From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+ml==a==inbox.vuxu.org==zsh-workers@zsh.org>
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham autolearn_force=no
	version=3.4.4
Received: from zero.zsh.org (zero.zsh.org [IPv6:2a02:898:31:0:48:4558:7a:7368])
	by inbox.vuxu.org (Postfix) with ESMTP id 2D50D20C4D
	for <ml@inbox.vuxu.org>; Tue,  2 Jul 2024 12:28:29 +0200 (CEST)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1719916109;
	 b=r5c4KeVuHL9ptGCv0iuW3u59F9UZ6pGOoPLxuelNP7kZ/TtN+HELJP87FXcr73hPd4mXSFHwmo
	  K8NeUo7WnpZ3L/366iK5I1jqJGHtHCR429NAFn/9Mgo64cWBtP4eCngAITezyNmY+xaVbEB2kw
	  U/eNmBThvo8p4xkIT7Scx2DW6uoERLzpZ/40TlEP3RHreTBwTU7/ifoa+aPalOtC+kDOhma+dz
	  zLdkm8RT988gSN/h5j3wtbwhn40naSZZmd5W1vDDuYWM0mSPKquXBD5xOQ81I3nz+KvBOovSAi
	  +YwRvggb/4KrJt9TlOTzdLrbaNP6gDCfTd9eUG3up+LXIQ==;
ARC-Authentication-Results: i=1; zsh.org;
	iprev=pass (mta-snd-w08.biglobe.ne.jp) smtp.remote-ip=27.86.113.24;
	dkim=pass header.d=kba.biglobe.ne.jp header.s=default-1th84yt82rvi header.a=rsa-sha256;
	dmarc=none header.from=kba.biglobe.ne.jp;
	arc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1719916109;
	bh=NWSeZncjJfJqQ6v5fOWZspjUStlh0JsP70aGGoyuIQY=;
	h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help:
	  List-Id:Sender:DKIM-Signature:To:References:Message-ID:
	  Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:MIME-Version:
	  Content-Type:DKIM-Signature;
	b=NHogx8/+L9BuGRgd9sFHyrzkS2NLI9CZHRP+w55zmsaD41qNI4yA5v27gxyxvNYm6+EmQ7ofJJ
	  mVw1xNTE2AZM+1ApLQNQrjxQixxWWz1mlmXAbGALka6ZvOuykRaPiKsvQ1+sgdCn44oZAt0NQv
	  rQT88JyVn26mLyrw+pNUyk1hKsZNYLLNk6+csIXzqzbZXQ7Jvf2Q8fmm5m4cNUeimeFdhUt3i+
	  n69hFTbKeRTT1mfVTEEoKgyzaajdkbfaE9bViNctB48oIDI2cSWgloyX5uXOx83LuhqGyrzTxW
	  4pRCLe76DtmgbEWZw5gdryziKFflRkQ8oNUEdPKz34GGVA==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org;
	s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:
	List-Subscribe:List-Help:List-Id:Sender:To:References:Message-Id:
	Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version:
	Content-Type:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID;
	bh=uhqxp+BV3ia68+4zRbotAE2R1YGrcr+mLa2Pfboc5cQ=; b=qufatQB8qzWGfecjvcGFSix2CF
	nSRxibIix4F6p3DbEhOI4UEgStKwWP1Y7zUB8Kiganbt9L5Y0QlipspqEUTN7C8DP7l+iTMCPL4tJ
	Bo2/K8Y3/qb7u7yRIoHvIbxG0KzkdFyvNL3qWaNW1kgRUE3NLNAFKuj+PgYySy9NaFKDZsabsCVdR
	AO3u6V1dhsPxS6SKwsaw8G+Ubw4lnhlqnFwa8TqLi2qAGbapGrf6vVGDL9TZ357/YDWri2HQSIbvU
	DH6vdtWowGbRRT+zVVOulrw6YLh9y3HZ9TUKUDR5hz/8OI+7XR1Phjd11NIM4zGCq+ajNDwRPE89e
	HLHKjy+w==;
Received: by zero.zsh.org with local
	id 1sOakO-000KEe-Ej;
	Tue, 02 Jul 2024 10:28:28 +0000
Authentication-Results: zsh.org;
	iprev=pass (mta-snd-w08.biglobe.ne.jp) smtp.remote-ip=27.86.113.24;
	dkim=pass header.d=kba.biglobe.ne.jp header.s=default-1th84yt82rvi header.a=rsa-sha256;
	dmarc=none header.from=kba.biglobe.ne.jp;
	arc=none
Received: from mta-snd-w08.biglobe.ne.jp ([27.86.113.24]:36704)
	by zero.zsh.org with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256)
	id 1sOajb-000JtM-MX;
	Tue, 02 Jul 2024 10:27:42 +0000
Received: from mail.biglobe.ne.jp by mta-snd-w08.biglobe.ne.jp with ESMTP
          id <20240702102733246.IJCB.116736.mail.biglobe.ne.jp@biglobe.ne.jp>;
          Tue, 2 Jul 2024 19:27:33 +0900
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Subject: Re: Crash with read-only CDPATH
From: Jun T <takimoto-j@kba.biglobe.ne.jp>
In-Reply-To: <CAD9VzoAct1RxG-TMYR2vxau+pTDt_5ZVQXjPgL3Wy5RaZueKcw@mail.gmail.com>
Date: Tue, 2 Jul 2024 19:27:22 +0900
Cc: Connor Olding <cloningdonor@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A4710344-95A0-48DC-BD1E-A4CCD1B08251@kba.biglobe.ne.jp>
References: <CAD9VzoAct1RxG-TMYR2vxau+pTDt_5ZVQXjPgL3Wy5RaZueKcw@mail.gmail.com>
To: zsh-workers@zsh.org
X-Mailer: Apple Mail (2.3731.700.6)
X-Biglobe-Sender: takimoto-j@kba.biglobe.ne.jp
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kba.biglobe.ne.jp; s=default-1th84yt82rvi; t=1719916053;
 bh=uhqxp+BV3ia68+4zRbotAE2R1YGrcr+mLa2Pfboc5cQ=;
 h=Subject:From:In-Reply-To:Date:Cc:References:To;
 b=eIMBoXTC6rQy9RFg3bGan4uPi2D/Py1DPN4FXG5aT9ZvyOF61rLBoOkIBQnsrCB7A6zWjJjw
 CnGJx87P1Noh/xUwZp1zQU3faAYnT4EC+PHRqSwlHgYYrOy4eb1KpyefgC+rHQ8mXZEzo8uF+m
 SHlA5SG6a18aM6tNP5hd2VD0aBIl80EKzWFoG7vT3btgSJsLRb2FlUNwnG+zGyAtJt4mn98PQK
 NxLi9RONU2+Uvnt5roZ07Kv+3FtFxUGgnAMgKxDakNJbZUcNC5vJoS7bNZbrcHURM0152l2Jfd
 6yE5/ZKAvZ0R2noLWVGvWvsbv+AP1E8c5nlrPVJDze39OJFw==
X-Seq: 52985
Archived-At: <https://zsh.org/workers/52985>
X-Loop: zsh-workers@zsh.org
Errors-To: zsh-workers-owner@zsh.org
Precedence: list
Precedence: bulk
Sender: zsh-workers-request@zsh.org
X-no-archive: yes
List-Id: <zsh-workers.zsh.org>
List-Help: <http://www.zsh.org/sympa/help>, <mailto:sympa@zsh.org?subject=HELP>
List-Subscribe: <http://www.zsh.org/sympa/subscribe/zsh-workers>, <mailto:sympa@zsh.org?subject=SUB%20zsh-workers>
List-Unsubscribe: <http://www.zsh.org/sympa/signoff/zsh-workers>, <mailto:sympa@zsh.org?subject=SIG%20zsh-workers>
List-Post: <mailto:zsh-workers@zsh.org>
List-Owner: <mailto:zsh-workers-request@zsh.org>
List-Archive: <http://www.zsh.org/sympa/arc/zsh-workers>


