[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: [PATCH] ash: another use-after-free in bash pattern substitution
From: Karsten Sperling <ksperling () apple ! com>
Date: 2023-03-15 0:19:14
Message-ID: 74D96B8E-C0A5-41E9-9008-1DF8CA3D0B07 () apple ! com
[Download RAW message or body]
Re-sending this fix for a use-after-free in the bash pattern substitution code in \
ash, I'm not sure the mailing list software liked my original attachment.
Thanks, Karsten
["busybox-ash-another-uaf.patch.txt" (busybox-ash-another-uaf.patch.txt)]
diff --git a/shell/ash.c b/shell/ash.c
index 5f8c8ea19..38368f590 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7374,6 +7374,8 @@ subevalvar(char *start, char *str, int strloc,
char *restart_detect = stackblock();
if (quotes && *loc == '\\') {
STPUTC(CTLESC, expdest);
+ if (stackblock() != restart_detect)
+ goto restart;
len++;
}
STPUTC(*loc, expdest);
> On 8/03/2023, at 4:23 PM, Karsten Sperling <ksperling@apple.com> wrote:
>
> Hi,
>
> This is a fix for a use-after-free issue in the bash pattern substitution code in \
> ash (related to STPUTC potentially causing the buffer to be reallocated). Most of \
> these were fixed in 1.36.0 however one unguarded STPUTC remained which is fixed in \
> the attached patch.
> Thanks, Karsten
>
> <busybox-ash-another-uaf.patch>
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic