busybox/shell
Denys Vlasenko 8e2bc47d62 ash: [EVAL] Fix use-after-free in dotrap/evalstring
From upstream:

    [EVAL] Fix use-after-free in dotrap/evalstring

    The function dotrap calls evalstring using the stored trap string.
    If evalstring then unsets that exact trap string then we will end
    up using freed memory.

    This patch fixes it by making evalstring always duplicate the string
    before using it.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-09-28 23:02:57 +02:00
..
ash_test ash: eval: Return status in eval functions 2016-09-28 19:41:57 +02:00
hush_test ash: eval: Return status in eval functions 2016-09-28 19:41:57 +02:00
msh_test whitespace fixes 2010-01-25 13:39:24 +01:00
ash_doc.txt ash: fix TRACE commands 2009-03-19 23:09:58 +00:00
ash_ptr_hack.c *: make GNU licensing statement forms more regular 2010-08-16 20:14:46 +02:00
ash.c ash: [EVAL] Fix use-after-free in dotrap/evalstring 2016-09-28 23:02:57 +02:00
brace.txt hush: wait for cmd to complete, and immediately store its exitcode in $? 2009-11-15 19:58:19 +01:00
Config.src config: disentangle PREFER_APPLETS from SH_STANDALONE and SH_NOFORK 2016-07-22 18:48:38 +02:00
cttyhack.c cttyhack: handle multiple consoles found in sysfs 2012-02-04 21:55:01 +01:00
hush_doc.txt hush: implement break and continue 2008-07-28 23:04:34 +00:00
hush_leaktool.sh hush: fix "export not_yet_defined_var", fix parsing of "cmd | }" 2009-04-19 23:07:51 +00:00
hush.c hush: document better where bad redirect syntax is detected 2016-09-20 16:22:24 +02:00
Kbuild.src *: make GNU licensing statement forms more regular 2010-08-16 20:14:46 +02:00
match.c shell/match.c: shrink by dropping double bool inversion 2010-09-12 15:06:42 +02:00
match.h hush: optimize #[#] and %[%] for speed. size -2 bytes. 2010-09-04 21:21:07 +02:00
math.c typo fix in comment 2014-11-20 01:43:30 +01:00
math.h move endofname() to libbb 2013-02-26 00:36:53 +01:00
random.c ash,hush: fix a thinko about 2^64-1 factorization 2014-03-15 09:25:46 +01:00
random.h ash,hush: improve randomness of $RANDOM, add easy-ish way to test it 2014-03-13 12:52:43 +01:00
README update shell/README 2010-05-20 12:56:14 +02:00
README.job hush: small code shrink; style fixes 2007-04-20 08:35:45 +00:00
shell_common.c *: slap on a few ALIGN1/2s where appropriate 2016-04-22 18:09:21 +02:00
shell_common.h *: declare strings with ALIGN1, as appropriate 2012-07-24 15:56:37 +02:00

http://www.opengroup.org/onlinepubs/9699919799/
Open Group Base Specifications Issue 7


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap01.html
Shell & Utilities

It says that any of the standard utilities may be implemented
as a regular shell built-in. It gives a list of utilities which
are usually implemented that way (and some of them can only
be implemented as built-ins, like "alias"):

alias
bg
cd
command
false
fc
fg
getopts
jobs
kill
newgrp
pwd
read
true
umask
unalias
wait


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html
Shell Command Language

It says that shell must implement special built-ins. Special built-ins
differ from regular ones by the fact that variable assignments
done on special builtin are *PRESERVED*. That is,

VAR=VAL special_builtin; echo $VAR

should print VAL.

(Another distinction is that an error in special built-in should
abort the shell, but this is not such a critical difference,
and moreover, at least bash's "set" does not follow this rule,
which is even codified in autoconf configure logic now...)

List of special builtins:

. file
: [argument...]
break [n]
continue [n]
eval [argument...]
exec [command [argument...]]
exit [n]
export name[=word]...
export -p
readonly name[=word]...
readonly -p
return [n]
set [-abCefhmnuvx] [-o option] [argument...]
set [+abCefhmnuvx] [+o option] [argument...]
set -- [argument...]
set -o
set +o
shift [n]
times
trap n [condition...]
trap [action condition...]
unset [-fv] name...

In practice, no one uses this obscure feature - none of these builtins
gives any special reasons to play such dirty tricks.

However. This section also says that *function invocation* should act
similar to special built-in. That is, variable assignments
done on function invocation should be preserved after function invocation.

This is significant: it is not unthinkable to want to run a function
with some variables set to special values. But because of the above,
it does not work: variable will "leak" out of the function.