From: Chet Ramey Date: Tue, 23 Jan 2024 21:38:15 +0000 (-0500) Subject: fix two bugs with shells started to run executable scripts inheriting shell state... X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10702735a0eaeb930e79717d370549b73e3df7af;p=thirdparty%2Fbash.git fix two bugs with shells started to run executable scripts inheriting shell state; fix potential buffer overflow in brace expansion; fix crash caused by nofork command substitution not saving enough state --- diff --git a/CWRU/CWRU.chlog b/CWRU/CWRU.chlog index 679abf5eb..9912f7273 100644 --- a/CWRU/CWRU.chlog +++ b/CWRU/CWRU.chlog @@ -8334,3 +8334,40 @@ doc/bash.1 test.c - binary_test: make sure all calls in posix mode use TEST_LOCALE for locale-specific string comparisons + +shell.c + - find_bashrc_file: remove + + 1/20 + ---- +shell.c + - exit_shell: don't try to call rl_deprep_terminal, regardless of the + readline state we inherited, if bash_readline_initialized is 0 + Fixes bug reported by Oguz + - shell_reinitialize: reset startup_state and reading_shell_script to 0; + reset debugging_mode to 0 + + 1/22 + ---- +builtins/shopt.def + - reset_shopt_options: reset debugging_mode to 0 + +builtins/set.def + - reset_shell_options: reset interactive_comments to 1 + +braces.c + - brace_expand: if the first call to brace_gobbler consumes the entire + string, don't try to call it again + - brace_expand: check that i < tlen before checking to see if + expand_seqterm left more of the string unconsumed + - brace_gobbler: if extract_command_subst hits the end of the string + without closing the command substitution, make sure we return 0 as + well as set *i = tlen + From a fuzzing report by Nathan Mills + + 1/23 + ---- +subst.c + - function_substitute: unwind-protect current_builtin and this_shell_builtin + like we do this_shell_function + From a fuzzing report by Nathan Mills diff --git a/braces.c b/braces.c index 467f6a057..bef62ea38 100644 --- a/braces.c +++ b/braces.c 
@@ -115,6 +115,8 @@ brace_expand (char *text) do { c = brace_gobbler (text, tlen, &i, '{'); /* } */ + if (i >= tlen) + break; c1 = c; /* Verify that c begins a valid brace expansion word. If it doesn't, we go on. Loop stops when there are no more open braces in the word. */ @@ -225,7 +227,7 @@ brace_expand (char *text) tack = expand_seqterm (amble, alen); if (tack) goto add_tack; - else if (text[i + 1]) + else if (i < tlen && text[i + 1]) { /* If the sequence expansion fails (e.g., because the integers overflow), but there is more in the string, try and process @@ -635,6 +637,7 @@ brace_gobbler (char *text, size_t tlen, int *indx, int satisfy) if (i > tlen) { i = tlen; + c = 0; break; } #else @@ -691,6 +694,7 @@ comsub: if (i > tlen) { i = tlen; + c = 0; break; } continue; diff --git a/builtins/set.def b/builtins/set.def index 6e70d4e0e..91cad44f2 100644 --- a/builtins/set.def +++ b/builtins/set.def @@ -643,6 +643,8 @@ reset_shell_options (void) pipefail_opt = 0; ignoreeof = 0; + interactive_comments = 1; + #if defined (STRICT_POSIX) posixly_correct = 1; #else diff --git a/builtins/shopt.def b/builtins/shopt.def index f621ec6bf..e36743c03 100644 --- a/builtins/shopt.def +++ b/builtins/shopt.def @@ -430,6 +430,10 @@ reset_shopt_options (void) xpg_echo = 0; #endif /* DEFAULT_ECHO_TO_XPG */ +#if defined (DEBUGGER) + debugging_mode = 0; +#endif + shopt_login_shell = login_shell; } diff --git a/configure.ac b/configure.ac index e616e2fff..c25a8088e 100644 --- a/configure.ac +++ b/configure.ac @@ -5,7 +5,7 @@ dnl report bugs to chet@po.cwru.edu dnl dnl Process this file with autoconf to produce a configure script. -# Copyright (C) 1987-2024 Free Software Foundation, Inc. +# Copyright (C) 1987-2023 Free Software Foundation, Inc. # # This program is free software: you can redistribute it and/or modify 
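Review bot: The new `if (i >= tlen) break;` after the brace_gobbler call has no comment, and it is only reachable with a sensible `c` because of the `c = 0` additions in the brace_gobbler hunks further down; a reader of brace_expand alone cannot tell why the early exit is needed. Suggest `/* brace_gobbler consumed the whole string without finding an open brace (or hit an unterminated command substitution); nothing left to scan, and c is 0 here */` above the check. The brace_expand body starts and ends outside this hunk.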
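Review bot: The guard added to the `else if` still reads `text[i + 1]` when `i == tlen - 1`, which is in bounds only because `text[tlen]` is presumably the NUL terminator (brace_expand appears to derive tlen from the string length, but the hunk does not show that). `else if (i + 1 < tlen && text[i + 1])` states the bound directly and is equivalent whenever the terminator is present, so it costs nothing and does not depend on how tlen was computed. The enclosing brace_expand body continues outside the hunk.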
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script. # You should have received a copy of the GNU General Public License # along with this program. If not, see . -AC_REVISION([for Bash 5.3, version 5.060])dnl +AC_REVISION([for Bash 5.3, version 5.059])dnl define(bashvers, 5.3) define(relstatus, devel) @@ -1030,12 +1030,9 @@ fi dnl behavior of system calls and library functions BASH_FUNC_DUP2_CLOEXEC_CHECK +BASH_SYS_PGRP_SYNC BASH_SYS_SIGNAL_VINTAGE -dnl https://lists.gnu.org/archive/html/bug-bash/2024-01/msg00047.html -dnl BASH_SYS_PGRP_SYNC -AC_DEFINE(PGRP_PIPE) - dnl checking for the presence of certain library symbols BASH_SYS_ERRLIST BASH_SYS_SIGLIST diff --git a/lib/readline/doc/history.3 b/lib/readline/doc/history.3 index b0e159770..0ecbe1b46 100644 --- a/lib/readline/doc/history.3 +++ b/lib/readline/doc/history.3 @@ -6,9 +6,9 @@ .\" Case Western Reserve University .\" chet.ramey@case.edu .\" -.\" Last Change: Thu Jan 18 11:05:09 EST 2024 +.\" Last Change: Fri Jan 19 11:53:57 EST 2024 .\" -.TH HISTORY 3 "2023 January 18" "GNU History 8.3" +.TH HISTORY 3 "2024 January 19" "GNU History 8.3" .\" .\" File Name macro. This used to be `.PN', for Path Name, .\" but Sun doesn't seem to like that very much. 
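Review bot: The `@@ -1030` hunk replaces the unconditional `AC_DEFINE(PGRP_PIPE)` (and the comment citing the bug-bash thread that motivated it) with the `BASH_SYS_PGRP_SYNC` probe, so on any platform where that probe does not define PGRP_PIPE the process-group synchronization pipe is compiled out again; neither this nor the configure.ac changes appear in the CWRU.chlog entry. Taken together with the revision going from 5.060 back to 5.059 and the copyright year from 2024 back to 2023 in the neighbouring hunks, this reads like an accidental revert of an intervening change rather than part of the fixes the commit describes, so please confirm the direction is intended. If it is intended, the removed `dnl` comment pointing at the mailing-list discussion should be kept next to `BASH_SYS_PGRP_SYNC` so the history of forcing PGRP_PIPE on is not lost.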
@@ -645,8 +645,23 @@ string, in addition to space, tab, \fI:\fP and \fI?\fP in the case of a substring search. The default is empty. .Vb int history_quotes_inhibit_expansion -If non-zero, double-quoted words are not scanned for the history expansion -character or the history comment character. The default value is 0. +If non-zero, the history expansion code implements shell-like quoting: +single-quoted words are not scanned for the history expansion +character or the history comment character, and double-quoted words may +have history expansion performed, since single quotes are not special +within double quotes. +The default value is 0. + +.Vb int history_quoting_state +An application may set this variable to indicate that the current line +being expanded is subject to existing quoting. If set to \fI\(aq\fP, the +history expansion function will assume that the line is single-quoted and +inhibit expansion until it reads an unquoted closing single quote; if set +to \fI\(dq\fP, history expansion will assume the line is double quoted until +it reads an unquoted closing double quote. If set to zero, the default, +the history expansion function will assume the line is not quoted and +treat quote characters within the line as described above. +This is only effective if \fBhistory_quotes_inhibit_expansion\fP is set. .Vb "rl_linebuf_func_t *" history_inhibit_expansion_function This should be set to the address of a function that takes two arguments: diff --git a/shell.c b/shell.c index 82c450fea..7fb300ac0 100644 --- a/shell.c +++ b/shell.c 
@@ -984,8 +984,11 @@ exit_shell (int s) /* Clean up the terminal if we are in a state where it's been modified. */ #if defined (READLINE) - if (RL_ISSTATE (RL_STATE_TERMPREPPED) && rl_deprep_term_function) + if (bash_readline_initialized && RL_ISSTATE (RL_STATE_TERMPREPPED) && rl_deprep_term_function) +{ +itrace("exit_shell: calling rl_deprep_term_function"); (*rl_deprep_term_function) (); +} #endif if (read_tty_modified ()) read_tty_cleanup (); @@ -1121,15 +1124,6 @@ execute_profile_file (void) maybe_execute_file ("~/.profile", 1); } -/* Return the name of the default interactive shell startup file. We just - return the name of the historical bash startup file, but we could look - at a BASHRC variable or some more elaborate scheme. */ -static inline char * -find_bashrc_file (void) -{ - return DEFAULT_BASHRC; -} - static void execute_bashrc_file (void) { @@ -1144,12 +1138,7 @@ execute_bashrc_file (void) if (bashrc_file) maybe_execute_file (bashrc_file, 1); else - { - char *fn; - - if (fn = find_bashrc_file ()) - maybe_execute_file (fn, 1); /* don't have to free this yet */ - } + maybe_execute_file (DEFAULT_BASHRC, 1); } static void 
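Review bot: The `itrace("exit_shell: calling rl_deprep_term_function");` added inside the new `bash_readline_initialized` guard looks like leftover debug instrumentation: if itrace is bash's stderr tracing helper, every exit of an interactive shell with a prepped terminal will now print a trace line, and the braces around the block sit at column 0 rather than at the surrounding two-space indent. Suggest dropping the trace and the braces so the hunk is only `if (bash_readline_initialized && RL_ISSTATE (RL_STATE_TERMPREPPED) && rl_deprep_term_function) (*rl_deprep_term_function) ();`, with a comment on why the extra flag matters, e.g. `/* Readline state can be inherited from the parent shell; only deprep the terminal if this process initialized readline itself. */` (the inheritance is taken from the changelog entry, not visible here). exit_shell begins and ends outside the hunk.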
@@ -2004,13 +1993,25 @@ shell_reinitialize (void) no_rc = no_profile = 1; /* Things that get 0. */ - login_shell = make_login_shell = interactive = executing = 0; - debugging = do_version = line_number = last_command_exit_value = 0; - forced_interactive = interactive_shell = 0; + login_shell = make_login_shell = executing = 0; + debugging = debugging_mode = 0; + do_version = line_number = last_command_exit_value = 0; + forced_interactive = interactive_shell = interactive = 0; subshell_environment = running_in_background = 0; expand_aliases = expaliases_flag = 0; bash_argv_initialized = 0; + /* 20240120 */ + startup_state = reading_shell_script = 0; + /* XXX - inherit posixly_correct? */ + + /* The shell has never done this. Should it? */ +#if 0 + reset_shell_flags (); + reset_shell_options (); + reset_shopt_options (); +#endif + /* XXX - should we set jobs_m_flag to 0 here? */ #if defined (HISTORY) diff --git a/subst.c b/subst.c index 87b196233..331e2995d 100644 --- a/subst.c +++ b/subst.c @@ -49,6 +49,7 @@ #include "flags.h" #include "jobs.h" #include "execute_cmd.h" +#include "builtins.h" #include "filecntl.h" #include "trap.h" #include "pathexp.h" @@ -6914,6 +6915,8 @@ function_substitute (char *string, int quoted, int flags) unwind_protect_pointer (subst_assign_varlist); unwind_protect_pointer (temporary_env); unwind_protect_pointer (this_shell_function); + unwind_protect_pointer (this_shell_builtin); + unwind_protect_pointer (current_builtin); unwind_protect_int (eof_encountered); add_unwind_protect (uw_pop_var_context, 0); add_unwind_protect (uw_maybe_restore_getopt_state, gs);
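Review bot: The `#if 0` block around `reset_shell_flags ()`/`reset_shell_options ()`/`reset_shopt_options ()` leaves dead code and an open question in the function body, and the `/* XXX - inherit posixly_correct? */` line records another; with those resets disabled, only the fields listed here are cleared before the script shell starts, so any other set/shopt option the parent enabled presumably carries over and the "inheriting shell state" problem from the commit message is closed only for the listed variables. Either drop the `#if 0` block and track the question in the changelog, or make it a `TODO` that names the options known to leak. The new `startup_state = reading_shell_script = 0;` also deserves a comment tying it to the bug, e.g. `/* Clear script-reading state so a shell exec'd to run a script does not inherit its parent's notion of being mid-script. */`. Note that `debugging_mode = 0` is unguarded here while the shopt.def hunk wraps the same reset in `#if defined (DEBUGGER)`; fine if the variable is always defined, but the two sites should agree. shell_reinitialize starts before the hunk and continues past it.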