[git commit] ash: fix use-after-free in pattern substitution code

Denys Vlasenko vda.linux at googlemail.com
Tue Aug 2 10:41:18 UTC 2022


commit: https://git.busybox.net/busybox/commit/?id=daa66ed62c79684219088cc0361d5b316d5d1295
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Patch by soeren at soeren-tempel.net

The idx variable points to a value in the stack string (as managed
by STPUTC). STPUTC may resize this stack string via realloc(3). If
this happens, the idx pointer needs to be updated. Otherwise,
dereferencing idx may result in a use-after-free.

function                                             old     new   delta
subevalvar                                          1562    1566      +4

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 shell/ash.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/shell/ash.c b/shell/ash.c
index c731a333b..105edd4c8 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7324,13 +7324,15 @@ subevalvar(char *start, char *str, int strloc,
 				if (idx >= end)
 					break;
 				STPUTC(*idx, expdest);
+				if (stackblock() != restart_detect)
+					goto restart;
 				if (quotes && (unsigned char)*idx == CTLESC) {
 					idx++;
 					len++;
 					STPUTC(*idx, expdest);
+					if (stackblock() != restart_detect)
+						goto restart;
 				}
-				if (stackblock() != restart_detect)
-					goto restart;
 				idx++;
 				len++;
 				rmesc++;
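
Review bot: The two new `if (stackblock() != restart_detect) goto restart;` checks have no comment saying why each must sit directly after its STPUTC and before the next read of `*idx`, so a later cleanup could merge them back into the single trailing check this patch removes. A one-line comment at the first check, noting that STPUTC may realloc the stack string and leave idx dangling, would guard against that. In the CTLESC branch the jump is now taken after `idx++` and `len++` have already run, and the restart label is outside this hunk, so it is worth confirming that the restart path reinitializes idx and len rather than depending on their current values. The diffstat shows only shell/ash.c changed; a test case with a pattern substitution long enough to force the stack string to grow would keep this from regressing.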

