[klibc] [klibc:update-dash] dash: [EVAL] Fix use-after-free in dotrap/evalstring

klibc-bot for Herbert Xu herbert at gondor.apana.org.au
Sat Mar 28 14:48:18 PDT 2020


Commit-ID:  097a6e92dd6aea6d1e1e872c3aa02d677a004a88
Gitweb:     http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=097a6e92dd6aea6d1e1e872c3aa02d677a004a88
Author:     Herbert Xu <herbert at gondor.apana.org.au>
AuthorDate: Thu, 2 Oct 2014 08:26:06 +0800
Committer:  Ben Hutchings <ben at decadent.org.uk>
CommitDate: Sat, 28 Mar 2020 21:42:54 +0000

[klibc] dash: [EVAL] Fix use-after-free in dotrap/evalstring

[ dash commit 6c3f73bc536082fec38bd36e6c8a121033c68835 ]

The function dotrap calls evalstring using the stored trap string.
If evalstring then unsets that exact trap string then we will end
up using freed memory.

This patch fixes it by making evalstring always duplicate the string
before using it.

Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>

---
 usr/dash/eval.c     | 3 +++
 usr/dash/histedit.c | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr/dash/eval.c b/usr/dash/eval.c
index e6f6cd5c..adf05fde 100644
--- a/usr/dash/eval.c
+++ b/usr/dash/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
 	struct stackmark smark;
 	int status;
 
+	s = sstrdup(s);
 	setinputstring(s);
 	setstackmark(&smark);
 
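Review bot: the added `s = sstrdup(s);` at the top of evalstring reads as a redundant copy to anyone who has not seen the commit message, so it deserves a one-line comment saying that the caller's string (for example a stored trap string) may be freed while it is being evaluated. Its placement before `setstackmark(&smark)` also matters: the copy sits below the mark, so the `popstackmark(&smark)` added in the next hunk does not release it and it has to be freed separately. A short comment on that ordering would keep a later reorder from breaking it.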
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
 		if (evalskip)
 			break;
 	}
+	popstackmark(&smark);
 	popfile();
+	stunalloc(s);
 
 	return status;
 }
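Review bot: the cleanup sequence `popstackmark(&smark); popfile(); stunalloc(s);` only works because the copy was allocated before the mark was set in the first hunk, and the new `popstackmark(&smark)` call is not mentioned in the commit message. Consider saying in the message why the mark is now popped here, and confirm that no path between the `sstrdup` and this point leaves the function without reaching `stunalloc(s)`. The only exit from the loop visible in this hunk is the `break` on `evalskip`, which does reach the cleanup.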
diff --git a/usr/dash/histedit.c b/usr/dash/histedit.c
index b27d6294..94465d78 100644
--- a/usr/dash/histedit.c
+++ b/usr/dash/histedit.c
@@ -372,8 +372,7 @@ histcmd(int argc, char **argv)
 					out2str(s);
 				}
 
-				evalstring(strcpy(stalloc(strlen(s) + 1), s),
-					   0);
+				evalstring(s, 0);
 				if (displayhist && hist) {
 					/*
 					 *  XXX what about recursive and
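Review bot: with the `strcpy(stalloc(strlen(s) + 1), s)` copy removed, `evalstring(s, 0)` in histcmd is safe only when the eval.c change from this same patch is present, so the two files should not be split or backported separately. Since evalstring now does the duplication itself, it is also worth checking whether any other caller still makes its own copy before the call, as this one did; none are shown in this diff.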

