sh: Fix double INTON with vfork

The shell maintains a count of the number of times SIGINT processing has
been disabled via INTOFF, so SIGINT processing resumes when all disables
have enabled again (INTON).

If an error occurs in a vfork() child, the processing of the error enables
SIGINT processing again, and the INTON in vforkexecshell() causes the count
to become negative.

As a result, a later INTOFF may not actually disable SIGINT processing. This
might cause memory corruption if a SIGINT arrives at an inopportune time. As
of r360452, it causes the shell to abort when it would unsafely allocate or
free memory in certain ways.

Note that various places such as errors in non-special builtins
unconditionally reset the count to 0, so the problem might still not always
be visible.

PR:		246497
Reported by:	jbeich
MFC after:	2 weeks
Jilles Tjoelker 2020-05-16 16:29:23 +00:00
parent 9982b3ee29
commit 6bc7175f31
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=361112
3 changed files with 10 additions and 1 deletions

@ -1008,9 +1008,11 @@ vforkexecshell(struct job *jp, char **argv, char **envp, const char *path, int i
pid_t pid;
struct jmploc jmploc;
struct jmploc *savehandler;
int inton;
TRACE(("vforkexecshell(%%%td, %s, %p) called\n", jp - jobtab, argv[0],
(void *)pip));
inton = is_int_on();
INTOFF;
flushall();
savehandler = handler;
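
Review bot: The new `inton = is_int_on();` ahead of INTOFF has no comment saying why this function saves the entry state instead of relying on a paired INTON; the reason (error processing in the vfork() child enables SIGINT processing again) lives only in the commit message. A one-line comment at the save, or at the `int inton;` declaration, would keep a later cleanup from turning this back into a plain INTOFF/INTON pair.
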
@ -1045,7 +1047,7 @@ vforkexecshell(struct job *jp, char **argv, char **envp, const char *path, int i
setcurjob(jp);
#endif
}
INTON;
SETINTON(inton);
TRACE(("In parent shell: child = %d\n", (int)pid));
return pid;
}
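
Review bot: SETINTON(inton) on the parent return path restores whatever is_int_on() reported on entry, so it is only correct if that value carries the full disable count and not just an on/off flag; please confirm this for a caller that enters with SIGINT processing already disabled more than once. If it is a count, renaming the local to reflect that (it reads like a boolean here) would make the restore easier to audit.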

@ -64,6 +64,7 @@ ${PACKAGE}FILES+= subshell2.0
${PACKAGE}FILES+= subshell3.0
${PACKAGE}FILES+= subshell4.0
${PACKAGE}FILES+= unknown1.0
${PACKAGE}FILES+= unknown2.0
${PACKAGE}FILES+= var-assign1.0
.include <bsd.test.mk>

@ -0,0 +1,6 @@
# $FreeBSD$
{
: $(/var/empty/nosuchtool)
: $(:)
} 2>/dev/null
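
Review bot: The new test has no comment tying it to the bug, and the `2>/dev/null` on the whole group discards any diagnostic the shell would print if it regresses. Please add a short comment referencing PR 246497 that says `: $(/var/empty/nosuchtool)` forces the error in the vfork() child and `: $(:)` then exercises a later INTOFF, and note that detection relies on the abort described in the commit message (as of r360452), so a reader knows why a two-line script with no assertions is sufficient.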