WIP: Scope variables to the subshell before running their discipline

The crash in tilde.sh under ASan occurs because .sh.tilde is given its discipline function before it's scoped to the subshell it's inside of. This causes sh_subshell to free it via an nv_delete call, but due to the improper scoping .sh.tilde in the parent function now has an np->nvfun which points to freed memory. To avoid this, create a scope for the target variable when inside of a subshell to ensure the subshell's discipline function doesn't leak out and cause a use after free.
JohnoKing · Dec 27, 2024 · f9b193e · f9b193e
1 parent c692ee1
commit f9b193e
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
@@ -2485,7 +2485,18 @@ int sh_exec(const Shnode_t *t, int flags)
 			if(npv)
 			{
 				if(!sh.mktype)
+				{
+					if(sh.subshell && !sh.subshare)
+					{
+						/*
+						 * When a variable is given a discipline function in
+						 * a subshell, the variable must be scoped to the
+						 * subshell before nvfun is set to the discipline.
+						 */
+						sh_assignok(npv, 1);
+					}
 					cp = nv_setdisc(npv,cp,np,(Namfun_t*)npv);
+				}
 				if(!cp)
 				{
 					errormsg(SH_DICT,ERROR_exit(1),e_baddisc,fname);