Skip to content

Commit

Permalink
parser: Fix old-style command substitution here-document crash
Browse files Browse the repository at this point in the history
On Wed, Jul 25, 2018 at 12:38:27PM +0000, project-repo wrote:
> Hi,
> I am working on a project in which I use the honggfuzz fuzzer to fuzz open
> source software and I decided to fuzz dash. In doing so I discovered a
> NULL pointer dereference in src/redir.ch on line 305. Following is a
> backtrace as supplied by the address sanitizer:
>
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==39623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005768ed bp 0x7ffc00273df0 sp 0x7ffc00273c60 T0)
> ==39623==The signal is caused by a READ memory access.
> ==39623==Hint: address points to the zero page.
>     #0 0x5768ec in openhere /home/jfe/dash/src/redir.c:305:29
>     #1 0x574d92 in openredirect /home/jfe/dash/src/redir.c:230:7
>     #2 0x5737fe in redirect /home/jfe/dash/src/redir.c:121:11
>     #3 0x576017 in redirectsafe /home/jfe/dash/src/redir.c:424:3
>     #4 0x522326 in evalcommand /home/jfe/dash/src/eval.c:828:11
>     #5 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
>     #6 0x5270da in evaltreenr /home/jfe/dash/src/eval.c:332:2
>     #7 0x526f04 in evalbackcmd /home/jfe/dash/src/eval.c:640:3
>     #8 0x539020 in expbackq /home/jfe/dash/src/expand.c:522:2
>     #9 0x5332d7 in argstr /home/jfe/dash/src/expand.c:343:4
>     #10 0x5322f7 in expandarg /home/jfe/dash/src/expand.c:196:2
>     #11 0x528118 in fill_arglist /home/jfe/dash/src/eval.c:659:3
>     #12 0x5213b6 in evalcommand /home/jfe/dash/src/eval.c:769:13
>     #13 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
>     #14 0x554423 in cmdloop /home/jfe/dash/src/main.c:234:8
>     #15 0x553bcc in main /home/jfe/dash/src/main.c:176:3
>     #16 0x7f201c2b2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
>     #17 0x41dfb9 in _start (/home/jfe/dash/src/dash+0x41dfb9)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/jfe/dash/src/redir.c:305:29 in openhere
> ==39623==ABORTING
>
> This bug can be reproduced by running "dash < min" where min is þhe file
> attached. I was able to reproduce this bug with the current git version
> and the current debian version.
>
> cheers
> project-repo
>
> <<A
> `<<A(`

Thanks for the report! This is caused by the recent change to
save/restore here-docment list around command substitutions.  In
doing so we must finish existing here-documents prior to restoring
the old here-document list.  This is done for new-style command
substitutions but not for old-style.

This patch fixes it by doing it for both.

Reported-by: project-repo <[email protected]>
Fixes: 51e2d88 ("parser: Save/restore here-documents in...")
Signed-off-by: Herbert Xu <[email protected]>
  • Loading branch information
herbertx committed Jan 20, 2020
1 parent 02a0056 commit b9f8565
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/parser.c
Original file line number Diff line number Diff line change
Expand Up @@ -1451,9 +1451,9 @@ parsebackq: {
if (readtoken() != TRP)
synexpect(TRP);
setinputstring(nullstr);
parseheredoc();
}

parseheredoc();
heredoclist = saveheredoclist;

(*nlpp)->n = n;
Expand Down

0 comments on commit b9f8565

Please sign in to comment.