From f9b193e9419c1b079d66bf0d60c6c0652ca97e4c Mon Sep 17 00:00:00 2001
From: Johnothan King
Date: Fri, 27 Dec 2024 02:52:32 -0800
Subject: [PATCH] WIP: Scope variables to the subshell before running their discipline

The crash in tilde.sh under ASan occurs because .sh.tilde is given its discipline function before it's scoped to the subshell it's inside of. This causes sh_subshell to free it via an nv_delete call, but due to the improper scoping .sh.tilde in the parent function now has an np->nvfun which points to freed memory. To avoid this, create a scope for the target variable when inside of a subshell to ensure the subshell's discipline function doesn't leak out and cause a use after free.

---
 src/cmd/ksh93/sh/xec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
index e7cb7046eec3..e4467c91bc57 100644
--- a/src/cmd/ksh93/sh/xec.c
+++ b/src/cmd/ksh93/sh/xec.c
@@ -2485,7 +2485,18 @@ int sh_exec(const Shnode_t *t, int flags)
 if(npv)
 {
 if(!sh.mktype)
+ {
+ if(sh.subshell && !sh.subshare)
+ {
+ /*
+ * When a variable is given a discipline function in
+ * a subshell, the variable must be scoped to the
+ * subshell before nvfun is set to the discipline.
+ */
+ sh_assignok(npv, 1);
+ }
 cp = nv_setdisc(npv,cp,np,(Namfun_t*)npv);
+ }
 if(!cp)
 {
 errormsg(SH_DICT,ERROR_exit(1),e_baddisc,fname);
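Review bot: The fix relies on the save entry created by `sh_assignok(npv, 1)` restoring the parent's `nvfun` when the subshell exits, and nothing in the hunk or the commit pins that, so the use-after-free the message describes is only fixed by implication. Since the message traces the ASan crash to tilde.sh, a regression case there that defines a discipline on a variable inside `( ... )` and then checks that the parent neither runs nor lists that discipline afterwards would turn the WIP into a verifiable fix. The outer `sh.subshell && !sh.subshare` test may duplicate a check that sh_assignok performs itself; if it does, either drop the outer test or say so in the new comment so the two conditions do not drift apart — confirm against sh_assignok's definition first. The enclosing sh_exec body starts and ends outside the hunk.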