svn commit: r297360 - in head/bin/sh: . tests/builtins

[Jilles Tjoelker]

Author: jilles
Date: Mon Mar 28 18:58:40 2016
New Revision: 297360
URL: https://svnweb.freebsd.org/changeset/base/297360

Log:
  sh: Fix use-after-free if a trap replaces itself.
  
  MFC after:	1 week

Added:
  head/bin/sh/tests/builtins/trap17.0   (contents, props changed)
Modified:
  head/bin/sh/tests/builtins/Makefile
  head/bin/sh/trap.c

Modified: head/bin/sh/tests/builtins/Makefile
==============================================================================
--- head/bin/sh/tests/builtins/Makefile	Mon Mar 28 18:41:48 2016	(r297359)
+++ head/bin/sh/tests/builtins/Makefile	Mon Mar 28 18:58:40 2016	(r297360)
@@ -149,6 +149,7 @@ FILES+=		trap13.0
 FILES+=		trap14.0
 FILES+=		trap15.0
 FILES+=		trap16.0
+FILES+=		trap17.0
 FILES+=		trap2.0
 FILES+=		trap3.0
 FILES+=		trap4.0

Added: head/bin/sh/tests/builtins/trap17.0
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/bin/sh/tests/builtins/trap17.0	Mon Mar 28 18:58:40 2016	(r297360)
@@ -0,0 +1,10 @@
+# $FreeBSD$
+# This use-after-free bug probably needs non-default settings to show up.
+
+v1=nothing v2=nothing
+trap 'trap "echo bad" USR1
+v1=trap_received
+v2=trap_invoked
+:' USR1
+kill -USR1 "$$"
+[ "$v1.$v2" = trap_received.trap_invoked ]

Modified: head/bin/sh/trap.c
==============================================================================
--- head/bin/sh/trap.c	Mon Mar 28 18:41:48 2016	(r297359)
+++ head/bin/sh/trap.c	Mon Mar 28 18:58:40 2016	(r297360)
@@ -412,6 +412,7 @@ onsig(int signo)
 void
 dotrap(void)
 {
+	struct stackmark smark;
 	int i;
 	int savestatus, prev_evalskip, prev_skipcount;
 
@@ -445,7 +446,9 @@ dotrap(void)
 
 					last_trapsig = i;
 					savestatus = exitstatus;
-					evalstring(trap[i], 0);
+					setstackmark(&smark);
+					evalstring(stsavestr(trap[i]), 0);
+					popstackmark(&smark);
 
 					/*
 					 * If such a command was not