Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 41283
Date: Tue, 13 Jun 2017 15:20:07 +0100
From: Peter Stephenson
To: Branden Archer, zsh-workers@zsh.org
Subject: Re: NULL pointer dereference in zsh 5.3.1 with builtin chdir
Message-id: <20170613152007.4c87c24b@pwslap01u.europe.root.pri>
Organization: Samsung Cambridge Solution Centre
On Tue, 13 Jun 2017 09:26:32 -0400 Branden Archer wrote:
> A NULL pointer dereference has been discovered in zsh 5.3.1 when built for
> x86. The details are as follows:
>
> - A script starts with #!/bin/sh, but /bin/sh is a symlink to /bin/zsh
> - The script is executed with execve() by invoking "/bin/sh -c script", and
>   no environment variables are added. This results in only the following
>   environment variables being present inside of the script:
>
>   LOGNAME=root
>   SHLVL=1
>   PWD=/usr/share
>   OLDPWD=/home/root
>   _=/usr/bin/env
>
> - The script cd's into another directory then invokes 'cd' by itself to
>   change directories to the home directory.
> - If the top of the script is #!/bin/zsh the issue does not happen

Thanks, it was very easy to reproduce, after I guessed what "feature" this
was related to --- we've had trouble with HOME not being set in sh
compatibility mode before.
You need to be in zsh for the ARGV0 trick to work:

  (unset HOME; ARGV0=sh zsh -c cd)

> - The issue also does not happen on bash

Presumably this isn't really relevant? I have a hard time imagining why
null dereferences in one shell should be connected with those in another.
There's no code in common, but maybe that wasn't obvious.

The following includes a specific fix for HOME not being set and a
catch-all lower down if dir isn't set for some other reason (paranoia).

diff --git a/Src/builtin.c b/Src/builtin.c index 0b39494..4144e80 100644 --- a/Src/builtin.c +++ b/Src/builtin.c @@ -880,8 +880,11 @@ cd_get_dest(char *nam, char **argv, int hard, int func) dir = nextnode(firstnode(dirstack)); if (dir) zinsertlinknode(dirstack, dir, getlinknode(dirstack)); - else if (func != BIN_POPD) + else if (func != BIN_POPD) { + if (!home) + zwarnnam(nam, "HOME not set"); zpushnode(dirstack, ztrdup(home)); + } } else if (!argv[1]) { int dd; char *end; @@ -936,6 +939,10 @@ cd_get_dest(char *nam, char **argv, int hard, int func) if (!dir) { dir = firstnode(dirstack); } + if (!dir || !getdata(dir)) { + DPUTS(1, "Directory not set, not detected early enough"); + return NULL; + } if (!(dest = cd_do_chdir(nam, getdata(dir), hard))) { if (!target) zsfree(getlinknode(dirstack)); diff --git a/Test/B01cd.ztst b/Test/B01cd.ztst index 94447e7..8d4f095 100644 --- a/Test/B01cd.ztst +++ b/Test/B01cd.ztst @@ -137,6 +137,10 @@ F:something is broken. But you already knew that. 0: ?(eval):cd:3: not a directory: link_to_nonexistent + (unset HOME; ARGV0=sh $ZTST_testdir/../Src/zsh -c cd) +1:Implicit cd with unset HOME. +?zsh:cd:1: HOME not set + %clean # This optional section cleans up after the test, if necessary, # e.g. killing processes etc. This is in addition to the removal of *.tmp
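Review bot: in the first builtin.c hunk, after the new zwarnnam(nam, "HOME not set") the branch still falls through to zpushnode(dirstack, ztrdup(home)) with home NULL, so an entry with no data is pushed onto dirstack and the error only becomes a failure through a check further down the function; returning straight after the warning (`if (!home) { zwarnnam(nam, "HOME not set"); return NULL; }`) would keep the unset-HOME case self-contained and leave the directory stack untouched. Note that the branch is guarded only by `func != BIN_POPD`, so pushd with no arguments reaches the same warning, which is why the message is correctly generic rather than mentioning cd.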
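Review bot: in the second builtin.c hunk, the early `return NULL` under `if (!dir || !getdata(dir))` skips the cleanup that the existing failure path immediately below it performs with `if (!target) zsfree(getlinknode(dirstack));`, so when dir exists but carries no data the empty entry stays on the directory stack after cd fails; the catch-all should unlink that node the same way (when `!target`) before returning. Also, DPUTS is the only diagnostic on this path, so in a build where DPUTS is compiled out the user gets exit status 1 with no message; if the check is meant to be more than a debugging assertion, a zwarnnam alongside it would make the failure visible.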
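Review bot: the new B01cd.ztst case checks only the exit status and warning of a single `cd`; since cd_get_dest returns on this path after an entry has been pushed onto the directory stack, running a second command in the same shell (for example `-c 'cd; cd /; dirs'`, with the matching stdout line added) would confirm the shell and its directory stack are still usable after the failed cd. A companion case for `pushd` with no arguments, which reaches the same `func != BIN_POPD` branch, would cover the other caller of the new warning.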
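Reproducing the report outside the zsh test harness, as an added example that is not part of this thread or of the zsh sources: the script below recreates the reporter's conditions (a zsh invoked under the name sh, so it runs in sh compatibility mode, with an environment containing only the variables listed in the report and therefore no HOME) and classifies the outcome by exit status, so that a crash (status 128 plus the signal number) is distinguished from the clean failure with status 1 that the patch produces. Because a POSIX shell rather than zsh runs it, the ARGV0 trick from the reply is not available, so the sh name comes from a symlink in a temporary directory. The helper names `classify_status` and `repro_unset_home_cd` are mine, and the zsh binary is assumed to be whatever `zsh` is found on PATH.

```shell
#!/bin/sh
# Added example, not from the zsh-workers thread or the zsh sources.
# Reproduces "implicit cd with HOME unset in sh emulation" and classifies
# the result by exit status.

# classify_status STATUS
#   Map a child's exit status as seen by the shell to a short label:
#   0 -> "ok", 1..128 -> "error N", >128 -> "signal N" where N = STATUS - 128
#   (so 139 -> "signal 11", SIGSEGV, which is how a NULL dereference shows up).
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo "signal $(($1 - 128))"
    else
        echo "error $1"
    fi
}

# repro_unset_home_cd ZSH_BINARY
#   Run the reporter's scenario against ZSH_BINARY (assumption: any zsh on
#   the system) and print the classified outcome plus the first stderr line.
#   - zsh picks sh emulation from the basename of argv[0], so a symlink named
#     "sh" stands in for the reporter's /bin/sh -> /bin/zsh.
#   - env -i drops the caller's environment; only the variables from the
#     report are passed, so HOME is unset inside the script.
#   - The script is handed to the symlink directly instead of via a
#     "#!/bin/sh" line, so this machine's real /bin/sh is never involved.
repro_unset_home_cd() {
    zsh_bin=$1
    tmp=$(mktemp -d) || return 2
    ln -s "$zsh_bin" "$tmp/sh"
    # Constructed script: cd somewhere else, then the bare cd that needs HOME.
    printf 'cd /\ncd\n' > "$tmp/script"
    if env -i LOGNAME=root SHLVL=1 PWD="$tmp" OLDPWD=/ \
           "$tmp/sh" "$tmp/script" 2>"$tmp/err"; then
        status=0
    else
        status=$?
    fi
    result=$(classify_status "$status")
    err=$(head -n 1 "$tmp/err")
    rm -rf "$tmp"
    if [ -n "$err" ]; then
        echo "$result: $err"
    else
        echo "$result"
    fi
}

if command -v zsh >/dev/null 2>&1; then
    echo "unset-HOME cd under $(command -v zsh): $(repro_unset_home_cd "$(command -v zsh)")"
else
    echo "zsh not found on PATH; repro skipped"
fi
```

On a zsh carrying the patch the expected line is "error 1" followed by the "HOME not set" warning; on a build that still dereferences the NULL home, a "signal" label is what you would expect to see instead, and any other output (including "ok", if the zsh in question defaults HOME in sh mode) means the conditions of the report were not reproduced and the environment setup should be checked first.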