klibc - Jan 2019 - [klibc:update-dash] [EVAL] Fix use-after-free in dotrap/evalstring

Commit-ID:  91912a4156a5e5e51cc54a3c69ce0b3b87df7720
Gitweb:    
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=91912a4156a5e5e51cc54a3c69ce0b3b87df7720
Author:     Herbert Xu <herbert at gondor.apana.org.au>
AuthorDate: Thu, 2 Oct 2014 08:26:06 +0800
Committer:  Ben Hutchings <ben at decadent.org.uk>
CommitDate: Fri, 25 Jan 2019 02:57:21 +0000

[klibc] [EVAL] Fix use-after-free in dotrap/evalstring

The function dotrap calls evalstring using the stored trap string.
If evalstring then unsets that exact trap string then we will end
up using freed memory.

This patch fixes it by making evalstring always duplicate the string
before using it.

Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>

---
 usr/dash/eval.c     | 3 +++
 usr/dash/histedit.c | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr/dash/eval.c b/usr/dash/eval.c
index da39136d..755136e2 100644
--- a/usr/dash/eval.c
+++ b/usr/dash/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
 	struct stackmark smark;
 	int status;
 
+	s = sstrdup(s);
 	setinputstring(s);
 	setstackmark(&smark);
 
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
 		if (evalskip)
 			break;
 	}
+	popstackmark(&smark);
 	popfile();
+	stunalloc(s);
 
 	return status;
 }
diff --git a/usr/dash/histedit.c b/usr/dash/histedit.c
index b27d6294..94465d78 100644
--- a/usr/dash/histedit.c
+++ b/usr/dash/histedit.c
@@ -372,8 +372,7 @@ histcmd(int argc, char **argv)
 					out2str(s);
 				}
 
-				evalstring(strcpy(stalloc(strlen(s) + 1), s),
-					   0);
+				evalstring(s, 0);
 				if (displayhist && hist) {
 					/*
 					 *  XXX what about recursive and