> 2024/06/30 9:11, Connor Olding <cloningdonor@gmail.com> wrote:
>=20
> This minimal example immediately crashes zsh:
>=20
> readonly CDPATH; CDPATH=3D cd

Thank you for the report.

If CDPATH (a special parameter) is made readonly, save_params()
(called at exec.c:4071) does not allocate any memory for tpm,
but the original pm (obtained by paramtab->getnode() at line 4410)
is added to the restorelist (line 4442).

After addvars() (line 4083) fails ("read-only variable" error),
restore_params() (line 4086) tries to restore CDPATH,
but in this function
  pm (from the restorelist, line 4471), and
  tpm (from paramtab, line 4473)
point to the same memory (the original CDPATH).

Then
    exec.c:4483    tpm->gsu.s->setfn(tpm, pm->u.str)
coredumps when trying to free the memory for pm->u.str.

pm->u.str is the same data as pm->u.data,
and in the case of the original CDPATH it points to the global
variable 'char **cdpath' (line 61) and can't be freed.

I _guess_, in save_param(), we need to add tpm to restorelist
only if a copy of pm (i.e., tpm) is allocated.

Is this reasonable?


diff --git a/Src/exec.c b/Src/exec.c
index e955e85df..ac6c82ec6 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4408,7 +4408,7 @@ save_params(Estate state, Wordcode pc, LinkList =
*restore_p, LinkList *remove_p)
     while (wc_code(ac =3D *pc) =3D=3D WC_ASSIGN) {
 	s =3D ecrawstr(state->prog, pc + 1, NULL);
 	if ((pm =3D (Param) paramtab->getnode(paramtab, s))) {
-	    Param tpm;
+	    Param tpm =3D NULL;
 	    if (pm->env)
 		delenv(pm);
 	    if (!(pm->node.flags & PM_SPECIAL)) {
@@ -4425,7 +4425,6 @@ save_params(Estate state, Wordcode pc, LinkList =
*restore_p, LinkList *remove_p)
 		tpm =3D (Param) zshcalloc(sizeof *tpm);
 		tpm->node.nam =3D ztrdup(pm->node.nam);
 		copyparam(tpm, pm, 0);
-		pm =3D tpm;
 	    } else if (!(pm->node.flags & PM_READONLY) &&
 		       (unset(RESTRICTED) || !(pm->node.flags & =
PM_RESTRICTED))) {
 		/*
@@ -4436,10 +4435,10 @@ save_params(Estate state, Wordcode pc, LinkList =
*restore_p, LinkList *remove_p)
 		tpm =3D (Param) hcalloc(sizeof *tpm);
 		tpm->node.nam =3D pm->node.nam;
 		copyparam(tpm, pm, 1);
-		pm =3D tpm;
 	    }
 	    addlinknode(*remove_p, dupstring(s));
-	    addlinknode(*restore_p, pm);
+	    if (tpm)
+		addlinknode(*restore_p, tpm);
 	} else
 	    addlinknode(*remove_p, dupstring(s));
=20