funct(): Fix another use after free bug (re: f24040e, 69d37d5) (#519)

JohnoKing · McDutchie · commit bee2e1c13b20 · 2022-08-19T21:57:25.000+01:00
The ASan crash in basic.sh when sourcing multiple files is caused by a bug that is similar to the crash fixed in f24040e. This is the trace for the regression test crash (note that in order to see the trace, the 2>/dev/null redirect must be disabled): ==1899388==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000005b0 at pc 0x55a5e3f9432a bp 0x7ffeb91ea110 sp 0x7ffeb91ea100 WRITE of size 8 at 0x6150000005b0 thread T0 #0 0x55a5e3f94329 in funct /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:967 ksh-community#1 0x55a5e3f96f77 in item /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:1349 ksh-community#2 0x55a5e3f90c9f in term /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:642 ksh-community#3 0x55a5e3f90ac1 in list /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:613 ksh-community#4 0x55a5e3f90845 in sh_cmd /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:561 ksh-community#5 0x55a5e3f909e0 in sh_cmd /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:586 ksh-community#6 0x55a5e3f8fd5e in sh_parse /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/parse.c:438 ksh-community#7 0x55a5e3fc43c1 in sh_eval /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:635 ksh-community#8 0x55a5e4012172 in b_dot_cmd /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/bltins/misc.c:318 ksh-community#9 0x55a5e3fca3cb in sh_exec /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:1254 ksh-community#10 0x55a5e3fd01d4 in sh_exec /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:1932 ksh-community#11 0x55a5e3fc4544 in sh_eval /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:651 ksh-community#12 0x55a5e4012172 in b_dot_cmd /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/bltins/misc.c:318 ksh-community#13 0x55a5e3fca3cb in sh_exec /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/xec.c:1254 ksh-community#14 0x55a5e3ecc1cd in exfile /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/main.c:604 ksh-community#15 0x55a5e3ec9e7f in sh_main /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/main.c:369 ksh-community#16 0x55a5e3ec801d in main /home/johno/GitRepos/KornShell/ksh/src/cmd/ksh93/sh/pmain.c:41 ksh-community#17 0x7f637b4db2cf (/usr/lib/libc.so.6+0x232cf) ksh-community#18 0x7f637b4db389 in __libc_start_main (/usr/lib/libc.so.6+0x23389) ksh-community#19 0x55a5e3ec7f24 in _start ../sysdeps/x86_64/start.S:115 Code in question: https://github.com/ksh93/ksh/blob/8d57369b0cb39074437dd82924b604155e30e1e0/src/cmd/ksh93/sh/parse.c#L963-L968 To avoid any more similar crashes, all of the fixes introduced in 69d37d5 that set slp->slptr to null have been improved with the fix in f24040e.
diff --git a/src/cmd/ksh93/sh/name.c b/src/cmd/ksh93/sh/name.c
@@ -2466,8 +2466,9 @@ void	_nv_unset(register Namval_t *np,int flags)
 			}
 			if(slp->slptr)
 			{
-				stakdelete(slp->slptr);
+				Stak_t *sp = slp->slptr;
 				slp->slptr = NIL(Stak_t*);
+				stakdelete(sp);
 			}
 			free((void*)np->nvalue.ip);
 			np->nvalue.ip = 0;
diff --git a/src/cmd/ksh93/sh/parse.c b/src/cmd/ksh93/sh/parse.c
@@ -963,8 +963,9 @@ static Shnode_t *funct(Lex_t *lexp)
 		if(slp && slp->slptr)
 		{
 			sh.st.staklist = slp->slnext;
-			stakdelete(slp->slptr);
+			Stak_t *slptr_save = slp->slptr;
 			slp->slptr = NIL(Stak_t*);
+			stakdelete(slptr_save);
 		}
 		siglongjmp(*sh.jmplist,jmpval);
 	}
diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
@@ -1411,8 +1411,9 @@ int sh_exec(register const Shnode_t *t, int flags)
 					sh_funstaks(slp->slchild,-1);
 					if(slp->slptr)
 					{
-						stakdelete(slp->slptr);
+						Stak_t *sp = slp->slptr;
 						slp->slptr = NIL(Stak_t*);
+						stakdelete(sp);
 					}
 					if(jmpval > SH_JMPFUN || (io && jmpval > SH_JMPIO))
 						siglongjmp(*sh.jmplist,jmpval);
@@ -2462,8 +2463,9 @@ int sh_exec(register const Shnode_t *t, int flags)
 				sh_funstaks(slp->slchild,-1);
 				if(slp->slptr)
 				{
-					stakdelete(slp->slptr);
+					Stak_t *sp = slp->slptr;
 					slp->slptr = NIL(Stak_t*);
+					stakdelete(sp);
 				}
 				if(rp->sdict)
 				{

Original file line number	Diff line number	Diff line change
`@@ -2466,8 +2466,9 @@ void _nv_unset(register Namval_t *np,int flags)`
`2466`	`2466`	`}`
`2467`	`2467`	`if(slp->slptr)`
`2468`	`2468`	`{`
`2469`		`- stakdelete(slp->slptr);`
	`2469`	`+ Stak_t *sp = slp->slptr;`
`2470`	`2470`	`slp->slptr = NIL(Stak_t*);`
	`2471`	`+ stakdelete(sp);`
`2471`	`2472`	`}`
`2472`	`2473`	`free((void*)np->nvalue.ip);`
`2473`	`2474`	`np->nvalue.ip = 0;`
Original file line number	Diff line number	Diff line change
`@@ -963,8 +963,9 @@ static Shnode_t funct(Lex_t lexp)`
`963`	`963`	`if(slp && slp->slptr)`
`964`	`964`	`{`
`965`	`965`	`sh.st.staklist = slp->slnext;`
`966`		`- stakdelete(slp->slptr);`
	`966`	`+ Stak_t *slptr_save = slp->slptr;`
`967`	`967`	`slp->slptr = NIL(Stak_t*);`
	`968`	`+ stakdelete(slptr_save);`
`968`	`969`	`}`
`969`	`970`	`siglongjmp(*sh.jmplist,jmpval);`
`970`	`971`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1411,8 +1411,9 @@ int sh_exec(register const Shnode_t *t, int flags)`
`1411`	`1411`	`sh_funstaks(slp->slchild,-1);`
`1412`	`1412`	`if(slp->slptr)`
`1413`	`1413`	`{`
`1414`		`- stakdelete(slp->slptr);`
	`1414`	`+ Stak_t *sp = slp->slptr;`
`1415`	`1415`	`slp->slptr = NIL(Stak_t*);`
	`1416`	`+ stakdelete(sp);`
`1416`	`1417`	`}`
`1417`	`1418`	`if(jmpval > SH_JMPFUN \|\| (io && jmpval > SH_JMPIO))`
`1418`	`1419`	`siglongjmp(*sh.jmplist,jmpval);`
`@@ -2462,8 +2463,9 @@ int sh_exec(register const Shnode_t *t, int flags)`
`2462`	`2463`	`sh_funstaks(slp->slchild,-1);`
`2463`	`2464`	`if(slp->slptr)`
`2464`	`2465`	`{`
`2465`		`- stakdelete(slp->slptr);`
	`2466`	`+ Stak_t *sp = slp->slptr;`
`2466`	`2467`	`slp->slptr = NIL(Stak_t*);`
	`2468`	`+ stakdelete(sp);`
`2467`	`2469`	`}`
`2468`	`2470`	`if(rp->sdict)`
`2469`	`2471`	`{`