From eaf7662daa8a66494c62b4ff2d2105a0877b08b7 Mon Sep 17 00:00:00 2001
From: Johnothan King
Date: Thu, 20 Jan 2022 14:30:02 -0800
Subject: [PATCH] Fix history expansion buffer overflow (#434)
History expansion currently crashes under ASan due to a buffer overflow. Reproducer: $ set -H $ !!:s/old/new/ Explanation from : > The problem is the code assumes the buffer allocated for a string > stream is zero initialized. But the SFIO code uses malloc() to > allocate the buffer and does not explicitly initialize it with > memset(). That it works at all, even without ASAN enabled, is > purely accidental. It will fail if that malloc() returns a block > that had been previously allocated, used, and freed. Under ASAN > the buffer is initialized (at least on my system) to a sequence > of 0xBE bytes. So the strdup() happily tries to duplicate a > string that is the size of that buffer and fails when it reads > past the end of the buffer looking for the terminating zero byte. src/cmd/ksh93/edit/hexpand.c: - Backport ksh2020 bugfix that avoids assuming the string stream has been initialized to zeros: https://github.com/att/ast/commit/cf16bcca (minus the incorrect change to the static wm variable).
---
 NEWS | 4 ++++
 src/cmd/ksh93/edit/hexpand.c | 10 ++++++++--
 src/cmd/ksh93/include/version.h | 2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 9f305ca35..f38dcf510 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh/tree/1.0
 Any uppercase BUG_* names are modernish shell bug IDs.
+2022-01-20:
+
+- Fixed a potential crash in history expansion due to a buffer overflow.
+
 2022-01-12:
 - Added bash-inspired --histreedit and --histverify options that modify history
diff --git a/src/cmd/ksh93/edit/hexpand.c b/src/cmd/ksh93/edit/hexpand.c
index e1aa6ebab..aa945060a 100644
--- a/src/cmd/ksh93/edit/hexpand.c
+++ b/src/cmd/ksh93/edit/hexpand.c
@@ -2,7 +2,7 @@
 * *
 * This software is part of the ast package *
 * Copyright (c) 1982-2011 AT&T Intellectual Property *
-* Copyright (c) 2020-2021 Contributors to ksh 93u+m *
+* Copyright (c) 2020-2022 Contributors to ksh 93u+m *
 * and is licensed under the *
 * Eclipse Public License, Version 1.0 *
 * by AT&T Intellectual Property *
@@ -590,7 +590,13 @@ getsel:
 {
 /* preset old with match from !?string? */
 if(!sb.str[0] && wm)
-sb.str[0] = sh_strdup(sfsetbuf(wm, (void*)1, 0));
+ {
+ char *sbuf = sfsetbuf(wm, (void*)1, 0);
+ int n = sftell(wm);
+ sb.str[0] = sh_malloc(n + 1);
+ sb.str[0][n] = '\0';
+ memcpy(sb.str[0], sbuf, n);
+ }
 cp = parse_subst(cp, &sb);
 }
diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h
index 73a26de77..c193b88ba 100644
--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@@ -21,7 +21,7 @@
 #define SH_RELEASE_FORK "93u+m" /* only change if you develop a new ksh93 fork */
 #define SH_RELEASE_SVER "1.0.0-beta.2" /* semantic version number: https://semver.org */
-#define SH_RELEASE_DATE "2022-01-12" /* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE "2022-01-20" /* must be in this format for $((.sh.version)) */
 #define SH_RELEASE_CPYR "(c) 2020-2022 Contributors to ksh " SH_RELEASE_FORK /* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */
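Review bot: The length taken at `int n = sftell(wm);` in the getsel hunk is narrowed from sfio's signed offset type and then used unchecked as the `sh_malloc` size, the index of the terminator and the `memcpy` count; if `sftell()` can report failure as a negative value here (sfio documents -1 for errors), `sb.str[0][n] = '\0'` becomes a write before the start of the allocation and `memcpy` is handed an enormous size, so the fix would trade the old over-read for an out-of-bounds write. A guard such as `Sfoff_t n = sftell(wm); if(n < 0) n = 0;` followed by `memcpy(sb.str[0], sbuf, (size_t)n)` closes that path without changing the normal case. A one-line comment stating why the length is not derived from the buffer itself, e.g. `/* the string stream buffer is not NUL-terminated; its write offset is the length */`, would keep a future cleanup from reverting to sh_strdup. The enclosing function begins and ends outside the hunk.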