To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jilles Tjoelker
Subject: git: 6c24c795487d - stable/15 - sh: Fix a double free in a rare scenario with pipes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jilles
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 6c24c795487d29defef87bf586eea748274b7758
Date: Sun, 01 Feb 2026 14:29:23 +0000
Message-Id: <697f6343.36dd0.34d56d3d@gitrepo.freebsd.org>

The branch stable/15 has been updated by jilles:

URL: https://cgit.FreeBSD.org/src/commit/?id=6c24c795487d29defef87bf586eea748274b7758

commit 6c24c795487d29defef87bf586eea748274b7758
Author:     Jilles Tjoelker
AuthorDate: 2025-11-15 16:43:03 +0000
Commit:     Jilles Tjoelker
CommitDate: 2026-02-01 14:26:41 +0000

sh: Fix a double free in a rare scenario with pipes

The command
sh -c 'sleep 3 | sleep 2 & sleep 3 & kill %1; wait %1'
crashes (with appropriate sanitization such as putting MALLOC_CONF=abort:true,junk:true in the environment or compiling with -fsanitize=address).

What happens here is that waitcmdloop() calls dowait() with a NULL job pointer, instructing dowait() to freejob() if it's a non-interactive shell and $! was not and cannot be referenced for it. However, waitcmdloop() then uses fields possibly freed by freejob() and calls freejob() again.

This only occurs if the job being waited for is identified via % syntax ($! has never been referenced for it), it is a pipeline with two or more elements and another background job has been started before the wait command. That seems special enough for a bug to remain. Test scripts written by Jilles would almost always use $! and not % syntax.
We can instead make waitcmdloop() pass its job pointer to dowait(), fixing up things for that (waitcmdloop() will have to call deljob() if it does not call freejob()). The crash from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290330#c2 appears to be the same bug. PR: 290330 Reported by: bdrewery Reviewed by: bdrewery Differential Revision: https://reviews.freebsd.org/D53773 (cherry picked from commit 75a6c38e4d5c651b7398bf2bea5baa41a0939e92) --- bin/sh/jobs.c | 3 ++- bin/sh/tests/builtins/Makefile | 1 + bin/sh/tests/builtins/wait11.0 | 6 ++++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bin/sh/jobs.c b/bin/sh/jobs.c index 1328ae50edef..0aaff5e1e140 100644 --- a/bin/sh/jobs.c +++ b/bin/sh/jobs.c @@ -573,6 +573,7 @@ waitcmdloop(struct job *job) freejob(job); else { job->remembered = 0; + deljob(job); if (job == bgjob) bgjob = NULL; } @@ -599,7 +600,7 @@ waitcmdloop(struct job *job) break; } } - } while (dowait(DOWAIT_BLOCK | DOWAIT_SIG, (struct job *)NULL) != -1); + } while (dowait(DOWAIT_BLOCK | DOWAIT_SIG, job) != -1); sig = pendingsig_waitcmd; pendingsig_waitcmd = 0; diff --git a/bin/sh/tests/builtins/Makefile b/bin/sh/tests/builtins/Makefile index b3e353024969..0246009cce81 100644 --- a/bin/sh/tests/builtins/Makefile +++ b/bin/sh/tests/builtins/Makefile @@ -189,5 +189,6 @@ ${PACKAGE}FILES+= wait7.0 ${PACKAGE}FILES+= wait8.0 ${PACKAGE}FILES+= wait9.127 ${PACKAGE}FILES+= wait10.0 +${PACKAGE}FILES+= wait11.0 .include diff --git a/bin/sh/tests/builtins/wait11.0 b/bin/sh/tests/builtins/wait11.0 new file mode 100644 index 000000000000..d5fab26fb677 --- /dev/null +++ b/bin/sh/tests/builtins/wait11.0 @@ -0,0 +1,6 @@ +sleep 3 | sleep 2 & +sleep 3 & +kill %1 +wait %1 +r=$? +[ "$r" -gt 128 ] && [ "$(kill -l "$r")" = TERM ]
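Review bot: in the first bin/sh/jobs.c hunk (@@ -573,6 +573,7 @@), the new `deljob(job);` is placed between `job->remembered = 0;` and `if (job == bgjob) bgjob = NULL;`, so the bgjob comparison runs on a slot that has just been returned to the job table. It is only a pointer compare, so nothing is dereferenced, but moving the bgjob check ahead of deljob(job) would keep the order of operations parallel to the freejob() branch above it and read more clearly. A one-line comment saying that this branch must now release the table slot itself, because dowait() is no longer asked to free the job (see the commit message), would also help the next reader, since without it the added deljob() looks unrelated to the change in the loop condition.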
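Review bot: in the second bin/sh/jobs.c hunk (@@ -599,7 +600,7 @@), passing `job` instead of `(struct job *)NULL` to dowait() means, per the commit message, that dowait() will no longer freejob() on waitcmdloop()'s behalf, which makes waitcmdloop() the only owner of that job. Every exit from the loop body therefore has to end in freejob() or deljob(); the context shows a bare `break;` two braces above the changed condition, so it is worth confirming that a job leaving the loop through that path is either released or deliberately kept for a later `wait`, since a missed path now becomes a leaked job slot rather than the double free being fixed.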
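Review bot: bin/sh/tests/builtins/wait11.0 only detects the regression when the allocator aborts on the double free; the commit message itself says the crash needs MALLOC_CONF=abort:true,junk:true in the environment or an -fsanitize=address build. With default malloc settings a shell that still has the bug may well return 143 from `wait %1` and pass, so a comment at the top of the script stating that the test is meaningful only under those settings would save someone from concluding it guards against the crash (setting MALLOC_CONF inside the script would not help, as the shell under test is already running). Minor: the script exits while `sleep 3 &` (%2) is still running; harmless, but a trailing `kill %2` would stop the orphan from holding the test's stdout open for the remaining seconds under a harness that captures output through a pipe.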
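An added regression check (example code, not part of the FreeBSD commit or the bin/sh test suite): it runs the trigger command from the commit message against a chosen shell with the MALLOC_CONF setting the message names and reports whether the shell itself died, whether `wait %1` returned the TERM status that wait11.0 checks for, or something else. It goes a step beyond wait11.0 by recognising a crashed shell (ABRT or SEGV) and a shell whose `kill %job` does not work in a non-interactive script. Assumptions: `sleep` and a POSIX `kill -l` that prints signal names are available; MALLOC_CONF is honoured only by jemalloc (FreeBSD's libc), so on other systems only an ASan-built shell would actually crash; the shell under test accepts %job operands in kill and wait, as FreeBSD sh does; the script name check_wait_double_free.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD commit or its test suite: a stand-alone
# regression check for the "wait %job" double free described in the commit
# message. It runs the trigger command from that message under the sanitizing
# malloc settings the message names (MALLOC_CONF=abort:true,junk:true, honoured
# by FreeBSD's jemalloc; other allocators ignore the variable, so there only an
# ASan-built shell would crash) and classifies how the shell under test exited.

# Map a wait status above 128 to the signal name the shell reports for it,
# e.g. 143 -> TERM, 134 -> ABRT. Fails (prints nothing) for statuses <= 128.
signal_of_status() {
    st=$1
    [ "$st" -gt 128 ] 2>/dev/null || return 1
    kill -l "$((st - 128))"
}

# Run the trigger in the shell named by $1 (default: sh) and print one line:
#   fixed: ...       wait %1 returned the SIGTERM status sent to the pipeline
#   CRASH: ...       the shell itself died (ABRT under MALLOC_CONF/ASan, or SEGV)
#   unexpected: ...  anything else (e.g. a shell whose kill %1 failed)
# Returns 0 for fixed, 1 for a crash, 2 otherwise.
run_repro() {
    shell=${1:-sh}
    status=0
    # The inner script reports the wait status on stdout and then exits 0, so
    # a non-zero outer status can only mean the shell under test was killed.
    # A failing kill is echoed to stdout so the report shows why wait could
    # not have returned TERM. The trailing kill/wait on %2 reaps the second
    # background job so the capture does not wait for an orphaned "sleep 3".
    out=$(MALLOC_CONF=abort:true,junk:true "$shell" -c '
        sleep 3 | sleep 2 &
        sleep 3 &
        kill %1 || echo "kill %1 failed with status $?"
        wait %1
        echo "wait=$?"
        kill %2
        wait %2
        exit 0
    ' 2>/dev/null) || status=$?

    if [ "$status" -gt 128 ]; then
        echo "CRASH: $shell died with SIG$(signal_of_status "$status") while waiting on the pipeline"
        return 1
    fi
    case $out in
        wait=*)
            ws=${out#wait=}
            if [ "$(signal_of_status "$ws")" = TERM ]; then
                echo "fixed: wait %1 returned $ws (TERM)"
                return 0
            fi
            echo "unexpected: wait %1 returned $ws"
            return 2 ;;
        *)
            echo "unexpected: exit status $status, output '$out'"
            return 2 ;;
    esac
}

# Usage: sh check_wait_double_free.sh [/path/to/sh]
if [ $# -gt 0 ]; then
    run_repro "$@"
fi
```

Run it as `sh check_wait_double_free.sh /bin/sh` on a system where /bin/sh is the shell being checked; under FreeBSD's jemalloc the abort:true setting turns the double free into SIGABRT, which the CRASH branch reports, while a fixed shell prints the same 143/TERM outcome that wait11.0 asserts.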