From cd64abaa92e13d6a82000b85f02bcccf12d9073b Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Mon, 30 Mar 2026 10:36:42 -0400
Subject: [PATCH] import CS ksh-1.0.6-15.el9

---
 SOURCES/ksh-1.0.11-devfd-memory-fault.patch | 305 ++++++++++++++++++++
 SPECS/ksh.spec                              |   9 +-
 2 files changed, 313 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ksh-1.0.11-devfd-memory-fault.patch

diff --git a/SOURCES/ksh-1.0.11-devfd-memory-fault.patch b/SOURCES/ksh-1.0.11-devfd-memory-fault.patch
new file mode 100644
index 0000000..08bb2f4
--- /dev/null
+++ b/SOURCES/ksh-1.0.11-devfd-memory-fault.patch
@@ -0,0 +1,305 @@
+From aa75399b030dfb0efc39be6d07c627aedbc2d2c1 Mon Sep 17 00:00:00 2001
+From: Johnothan King <johnothanking@protonmail.com>
+Date: Thu, 29 Jan 2026 16:23:45 -0800
+Subject: [PATCH] Fix /dev/fd/1 memory fault and $0 for /dev/fd scripts
+
+Changes:
+
+- sh_init(): Don't set $0 to the path to ksh. The correct behavior
+  is to always use the script name, even when it's a /dev/fd file.
+  The behavior of ksh93 should match that of bash and other shells.
+  Please read:
+  https://github.com/ksh93/ksh/pull/866#issuecomment-2968762167
+  https://github.com/ksh93/ksh/issues/874#issuecomment-2977615731
+
+- sh_main(): Do not attempt to optimize away sh_open() for the
+  stdio fds (0, 1, 2) because that can cause buggy behavior. Ksh's
+  handling of /dev/fd/1 and /dev/stdin should not differ. See:
+  https://github.com/ksh93/ksh/pull/879#issuecomment-2989729921
+
+- exfile(): Don't dup or close fds for /dev/fd scripts with a file
+  descriptor > 2. Those should be left open pursuant to the $0 name
+  of the script. (This cannot be done safely for fds 1 and 2, so
+  the stdio fds are all dup'ed, but not closed.)
+
+- sh_main(): If the fd obtained for the script by sh_open() is
+  <= 2, that means the shell was opened with one of the stdio fds
+  closed, so for correct behavior use sh_iomovefd() to keep the
+  stdio fd closed.
+
+- sh_iomovefd(): As an optimization, move the fd to a number that's
+  either >= 3 or >= 10, depending on what is most appropriate. This
+  avoids a possible inefficient scenario of dup'ing an fd from
+  0 -> 3 -> 10 (less syscalls is better for performance).
+
+- sh_main(): Use O_CLOEXEC in advance for the fd (which is
+  guaranteed to get close-on-exec via a later fcntl call; if we
+  don't end up calling fcntl for whatever reason O_CLOEXEC will
+  help avoid an extra syscall).
+
+- basic.sh: Add regression tests for $0 and its associated fd. For
+  the time being I've omitted a /dev/fd/1 regression test because I
+  can't get one to work correctly with the pty tool.
+
+Resolves: https://github.com/ksh93/ksh/issues/874
+Resolves: https://github.com/ksh93/ksh/issues/877
+Resolves: https://github.com/ksh93/ksh/pull/879
+---
+diff --git a/src/cmd/ksh93/include/io.h b/src/cmd/ksh93/include/io.h
+index 3003254..bdc1455 100644
+--- a/src/cmd/ksh93/include/io.h
++++ b/src/cmd/ksh93/include/io.h
+@@ -66,7 +66,7 @@
+ 
+ extern int	sh_iocheckfd(int);
+ extern void 	sh_ioinit(void);
+-extern int 	sh_iomovefd(int);
++extern int 	sh_iomovefd(int,int);
+ extern int	sh_iorenumber(int,int);
+ extern void 	sh_pclose(int[]);
+ extern int	sh_rpipe(int[]);
+diff --git a/src/cmd/ksh93/sh/init.c b/src/cmd/ksh93/sh/init.c
+index 58c4e09..cdb821f 100644
+--- a/src/cmd/ksh93/sh/init.c
++++ b/src/cmd/ksh93/sh/init.c
+@@ -1435,10 +1435,7 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
+ 	else
+ 		sh_offoption(SH_PRIVILEGED);
+ 	/* shname for $0 in profiles and . scripts */
+-	if(sh_isdevfd(argv[1]))
+-		sh.shname = sh_strdup(argv[0]);
+-	else
+-		sh.shname = sh_strdup(sh.st.dolv[0]);
++	sh.shname = sh_strdup(sh.st.dolv[0]);
+ 	/*
+ 	 * return here for shell script execution
+ 	 * but not for parenthesis subshells
+diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c
+index 130b036..f86181b 100644
+--- a/src/cmd/ksh93/sh/io.c
++++ b/src/cmd/ksh93/sh/io.c
+@@ -897,16 +897,16 @@ int sh_chkopen(const char *name)
+ }
+ 
+ /*
+- * move open file descriptor to a number > 2
++ * move open file descriptor to a number >= minfd
+  */
+-int sh_iomovefd(int fdold)
++int sh_iomovefd(int fdold, int minfd)
+ {
+ 	int fdnew;
+ 	if(fdold >= sh.lim.open_max)
+ 		sh_iovalidfd(fdold);
+-	if(fdold<0 || fdold>2)
++	if(fdold<0 || fdold>=minfd)
+ 		return fdold;
+-	fdnew = sh_iomovefd(dup(fdold));
++	fdnew = sh_iomovefd(fcntl(fdold,F_DUPFD,minfd),minfd);
+ 	sh.fdstatus[fdnew] = (sh.fdstatus[fdold]&~IOCLEX);
+ 	close(fdold);
+ 	sh.fdstatus[fdold] = IOCLOSE;
+@@ -928,8 +928,8 @@ int	sh_pipe(int pv[])
+ 		errormsg(SH_DICT,ERROR_system(1),e_pipe);
+ 		UNREACHABLE();
+ 	}
+-	pv[0] = sh_iomovefd(pv[0]);
+-	pv[1] = sh_iomovefd(pv[1]);
++	pv[0] = sh_iomovefd(pv[0],3);
++	pv[1] = sh_iomovefd(pv[1],3);
+ 	sh.fdstatus[pv[0]] = IONOSEEK|IOREAD;
+ 	sh.fdstatus[pv[1]] = IONOSEEK|IOWRITE;
+ 	sh_subsavefd(pv[0]);
+@@ -953,8 +953,8 @@ int	sh_pipe(int pv[])
+ 		errormsg(SH_DICT,ERROR_system(1),e_pipe);
+ 		UNREACHABLE();
+ 	}
+-	pv[0] = sh_iomovefd(pv[0]);
+-	pv[1] = sh_iomovefd(pv[1]);
++	pv[0] = sh_iomovefd(pv[0],3);
++	pv[1] = sh_iomovefd(pv[1],3);
+ 	sh.fdstatus[pv[0]] = IONOSEEK|IOREAD;
+ 	sh.fdstatus[pv[1]] = IONOSEEK|IOWRITE;
+ 	sh_subsavefd(pv[0]);
+@@ -1492,7 +1492,7 @@ int	sh_redirect(struct ionod *iop, int flag)
+ 				sh_close(fn);
+ 			}
+ 			if(flag==3)
+-				return sh_iomovefd(fd);  /* ensure FD > 2 to make $(<file) work with std{in,out,err} closed */
++				return sh_iomovefd(fd,3);  /* ensure FD > 2 to make $(<file) work with std{in,out,err} closed */
+ 			if(fd>=0)
+ 			{
+ 				if(np)
+@@ -1519,7 +1519,7 @@ int	sh_redirect(struct ionod *iop, int flag)
+ 				}
+ 				else
+ 				{
+-					fd = sh_iorenumber(sh_iomovefd(fd),fn);
++					fd = sh_iorenumber(sh_iomovefd(fd,3),fn);
+ 					if(fn>2 && fn<10)
+ 						sh.inuse_bits |= (1<<fn);
