busybox/shell
Denys Vlasenko daa66ed62c ash: fix use-after-free in pattern substitution code
Patch by soeren@soeren-tempel.net

The idx variable points to a value in the stack string (as managed
by STPUTC). STPUTC may resize this stack string via realloc(3). If
this happens, the idx pointer needs to be updated. Otherwise,
dereferencing idx may result in a use-after-free.

function                                             old     new   delta
subevalvar                                          1562    1566      +4

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2022-08-02 12:41:18 +02:00
ash_test ash: fix ifs cleanup on error paths 2022-08-02 11:18:11 +02:00
hush_test ash: fix ifs cleanup on error paths 2022-08-02 11:18:11 +02:00
ash_doc.txt
ash_ptr_hack.c
ash_remove_unnecessary_code_in_backquote_expansion.patch ash: save Ron's patch from oblivion 2021-06-06 13:01:25 +02:00
ash.c ash: fix use-after-free in pattern substitution code 2022-08-02 12:41:18 +02:00
brace.txt
Config.src nologin: make it possible to build it as single applet 2020-06-24 15:05:22 +02:00
cttyhack.c config: update size information 2018-12-28 03:20:17 +01:00
hush_doc.txt
hush_leaktool.sh
hush.c ash,hush: use HOME for tab completion and prompts 2022-06-26 18:05:50 +02:00
Kbuild.src
match.c style fix 2022-05-01 17:06:00 +02:00
match.h
math.c shell: fix parsing of $(( (v)++ + NUM )) 2021-09-26 13:29:25 +02:00
math.h shell: move all definitions of strto_arith_t() together 2019-05-26 14:02:10 +02:00
random.c whitespace fixes 2018-07-17 15:04:17 +02:00
random.h
README
README.job
shell_common.c shell: add comments about SIGINT-related problems 2022-01-16 23:54:46 +01:00
shell_common.h hush: fix "export PS1=xyz" and "local PS1=xyz" messing up prompt 2019-05-14 18:56:04 +02:00

http://www.opengroup.org/onlinepubs/9699919799/
Open Group Base Specifications Issue 7


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap01.html
Shell & Utilities

It says that any of the standard utilities may be implemented
as a regular shell built-in. It gives a list of utilities which
are usually implemented that way (and some of them can only
be implemented as built-ins, like "alias"):

alias
bg
cd
command
false
fc
fg
getopts
jobs
kill
newgrp
pwd
read
true
umask
unalias
wait


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html
Shell Command Language

It says that the shell must implement special built-ins. Special built-ins
differ from regular ones in that variable assignments
made on a special built-in invocation are *PRESERVED*. That is,

VAR=VAL special_builtin; echo $VAR

should print VAL.

(Another distinction is that an error in a special built-in should
abort the shell, but this is not such a critical difference,
and moreover, at least bash's "set" does not follow this rule,
which is even codified in autoconf configure logic now...)

List of special builtins:

. file
: [argument...]
break [n]
continue [n]
eval [argument...]
exec [command [argument...]]
exit [n]
export name[=word]...
export -p
readonly name[=word]...
readonly -p
return [n]
set [-abCefhmnuvx] [-o option] [argument...]
set [+abCefhmnuvx] [+o option] [argument...]
set -- [argument...]
set -o
set +o
shift [n]
times
trap n [condition...]
trap [action condition...]
unset [-fv] name...

In practice, no one uses this obscure feature - none of these built-ins
gives any special reason to play such dirty tricks.

However, this section also says that *function invocation* should act
similarly to a special built-in. That is, variable assignments
made on a function invocation should be preserved after the function returns.

This is significant: it is not unthinkable to want to run a function
with some variables set to special values. But because of the above,
it does not work: the variable will "leak" out of the function.
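
An added example, not part of the BusyBox README or the BusyBox code: it probes how the running shell treats a prefix assignment on a special built-in and on a function call, and shows a subshell wrapper that keeps the assignment from leaking in either case. The names join_args, with_var, probe_special_builtin, probe_function_call and PROBE are hypothetical.

```shell
#!/bin/sh
# Added example; every name here (join_args, with_var, probe_*, PROBE)
# is hypothetical and not taken from BusyBox.

# Joins its arguments with the first character of IFS.
join_args() { printf '%s\n' "$*"; }

# Does a prefix assignment on the special built-in ":" survive the command?
# The body is a subshell, so the probe cannot change the caller's variables.
probe_special_builtin() (
    unset PROBE
    PROBE=leaked :
    [ "${PROBE+set}" = set ] && echo preserved || echo discarded
)

# Same question for a function invocation, the case the README warns about.
probe_function_call() (
    unset PROBE
    PROBE=leaked join_args >/dev/null
    [ "${PROBE+set}" = set ] && echo preserved || echo discarded
)

# Run "$@" with NAME=VALUE set, inside a subshell: the assignment cannot
# outlive the call in any shell. Trade-off: any other variable changes
# made by the called function are lost as well.
with_var() (
    name=$1; value=$2; shift 2
    case $name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) exit 2 ;;   # reject invalid names
    esac
    export "$name=$value"
    "$@"
)

echo "special built-in: $(probe_special_builtin)"
echo "function call:    $(probe_function_call)"
echo "scoped call:      $(with_var IFS , join_args a b c)"
```

The first two lines of output depend on the shell and its mode, so compare them under `busybox ash`, `dash` and `bash`; the scoped call gives the same result everywhere and leaves IFS untouched in the caller.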