Scope variables to their subshell before assigning their discipline #811
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, running the tilde.sh tests under ASan will fail with a
use after free. Stacktrace below (with irrelevant parts cut out):
test tilde(C.UTF-8) begins at 2024-12-28+20:08:53
=================================================================
==189441==ERROR: AddressSanitizer: heap-use-after-free on address 0x5070000069a8 at pc 0x7b65d030bd77 bp 0x7ffc12db7390 sp 0x7ffc12db7380
READ of size 2 at 0x5070000069a8 thread T0
#0 0x7b65d030bd76 in simple /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:1484
ksh93#1 0x7b65d030a209 in item /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:1374
ksh93#2 0x7b65d02fc516 in term /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:655
---CUT 1---
0x5070000069a8 is located 24 bytes inside of 78-byte region [0x507000006990,0x5070000069de)
freed by thread T0 here:
#0 0x7b65d0d53ef2 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
ksh93#1 0x7b65d02bd246 in nv_delete /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/name.c:1329
ksh93#2 0x7b65d03621d3 in sh_subshell /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/subshell.c:807
ksh93#3 0x7b65d029902b in comsubst /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/macro.c:2268
---CUT 2---
previously allocated by thread T0 here:
#0 0x7b65d0d555da in calloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
ksh93#1 0x7b65d01dd012 in sh_calloc /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/init.c:255
ksh93#2 0x7b65d0135140 in newnode /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/nvdisc.c:823
ksh93#3 0x7b65d0138da4 in nv_search /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/nvdisc.c:1022
ksh93#4 0x7b65d02c0552 in nv_open /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/name.c:1486
ksh93#5 0x7b65d039d356 in sh_exec /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:2484
---CUT 3---
The crash occurs because the discipline function is assigned
before .sh.tilde is scoped to the currently active virtual subshell.
After this, sh_subshell frees the discipline function by calling
nv_delete upon subshell completion, but because of improper scoping
.sh.tilde in the parent subshell now has an np->nvfun which points to
freed memory. (As a side note, I'll note that this bug can be reproduced
for any variable assigned a discipline function, not just .sh.tilde.)
src/cmd/ksh93/sh/xec.c: sh_exec():
- Use sh_assignok to scope variables to subshells before assigning
a new discipline function to them.
JohnoKing
changed the title
|
That's well analysed, thanks for finding the fix. This one has been bugging me for ages. |
McDutchie
force-pushed
the
fix-tilde-discipline-use-after-free
branch
from
cc1fb49 to
b4d411c
Compare
McDutchie
pushed a commit
that referenced
this pull request
Jan 5, 2025
Currently, running the tilde.sh tests under ASan will fail with a use after free. The crash occurs because the discipline function is assigned before .sh.tilde is scoped to the currently active virtual subshell. After this, sh_subshell() frees the discipline function by calling nv_delete() upon subshell completion, but because of improper scoping, .sh.tilde in the parent subshell now has an np->nvfun which points to freed memory. (As a side note, I'll note that this bug can be reproduced for any variable assigned a discipline function, not just .sh.tilde.) src/cmd/ksh93/sh/xec.c: sh_exec(): - Use sh_assignok to scope variables to subshells before assigning a new discipline function to them.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, running the tilde.sh tests under ASan will fail with a use after free. Stacktrace below (with irrelevant parts cut out):
The crash occurs because the discipline function is assigned before
.sh.tildeis scoped to the currently active virtual subshell. After this,sh_subshellfrees the discipline function by callingnv_deleteupon subshell completion, but because of improper scoping.sh.tildein the parent subshell now has annp->nvfunwhich points to freed memory. (As a side note, I'll note that this bug can be reproduced for any variable assigned a discipline function, not just.sh.tilde.)src/cmd/ksh93/sh/xec.c: sh_exec():
sh_assignokto scope variables to subshells before assigning a new discipline function to them.