From patchwork Fri Mar 29 05:49:59 2019
X-Patchwork-Submitter: Herbert Xu
X-Patchwork-Id: 10876417
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Date: Fri, 29 Mar 2019 13:49:59 +0800
From: Herbert Xu
To: project-repo
Cc: dash@vger.kernel.org
Subject: parser: Fix old-style command substitution here-document crash
Message-ID: <20190329054959.ins4palb4esuyur2@gondor.apana.org.au>
References: <20180725123827.GB2422@feusi.co>
In-Reply-To: <20180725123827.GB2422@feusi.co>
X-Mailing-List: dash@vger.kernel.org

On Wed, Jul 25, 2018 at 12:38:27PM +0000, project-repo wrote:
> Hi,
> I am working on a project in which I use the honggfuzz fuzzer to fuzz open
> source software and I decided to fuzz dash. In doing so I discovered a
> NULL pointer dereference in src/redir.c on line 305. Following is a
> backtrace as supplied by the address sanitizer:
>
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==39623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000005768ed bp 0x7ffc00273df0 sp 0x7ffc00273c60 T0)
> ==39623==The signal is caused by a READ memory access.
> ==39623==Hint: address points to the zero page.
> #0 0x5768ec in openhere /home/jfe/dash/src/redir.c:305:29
> #1 0x574d92 in openredirect /home/jfe/dash/src/redir.c:230:7
> #2 0x5737fe in redirect /home/jfe/dash/src/redir.c:121:11
> #3 0x576017 in redirectsafe /home/jfe/dash/src/redir.c:424:3
> #4 0x522326 in evalcommand /home/jfe/dash/src/eval.c:828:11
> #5 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
> #6 0x5270da in evaltreenr /home/jfe/dash/src/eval.c:332:2
> #7 0x526f04 in evalbackcmd /home/jfe/dash/src/eval.c:640:3
> #8 0x539020 in expbackq /home/jfe/dash/src/expand.c:522:2
> #9 0x5332d7 in argstr /home/jfe/dash/src/expand.c:343:4
> #10 0x5322f7 in expandarg /home/jfe/dash/src/expand.c:196:2
> #11 0x528118 in fill_arglist /home/jfe/dash/src/eval.c:659:3
> #12 0x5213b6 in evalcommand /home/jfe/dash/src/eval.c:769:13
> #13 0x520010 in evaltree /home/jfe/dash/src/eval.c:288:12
> #14 0x554423 in cmdloop /home/jfe/dash/src/main.c:234:8
> #15 0x553bcc in main /home/jfe/dash/src/main.c:176:3
> #16 0x7f201c2b2a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
> #17 0x41dfb9 in _start (/home/jfe/dash/src/dash+0x41dfb9)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/jfe/dash/src/redir.c:305:29 in openhere
> ==39623==ABORTING
>
> This bug can be reproduced by running "dash < min" where min is the file
> attached. I was able to reproduce this bug with the current git version
> and the current Debian version.
>
> cheers
> project-repo
>
> < `<

Fixes: 51e2d88d6e51 ("parser: Save/restore here-documents in...")
Signed-off-by: Herbert Xu

diff --git a/src/parser.c b/src/parser.c index 1f9e8ec..4bda42e 100644 --- a/src/parser.c +++ b/src/parser.c @@ -1451,9 +1451,9 @@ done: if (readtoken() != TRP) synexpect(TRP); setinputstring(nullstr); - parseheredoc(); } + parseheredoc(); heredoclist = saveheredoclist; (*nlpp)->n = n;
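Review bot: the commit message is only the subject line plus the Fixes: tag; it should say why the branch that never reached parseheredoc() leaves the here-document node without a body: heredoclist is overwritten with saveheredoclist on the very next line, so any here-document still pending on the old-style path was dropped unparsed, which is what the reporter's trace shows at execution time (a read from address 0x10 inside openhere(), redir.c:305, reached via expbackq). A one-sentence explanation there, plus the reporter's minimal input added as a regression test next to the fix, would make the change reviewable without re-deriving it from the backtrace.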
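As an added regression harness, not part of Herbert's patch or of the bug report above: a small POSIX shell script that feeds a script to a shell on standard input, the way "dash < min" did, and classifies the result as a normal exit or a death by signal. The two inputs are constructed here to match the shape the subject line describes (a here-document inside old-style backquote command substitution); the reporter's actual "min" attachment is not reproduced on the page. The shell under test defaults to `sh` and is assumed to be on PATH.

```shell
#!/bin/sh
# Added regression harness (constructed example; not from the dash patch
# or the bug report). Runs a script on a shell's stdin and reports whether
# the shell exited normally or was killed by a signal.

# run_script SHELL SCRIPT_TEXT
# Prints "ok:<stdout>" on a normal exit (any status below 128, so a plain
# syntax error still counts as "no crash"), or "signal:<N>" when the shell
# died from signal N (POSIX shells report such deaths as 128+N).
run_script() {
    target=$1
    script=$2
    command -v "$target" >/dev/null 2>&1 || { printf 'missing:%s\n' "$target"; return 1; }
    out=$(printf '%s' "$script" | "$target" 2>/dev/null)
    status=$?
    if [ "$status" -ge 128 ]; then
        printf 'signal:%s\n' "$((status - 128))"
    else
        printf 'ok:%s\n' "$out"
    fi
}

# Constructed input 1: here-document body and delimiter both sit inside
# the backquotes. Any working shell prints "hello".
heredoc_complete='echo `cat <<EOF
hello
EOF
`
'

# Constructed input 2: a here-document is opened inside the backquotes but
# never delimited before the closing backquote. This is the shape the fix
# addresses: a shell that restores its pending here-document list without
# first parsing it leaves the redirection node without a body and crashes
# at execution time (openhere in the report's trace). A shell that drains
# the pending list first treats the body as empty (some shells warn on
# stderr) and prints an empty line.
heredoc_unterminated='echo `cat <<EOF`
'

# check_shell [SHELL]: runs both inputs, prints PASS or FAIL, returns 0 on PASS.
check_shell() {
    shell=${1:-sh}
    r1=$(run_script "$shell" "$heredoc_complete") || return 1
    r2=$(run_script "$shell" "$heredoc_unterminated") || return 1
    [ "$r1" = "ok:hello" ] || { printf 'FAIL %s complete: %s\n' "$shell" "$r1"; return 1; }
    case $r2 in
        ok:*) printf 'PASS %s\n' "$shell" ;;
        *) printf 'FAIL %s unterminated: %s\n' "$shell" "$r2"; return 1 ;;
    esac
}

check_shell "${1:-sh}"
```

Because the classification keys on the exit status rather than on exact output, a shell that rejects the unterminated input with a syntax error still passes; only a death by signal, which is what the reported NULL dereference produced, fails the check.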