+ 				}
+diff --git a/src/cmd/ksh93/sh/main.c b/src/cmd/ksh93/sh/main.c
+index 712310e..48b1316 100644
+--- a/src/cmd/ksh93/sh/main.c
++++ b/src/cmd/ksh93/sh/main.c
+@@ -66,6 +66,9 @@ static void	chkmail(char*);
+ static struct stat lastmail;
+ static time_t	mailtime;
+ static char	beenhere = 0;
++#if SHOPT_DEVFD
++#define GOT_DEVFD	2
++#endif
+ 
+ #ifdef _lib_sigvec
+     void clearsigmask(int sig)
+@@ -150,7 +153,7 @@ int sh_main(int ac, char *av[], Shinit_f userinit)
+ #endif
+ 	if(!beenhere)
+ 	{
+-		beenhere++;
++		beenhere = 1;
+ 		sh_onstate(SH_PROFILE);
+ 		sh.sigflag[SIGTSTP] |= SH_SIGIGNORE;
+ 		/* decide whether shell is interactive */
+@@ -243,11 +246,10 @@ int sh_main(int ac, char *av[], Shinit_f userinit)
+ 				fdin = 0;
+ 			else
+ 			{
+-				char *sp;
+ 				/* open stream should have been passed into shell */
+-				if(strmatch(name,e_devfdNN))
++#if SHOPT_DEVFD
++				if(strmatch(name,e_devfdNN) && (fdin=(int)strtol(name+8, NULL, 10)) > 2)
+ 				{
+-					fdin = (int)strtol(name+8, NULL, 10);
+ 					if(fstat(fdin,&statb)<0)
+ 					{
+ 						errormsg(SH_DICT,ERROR_system(1),e_open,name);
+@@ -256,11 +258,14 @@ int sh_main(int ac, char *av[], Shinit_f userinit)
+ 					name = av[0];
+ 					sh_offoption(SH_VERBOSE);
+ 					sh_offoption(SH_XTRACE);
++					beenhere = GOT_DEVFD;
+ 				}
+ 				else
++#endif
+ 				{
++					char *sp;
+ 					int isdir = 0;
+-					if((fdin=sh_open(name,O_RDONLY,0))>=0 &&(fstat(fdin,&statb)<0 || S_ISDIR(statb.st_mode)))
++					if((fdin=sh_open(name,O_RDONLY|O_cloexec,0))>=0 &&(fstat(fdin,&statb)<0 || S_ISDIR(statb.st_mode)))
+ 					{
+ 						close(fdin);
+ 						isdir = 1;
+@@ -275,7 +280,7 @@ int sh_main(int ac, char *av[], Shinit_f userinit)
+ 							sp = stkptr(sh.stk,PATH_OFFSET);
+ 						if(sp)
+ 						{
+-							if((fdin=sh_open(sp,O_RDONLY,0))>=0)
++							if((fdin=sh_open(sp,O_RDONLY|O_cloexec,0))>=0)
+ 								sh.st.filename = path_fullname(sp);
+ 						}
+ 					}
+@@ -297,8 +302,14 @@ int sh_main(int ac, char *av[], Shinit_f userinit)
+ 							strcopy(name," \"$@\"");
+ 						goto shell_c;
+ 					}
+-					if(fdin==0)
+-						fdin = sh_iomovefd(fdin);
++					/*
++					 * Note: fdin could wind up being zero or some such if the
++					 *       shell was opened with stdin/stdout/stderr closed
++					 *       (i.e. 0>&-), so we move the fd in such a case to
++					 *       keep that file descriptor closed.
++					 */
++					if(fdin<=2)
++						fdin = sh_iomovefd(fdin,10);
+ 				}
+ 				sh.readscript = sh.shname;
+ 			}
+@@ -368,15 +379,27 @@ static void	exfile(Sfio_t *iop,int fno)
+ 	{
+ 		if(fno > 0)
+ 		{
+-			int r;
+-			if(fno < 10 && ((r=sh_fcntl(fno,F_DUPFD,10))>=10))
++#if SHOPT_DEVFD
++			if(beenhere == GOT_DEVFD)
++				; /* leave the inherited /dev/fd as is */
++			else
++#endif
+ 			{
+-				sh.fdstatus[r] = sh.fdstatus[fno];
+-				sh_close(fno);
+-				fno = r;
++				if(fno < 10)
++				{
++					int r = sh_fcntl(fno,F_DUPFD,10);
++					if(r >= 10)
++					{
++						sh.fdstatus[r] = sh.fdstatus[fno];
++						/* leave std* fds open when they're not explicitly closed */
++						if(fno > 2)
++							sh_close(fno);
++						fno = r;
++					}
++				}
