Date:      Mon, 26 Mar 2018 13:30:12 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 226948] [PATCH] usr.bin/apply: segmentation fault with blank magic character
Message-ID:  <bug-226948-8@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226948

            Bug ID: 226948
           Summary: [PATCH] usr.bin/apply: segmentation fault with blank
                    magic character
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tobias@stoeckmann.org

Created attachment 191838
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191838&action=edit
Patch to fix the issue

I have encountered and fixed an issue when the magic character ' ' is used.

apply(1) checks for magic numbers to substitute. These magic numbers are used
for argument substitution. You could write a command like

$ apply '2to3 %1 %2' test1.py test2.py

This would run "2to3 test1.py test2.py". The magic character '%' can be
replaced with the option -a. In my case, I replace it with ' '.

The issue is that the check for magic numbers and the actual replacement happen
in two different parts of the code. Between them, the command is prepended with
"exec ", which is used for the shell invocation later on.

The bug is triggered with an invocation like this:

$ apply -a ' ' 2to3 test.py
Segmentation fault (core dumped)
$ _

The check for magic numbers is negative, because "2to3" has no magic number.
But right after the check, it's extended to "exec 2to3". As I changed the magic
character from '%' to ' ', suddenly it DOES contain a magic number.

The code does not properly verify afterwards if enough arguments have been
supplied and tries to access argv[2], which is NULL. The command crashes.

This patch is based on my merge attempt of a previous FreeBSD bug into OpenBSD.
You can see the discussion and OpenBSD's version of the patch here:

https://marc.info/?l=openbsd-tech&m=152180028615405&w=2

-- 
You are receiving this mail because:
You are the assignee for the bug.
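To illustrate the ordering problem the report describes, here is a small constructed model in C (added here, not apply(1)'s source and not the attached patch): the magic check is run on the user's command before "exec " is prepended, so with a blank magic character the final command gains a " 2" reference the check never saw. The `fixed_order` variant, which checks the final command instead, is an assumed remedy for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Highest N referenced as "<magic>N" in cmd, or 0 if there is none.
 * Constructed model of the magic-number scan, not apply(1)'s real code. */
static int max_magic(const char *cmd, char magic)
{
    int max = 0;
    for (const char *p = cmd; p[0] != '\0' && p[1] != '\0'; p++) {
        if (p[0] == magic && p[1] >= '1' && p[1] <= '9' && p[1] - '0' > max)
            max = p[1] - '0';
    }
    return max;
}

/* Buggy order: validate the user's command, then prepend "exec ".
 * With magic == ' ' the inserted space turns "exec 2to3" into a
 * reference to argument 2 that the check never examined. Returns the
 * highest argument the *final* command references, or -1 if rejected. */
static int buggy_order(const char *user_cmd, char magic, int nargs,
                       char *cmd, size_t sz)
{
    if (max_magic(user_cmd, magic) > nargs)
        return -1;                        /* "2to3" has no magic: passes */
    snprintf(cmd, sz, "exec %s", user_cmd);
    return max_magic(cmd, magic);         /* 2 with one argument: NULL ahead */
}

/* Assumed safer order (illustration, not the attached patch): build the
 * final command first, then check it against the argument count. */
static int fixed_order(const char *user_cmd, char magic, int nargs,
                       char *cmd, size_t sz)
{
    snprintf(cmd, sz, "exec %s", user_cmd);
    int n = max_magic(cmd, magic);
    return n > nargs ? -1 : n;
}

int main(void)
{
    char cmd[64];
    /* Same input as the report: "apply -a ' ' 2to3 test.py" (one argument). */
    printf("buggy order references arg %d\n",
           buggy_order("2to3", ' ', 1, cmd, sizeof cmd));   /* prints 2 */
    printf("fixed order result %d\n",
           fixed_order("2to3", ' ', 1, cmd, sizeof cmd));   /* prints -1 */
    return 0;
}
```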

