0;104" |
sudo tee /var/tmp/chroottest/etc/ksh_audit
$ sudo chroot /var/tmp/chroottest /bin/ksh -lic 'exit 0'
(ksh segfaults)
This happens because strdup is used unconditionally on the pointer Analysis: On Linux, ttyname(3)[*] may fail if:
returned by 'ttyname', which can be NULL if stderr is closed. This
then causes 'hp->tty' to be set to null, as strdup returns NULL.
See https://github.com/att/ast/issues/1028
src/cmd/ksh93/edit/history.c: * EBADF Bad file descriptor.
- Make strdup duplicate 'notty' instead of NULL to prevent * ENODEV fd refers to a slave pseudoterminal device but the
crashes. corresponding pathname could not be found [...].
* ENOTTY fd does not refer to a terminal device.
[*] https://blog.fpmurphy.com/2008/12/ksh93-auditing-and-accounting.html Calling isatty(3) before ttyname(3) only prevents the first and
third cases.
Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com> src/cmd/ksh93/edit/history.c: sh_histinit():
Upstream-commit: 9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b - To catch the second case, let's call ttyname(2) directly, check
for NULL and remove the redundant isatty() call.
[*] https://man7.org/linux/man-pages/man3/ttyname.3.html
--- ---
src/cmd/ksh93/edit/history.c | 2 +- src/cmd/ksh93/edit/history.c | 3 ++-
1 files changed, 1 insertions(+), 1 deletions(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c diff --git a/src/cmd/ksh93/edit/history.c b/src/cmd/ksh93/edit/history.c
index d6737e209ca0..f40f27b4a4d7 100644 index de5e4a8..222d4bc 100644
--- a/src/cmd/ksh93/edit/history.c --- a/src/cmd/ksh93/edit/history.c
+++ b/src/cmd/ksh93/edit/history.c +++ b/src/cmd/ksh93/edit/history.c
@@ -395,7 +395,7 @@ int sh_histinit(void *sh_context) @@ -395,7 +395,8 @@ retry:
if(fd>=0) if(fd>=0)
{ {
fcntl(fd,F_SETFD,FD_CLOEXEC); fcntl(fd,F_SETFD,FD_CLOEXEC);
- hp->tty = strdup(ttyname(2)); - hp->tty = strdup(ttyname(2));
+ hp->tty = strdup(isatty(2)?ttyname(2):"notty"); + const char* tty = ttyname(2);
+ hp->tty = strdup(tty?tty:"notty");
hp->auditfp = sfnew((Sfio_t*)0,NULL,-1,fd,SF_WRITE); hp->auditfp = sfnew((Sfio_t*)0,NULL,-1,fd,SF_WRITE);
} }
} }
--
2.43.0

8
ksh.spec
View File

@ -6,7 +6,7 @@ Summary: The Original ATT Korn Shell
URL: http://www.kornshell.com/ URL: http://www.kornshell.com/
License: EPL-1.0 License: EPL-1.0
Version: %{releasedate} Version: %{releasedate}
Release: 266%{?dist} Release: 267%{?dist}
Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
Source2: kshcomp.conf Source2: kshcomp.conf
@ -238,7 +238,7 @@ Patch94: ksh-20120801-segfault-long-command.patch
Patch95: ksh-20120801-set+r-fix.patch Patch95: ksh-20120801-set+r-fix.patch
# RHEL-11982 # RHEL-11982
# upstream commit: https://github.com/ksh93/ksh/commit/9a9da2c299a0adcd36b4efd1b1c0ee2883beba7b.patch # upstream commit: https://github.com/ksh93/ksh/commit/9eb8532ccacf1cfdb7ba18f51eba68776852ef7c.patch
Patch96: ksh-20120801-segfault-strdup.patch Patch96: ksh-20120801-segfault-strdup.patch
# RHEL-12011 # RHEL-12011
@ -411,6 +411,10 @@ fi
%config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf
%changelog %changelog
* Fri Feb 09 2024 Vincent Mihalkovic <vmihalko@redhat.com> - 20120801-267
- Re-fix segfault in strdup
Resolves: RHEL-11982
* Thu Jan 25 2024 Lukáš Zaoral <lzaoral@redhat.com> - 20120801-266 * Thu Jan 25 2024 Lukáš Zaoral <lzaoral@redhat.com> - 20120801-266
- fix crashes when interrupting subshells (RHEL-11650) - fix crashes when interrupting subshells (RHEL-11650)