++				fcntl(fno,F_SETFD,FD_CLOEXEC);
++				sh.fdstatus[fno] |= IOCLEX;
+ 			}
+-			fcntl(fno,F_SETFD,FD_CLOEXEC);
+-			sh.fdstatus[fno] |= IOCLEX;
+ 			iop = sh_iostream(fno);
+ 		}
+ 		else
+@@ -384,6 +407,7 @@ static void	exfile(Sfio_t *iop,int fno)
+ 	}
+ 	else
+ 		fno = -1;
++	beenhere = 1;
+ 	sh.infd = fno;
+ 	if(sh_isstate(SH_INTERACTIVE))
+ 	{
+diff --git a/src/cmd/ksh93/sh/path.c b/src/cmd/ksh93/sh/path.c
+index 7728df0..e22e764 100644
+--- a/src/cmd/ksh93/sh/path.c
++++ b/src/cmd/ksh93/sh/path.c
+@@ -481,7 +481,7 @@ static int	opentype(const char *name, Pathcomp_t *pp, int fun)
+ 		}
+ 	}
+ 	while(fd<0 && nextpp);
+-	if(fd>=0 && (fd = sh_iomovefd(fd)) > 0)
++	if(fd>=0 && (fd = sh_iomovefd(fd,10)) > 0)
+ 	{
+ 		fcntl(fd,F_SETFD,FD_CLOEXEC);
+ 		sh.fdstatus[fd] |= IOCLEX;
+@@ -1291,7 +1291,7 @@ static noreturn void exscript(char *path,char *argv[],char **envp)
+ 		errormsg(SH_DICT,ERROR_system(ERROR_NOEXEC),e_exec,path);
+ 		UNREACHABLE();
+ 	}
+-	sh.infd = sh_iomovefd(sh.infd);
++	sh.infd = sh_iomovefd(sh.infd,10);
+ #if SHOPT_ACCT
+ 	sh_accbegin(path) ;  /* reset accounting */
+ #endif	/* SHOPT_ACCT */
+diff --git a/src/cmd/ksh93/tests/basic.sh b/src/cmd/ksh93/tests/basic.sh
+index 0b02f7c..fa3e301 100755
+--- a/src/cmd/ksh93/tests/basic.sh
++++ b/src/cmd/ksh93/tests/basic.sh
+@@ -1047,5 +1047,15 @@ unset bindir
+ [[ $exp == $got ]] || err_exit 'ksh93 shebang-less scripts are vulnerable to being hijacked for arbitrary code execution' \
+ 	"(exp $(printf %q "$exp"), got $(printf %q "$got"))"
+ 
++# ======
++# $0 should be the /dev/fd path for scripts executed from a /dev/fd file
++# https://github.com/ksh93/ksh/issues/874
++# https://github.com/ksh93/ksh/pull/879
++if	((SHOPT_DEVFD))
++then	got=$("$SHELL" <(echo 'echo $0'))
++	[[ ${got:0:7} != '/dev/fd' ]] && err_exit '$0 is wrong for process substitution scripts' \\
++		"(expected a /dev/fd file name, got $(printf %q "$got"))"
++fi
++
+ # ======
+ exit $((Errors<125?Errors:125))
diff --git a/SPECS/ksh.spec b/SPECS/ksh.spec
index fb3e6e0..9206817 100644
--- a/SPECS/ksh.spec
+++ b/SPECS/ksh.spec
@@ -4,7 +4,7 @@ URL:          http://www.kornshell.com/
 License:      EPL-1.0
 Epoch:        3
 Version:      1.0.6
-Release:      14%{?dist}
+Release:      15%{?dist}
 Source0:      https://github.com/ksh93/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:      kshcomp.conf
 Source2:      kshrc.rhs
@@ -60,6 +60,9 @@ Patch14: ksh-1.0.10-sigpipe.patch
 # https://github.com/ksh93/ksh/commit/970812e39c236ff385e440ac6d458d196c237667
 Patch15: ksh-1.0.12-security.patch
 
+# upstream commit: https://github.com/ksh93/ksh/commit/c2cfcfc6f4b2d63472b2290debb9d0bb84c932df
+Patch16: ksh-1.0.11-devfd-memory-fault.patch
+
 Conflicts:    pdksh
 Requires: coreutils, diffutils
 BuildRequires: gcc
@@ -181,6 +184,10 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf
 
 %changelog
+* Wed Feb 04 2026 Vincent Mihalkovic <vmihalko@redhat.com> - 3:1.0.6-15
+- Fix /dev/fd/1 memory fault and $0 for /dev/fd scripts
+  Resolves: RHEL-146564
+
 * Wed Aug 06 2025 Vincent Mihalkovic <vmihalko@redhat.com> - 3:1.0.6-14
 - Fix arbitrary command execution/code injection bugs
   Resolves: RHEL-99063