1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| | Submitted here: https://github.com/freebsd/atf/pull/57
From 098b66269b1cf1d944b8b214ceb7ce9febde3682 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Mon, 29 Jan 2024 22:35:49 -0500
Subject: [PATCH] Fix use after free in execute_with_shell.
The temporary string returned by atf::env::get would be used outside
its statement, which is invalid and cause undefined behavior. Copy it
to a local variable to avoid the issue.
Fixes: https://github.com/freebsd/atf/issues/26
Fixes: https://github.com/freebsd/kyua/issues/223
Reported-by: Ruslan Bukin <br@bsdpad.com>
---
atf-sh/atf-check.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/atf-sh/atf-check.cpp b/atf-sh/atf-check.cpp
index 41f0b13..9d6f7a8 100644
--- a/atf-sh/atf-check.cpp
+++ b/atf-sh/atf-check.cpp
@@ -436,7 +436,9 @@ execute_with_shell(char* const* argv)
const std::string cmd = flatten_argv(argv);
const char* sh_argv[4];
- sh_argv[0] = atf::env::get("ATF_SHELL", ATF_SHELL).c_str();
+ const std::string shell = atf::env::get("ATF_SHELL", ATF_SHELL);
+
+ sh_argv[0] = shell.c_str();
sh_argv[1] = "-c";
sh_argv[2] = cmd.c_str();
sh_argv[3] = NULL;
base-commit: 18eb8168b70a0f934b4824b6391b55ac0b2f4fdf
--
2.41.0
|