From 6c3f73bc536082fec38bd36e6c8a121033c68835 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 2 Oct 2014 08:26:06 +0800
Subject: [EVAL] Fix use-after-free in dotrap/evalstring

The function dotrap calls evalstring using the stored trap string. If evalstring then unsets that exact trap string then we will end up using freed memory.
This patch fixes it by making evalstring always duplicate the string before using it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 ChangeLog | 4 ++++
 src/eval.c | 3 +++
 src/histedit.c | 3 +--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f161a13..a56fc5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-10-02 Herbert Xu <herbert@gondor.apana.org.au>
+
+ * Fix use-after-free in dotrap/evalstring.
+
 2014-09-29 Herbert Xu <herbert@gondor.apana.org.au>
 
 * Kill pgetc_macro.
diff --git a/src/eval.c b/src/eval.c
index c7358a6..3cfa1e5 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
 struct stackmark smark;
 int status;
 
+ s = sstrdup(s);
 setinputstring(s);
 setstackmark(&smark);
 
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
 if (evalskip)
 break;
 }
+ popstackmark(&smark);
 popfile();
+ stunalloc(s);
 
 return status;
 }
diff --git a/src/histedit.c b/src/histedit.c
index b27d629..94465d7 100644
--- a/src/histedit.c
+++ b/src/histedit.c
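Review bot: The order of the three statements added to evalstring in src/eval.c is load-bearing and nothing in the code says so: `s = sstrdup(s);` has to come before `setstackmark(&smark);` so the mark sits above the copy (the per-command mark pops in the for loop header, which lies outside the hunk, would presumably release it otherwise), and the new `popstackmark(&smark);` must come before `stunalloc(s);` so the copy is again the top of the shell stack when it is released, with `popfile()` in between because the input installed by `setinputstring(s)` presumably still points into the copy until then. I would put a comment above the duplication, `/* Private copy: s may be a trap string that the commands below free via trap; allocate it before setstackmark so the per-command popstackmark keeps it. */`, and one above the release, `/* After popstackmark the copy is the top stack allocation; popfile() has already dropped the input that referenced it. */`. evalstring's signature and the for loop header lie outside the hunks, so the break-on-evalskip path that the added popstackmark presumably covers is not fully visible here. Since src/histedit.c now passes its buffer straight through (dropping its own stalloc copy), the function's declaration should also state that the caller keeps ownership of s and that evalstring does not retain it.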
@@ -372,8 +372,7 @@ histcmd(int argc, char **argv)
 
 out2str(s);
 }
- evalstring(strcpy(stalloc(strlen(s) + 1), s),
- 0);
+ evalstring(s, 0);
 if (displayhist && hist) {
 /*
 * XXX what about recursive and
-- cgit 1.4.1 dccf7b5'/><input type='hidden' name='showmsg' value='1'/><select name='qt'> <option value='grep'>log msg</option> <option value='author'>author</option> <option value='committer'>committer</option> <option value='range'>range</option> </select> <input class='txt' type='search' size='10' name='q' value=''/> <input type='submit' value='search'/> </form> </td></tr></table> <div class='path'>path: <a href='/src/log/?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1&follow=1'>root</a>/<a href='/src/log/home?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1&follow=1'>home</a>/<a href='/src/log/home/.config?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1&follow=1'>.config</a>/<a href='/src/log/home/.config/git?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1&follow=1'>git</a>/<a href='/src/log/home/.config/git/ignore?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1&follow=1'>ignore</a> (<a href='/src/log/home/.config/git/ignore?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&showmsg=1'>unfollow</a>)</div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/src/log/home/.config/git/ignore?id=a069d2def79de1f880b1177976e5dca6cdccf7b5&follow=1'>Collapse</a>)</th><th class='left'>Author</th></tr> <tr class='logheader'><td><span title='2022-08-14 09:11:26 -0400'>2022-08-14</span></td><td class='logsubject'><a href='/src/commit/txt/tweets.txt?id=c8c03f5916477570c83599106047de1f73d36f89&follow=1'>Remove tweets text file</a></td><td>June McEnroe</td></tr> <tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'> Such link rot. 