author | Herbert Xu <herbert@gondor.apana.org.au> | 2019-03-29 13:49:59 +0800 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2020-01-20 17:52:07 +0800 |
commit | b9f8565be338c172c3bd8a96d3fe3e3ab4775120 (patch) | |
tree | f1baa4b71f9736ee50e17c37dd4cad4e75f8adfe | |
parent | 02a00569ba60e502f876c36d894ba0cc2d0682b3 (diff) | |
download | dash-b9f8565be338c172c3bd8a96d3fe3e3ab4775120.tar.gz |
parser: Fix old-style command substitution here-document crash
On Wed, Jul 25, 2018 at 12:38:27PM +0000, project-repo wrote:
> Hi,
> I am working on a project in which I use the honggfuzz fuzzer to fuzz open
> source software and I decided to fuzz dash. In doing so I discovered a
> NULL pointer dereference in src/redir.c on line 305. Following is a
> backtrace as supplied by the address sanitizer:
>
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==39623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005768ed bp 0x7ffc00273df0 sp 0x7ffc00273c60 T0)
> ==39623==The signal is caused by a READ memory access.
> ==39623==Hint: address points to the zero page.
> #0 0x5768ec in openhere /home/jfe/dash/src/redir.c:305:29
> #1 0x574d92 in openredirect /home/jfe/dash/src/redir.c:230:7
> #2 0x5737fe in redirect /home/jfe/dash/src/redir.c:121:11
> #3 0x576017 in redirectsafe /home/jfe/dash/src/redir.c:424:3
> #4 0x522326 in evalcommand /home/jfe/dash/src/eval.c:828:11
> #5 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
> #6 0x5270da in evaltreenr /home/jfe/dash/src/eval.c:332:2
> #7 0x526f04 in evalbackcmd /home/jfe/dash/src/eval.c:640:3
> #8 0x539020 in expbackq /home/jfe/dash/src/expand.c:522:2
> #9 0x5332d7 in argstr /home/jfe/dash/src/expand.c:343:4
> #10 0x5322f7 in expandarg /home/jfe/dash/src/expand.c:196:2
> #11 0x528118 in fill_arglist /home/jfe/dash/src/eval.c:659:3
> #12 0x5213b6 in evalcommand /home/jfe/dash/src/eval.c:769:13
> #13 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
> #14 0x554423 in cmdloop /home/jfe/dash/src/main.c:234:8
> #15 0x553bcc in main /home/jfe/dash/src/main.c:176:3
> #16 0x7f201c2b2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
> #17 0x41dfb9 in _start (/home/jfe/dash/src/dash+0x41dfb9)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/jfe/dash/src/redir.c:305:29 in openhere
> ==39623==ABORTING
>
> This bug can be reproduced by running "dash < min" where min is the file
> attached. I was able to reproduce this bug with the current git version
> and the current debian version.
>
> cheers
> project-repo
>
> <<A
> `<<A(`
Thanks for the report! This is caused by the recent change to
save/restore the here-document list around command substitutions. In
doing so we must finish existing here-documents prior to restoring
the old here-document list. This is done for new-style command
substitutions but not for old-style.
This patch fixes it by doing it for both.
Reported-by: project-repo <bugs@feusi.co>
Fixes: 51e2d88d6e51 ("parser: Save/restore here-documents in...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
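As an added illustration (this script is not part of the dash commit or of dash's own test suite), the following exercises from the shell side the rule the fix enforces: a here-document opened inside a command substitution must be read and finished inside that substitution, for the new-style `$(...)` form and the old-style backquote form alike, so that parsing of the enclosing command resumes correctly afterwards. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the dash commit or its test suite.
# A here-document opened inside a command substitution is read and
# finished inside that substitution, for $(...) and `...` alike, so the
# enclosing command continues to parse after the substitution closes.
# Function names are assumptions of this example.

# Here-document inside a new-style command substitution.
heredoc_in_new_style() {
    printf '%s' "$(cat <<EOF
inner-new
EOF
)"
}

# Here-document inside an old-style command substitution.
heredoc_in_old_style() {
    printf '%s' "`cat <<EOF
inner-old
EOF
`"
}

# After the substitution closes, the outer command continues on the same
# line: "outer" must be parsed as an argument of printf, not as part of
# the here-document body that belongs to the inner cat.
outer_resumes_after_new_style() {
    printf '%s|%s' "$(cat <<EOF
inner
EOF
)" outer
}

# Same check for the old-style form, which the commit brings in line with
# the new-style one.
outer_resumes_after_old_style() {
    printf '%s|%s' "`cat <<EOF
inner
EOF
`" outer
}

# Runs all four checks; succeeds only if every form parses and expands as
# expected.
check_all() {
    [ "$(heredoc_in_new_style)" = inner-new ] &&
    [ "$(heredoc_in_old_style)" = inner-old ] &&
    [ "$(outer_resumes_after_new_style)" = 'inner|outer' ] &&
    [ "$(outer_resumes_after_old_style)" = 'inner|outer' ]
}

check_all && echo "here-documents inside both substitution forms parse correctly"
```

Run it with the shell under test (for example `dash ./heredoc-subst.sh`); a parser that fails to finish the inner here-document before returning to the outer command will either mis-parse the trailing `outer` argument or, as in the crash above, fail when the here-document is later opened.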
-rw-r--r-- | src/parser.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/parser.c b/src/parser.c index 1f9e8ec..4bda42e 100644 --- a/src/parser.c +++ b/src/parser.c @@ -1451,9 +1451,9 @@ done: if (readtoken() != TRP) synexpect(TRP); setinputstring(nullstr); - parseheredoc(); } + parseheredoc(); heredoclist = saveheredoclist; (*nlpp)->n = n; |
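Review bot: the relocated `parseheredoc();` now sits between the closing `}` and `heredoclist = saveheredoclist;`, but nothing in the hunk records why it has to come before the restore; a one-line comment above the call (here-documents opened inside the substitution must be read before the saved list is put back) would stop a later cleanup from moving it back inside the block that ends with that `}`. The two-line reproducer from the report (`<<A` followed by `` `<<A(` ``) would also make a cheap regression test to ship alongside the fix.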