Bug 1464409 - shp.fdstatus may be accessed with -1 offset, corrupting last element of shp.fdptrs
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ksh
Version: 27
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Siteshwar Vashisht
QA Contact: Fedora Extras Quality Assurance
Depends On: 1463312
Reported: 2017-06-23 07:27 EDT by Siteshwar Vashisht
Modified: 2017-08-29 12:43 EDT (History)
CC List: 5 users
Fixed In Version: ksh-20120801-42.fc28
Clone Of: 1463312
Last Closed: 2017-08-29 12:43:12 EDT
Type: Bug

Attachments
Attachment 1319079: Fix memory corruption caused by accessing array with negative index (2.21 KB, patch), 2017-08-28 09:18 EDT, Siteshwar Vashisht; flags: kdudka: review-
Attachment 1319143: Fix memory corruption caused by accessing array with negative index (2.12 KB, patch), 2017-08-28 12:09 EDT, Siteshwar Vashisht; flags: kdudka: review+

Comment 1 Jan Kurik 2017-08-15 04:57:49 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 2 Siteshwar Vashisht 2017-08-28 09:18 EDT
Created attachment 1319079
Fix memory corruption caused by accessing array with negative index
Comment 3 Kamil Dudka 2017-08-28 11:48:24 EDT
Comment on attachment 1319079
Fix memory corruption caused by accessing array with negative index

> diff --git a/src/cmd/ksh93/sh/io.c b/src/cmd/ksh93/sh/io.c
> --- a/src/cmd/ksh93/sh/io.c
> +++ b/src/cmd/ksh93/sh/io.c
> @@ -403,38 +403,50 @@ static short		filemapsize;
>  
>  /* ======== input output and file copying ======== */
>  
> -int  sh_iovalidfd(Shell_t *shp, int fd)
> +bool  sh_iovalidfd(Shell_t *shp, int fd)
>  {
>  	Sfio_t		**sftable = shp->sftable;
>  	int		max,n, **fdptrs = shp->fdptrs;
> -	unsigned char	*fdstatus = shp->fdstatus;
> +	unsigned int	*fdstatus = shp->fdstatus;
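Review bot: the pointer-type change on the last line of this hunk (`unsigned char *fdstatus` becoming `unsigned int *fdstatus`) is a logic problem, not just a style one: it changes the element stride of the local from 1 byte to sizeof(unsigned int), so any `fdstatus[fd]` through this local addresses byte offset fd*sizeof(unsigned int) into a table that, per the `shp->fdstatus` definition as `unsigned char *` in defs.h, holds one byte per fd, and the copy of the old table into a reallocated one would then be sized wrong as well. Keep the local declared as `unsigned char *fdstatus = shp->fdstatus;` and address the negative offset named in the bug title with an explicit `if(fd<0)` check before any of the three tables is indexed. Separately, the return type switch from `int sh_iovalidfd(...)` to `bool sh_iovalidfd(...)` needs a matching prototype change in the header and a `bool` definition in scope for io.c; neither is visible in the hunk as quoted, so confirm they are part of the patch or the build will fail on the mismatched declaration.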

This looks incorrect to me.  shp->fdstatus is defined as (unsigned char *)
in <ksh93/include/defs.h>.  We should not cast it to an incompatible pointer
type just in this function because it would result in undefined behavior.
Comment 4 Siteshwar Vashisht 2017-08-28 12:09 EDT
Created attachment 1319143
Fix memory corruption caused by accessing array with negative index
Comment 5 Kamil Dudka 2017-08-28 12:17:10 EDT
Comment on attachment 1319143
Fix memory corruption caused by accessing array with negative index

Looks good.
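
The bug title says that indexing shp->fdstatus with -1 corrupts the last element of shp->fdptrs, which only happens when the two tables sit back to back in memory. The following C program is an added example, not code from the ksh project or from either attachment on this bug: it models that layout (one allocation holding sftable[n], fdptrs[n] and fdstatus[n] in that order, an assumption made here for illustration, as are the table size NFD and all helper names), reproduces the corruption with an unchecked writer, and shows the hardened writer that rejects a negative or out-of-range fd before touching any of the parallel tables. It also documents, in comments, why the `unsigned int *` cast discussed in Comment 3 would make matters worse.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFD 16   /* assumed table size for the example */

/* Model of three parallel per-fd tables carved out of ONE calloc block:
 *   sftable[n] | fdptrs[n] | fdstatus[n]
 * (assumed layout, chosen so that fdstatus[-1] is the last byte of fdptrs[n-1],
 * which is exactly the corruption the bug title describes). */
typedef struct {
    int            n;
    void         **sftable;
    int          **fdptrs;
    unsigned char *fdstatus;   /* one status byte per fd, as in defs.h */
} fdtables_t;

static int tables_init(fdtables_t *t, int n)
{
    t->n = n;
    t->sftable = calloc((size_t)(n + 1), sizeof(void *) + sizeof(int *) + 1);
    if (!t->sftable)
        return -1;
    t->fdptrs   = (int **)&t->sftable[n];           /* directly after sftable */
    t->fdstatus = (unsigned char *)&t->fdptrs[n];   /* directly after fdptrs  */
    return 0;
}

static void tables_free(fdtables_t *t)
{
    free(t->sftable);
    memset(t, 0, sizeof *t);
}

/* Vulnerable writer: trusts fd. With fd == -1 the store lands one byte before
 * fdstatus, i.e. inside fdptrs[n-1]. Note that casting fdstatus to
 * (unsigned int *) here would not help: it would turn fdstatus[fd] into a
 * 4-byte access at byte offset 4*fd and make every in-range fd out of range. */
static void set_status_unchecked(fdtables_t *t, int fd, unsigned char st)
{
    t->fdstatus[fd] = st;
}

/* Hardened writer: range-check before indexing any of the parallel tables. */
static int set_status_checked(fdtables_t *t, int fd, unsigned char st)
{
    if (fd < 0 || fd >= t->n)
        return -1;   /* caller would report EBADF */
    t->fdstatus[fd] = st;
    return 0;
}

/* Returns 1 if an unchecked write at fd = -1 altered fdptrs[n-1]. */
int demo_unchecked_corrupts_fdptrs(void)
{
    static int sentinel;
    fdtables_t t;
    int *before;
    if (tables_init(&t, NFD) < 0)
        return -1;
    t.fdptrs[NFD - 1] = &sentinel;
    memcpy(&before, &t.fdptrs[NFD - 1], sizeof before);
    /* write the complement of the byte that fdstatus[-1] aliases, so the
     * pointer representation is guaranteed to change on any endianness */
    unsigned char last = ((unsigned char *)&before)[sizeof before - 1];
    set_status_unchecked(&t, -1, (unsigned char)~last);
    /* compare byte representations: the corrupted value may not be a valid pointer */
    int changed = memcmp(&before, &t.fdptrs[NFD - 1], sizeof before) != 0;
    tables_free(&t);
    return changed;
}

/* Returns 1 if the checked writer rejects -1 and n, accepts an in-range fd,
 * and leaves fdptrs[n-1] intact. */
int demo_checked_rejects_bad_fd(void)
{
    static int sentinel;
    fdtables_t t;
    if (tables_init(&t, NFD) < 0)
        return -1;
    t.fdptrs[NFD - 1] = &sentinel;
    int ok = set_status_checked(&t, -1, 0xff) == -1
          && set_status_checked(&t, NFD, 0xff) == -1
          && set_status_checked(&t, 3, 0x01) == 0
          && t.fdstatus[3] == 0x01
          && t.fdptrs[NFD - 1] == &sentinel;
    tables_free(&t);
    return ok;
}

int main(void)
{
    printf("unchecked write at fd=-1 corrupts fdptrs[n-1]: %d\n",
           demo_unchecked_corrupts_fdptrs());
    printf("checked write rejects bad fds and keeps fdptrs intact: %d\n",
           demo_checked_rejects_bad_fd());
    return 0;
}
```

The byte store through `unsigned char` is well defined even though it lands inside an `int *` slot (character types may alias any object), so the corruption is deterministic rather than a compiler accident; that is also why the only reliable fix is the bounds check on fd, applied before the index is used anywhere, not a change of pointer type at the use site.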
