From e109dc9885201bbfadd97bc8085772c7b7f5a38b Mon Sep 17 00:00:00 2001 From: millert Date: Sat, 4 May 2024 22:59:21 +0000 Subject: [PATCH] Update awk to the May 4, 2024 version. Fixes a use-after-free bug with ARGV for "delete ARGV". --- usr.bin/awk/FIXES | 18 ++++++++++++----- usr.bin/awk/b.c | 6 +++--- usr.bin/awk/lib.c | 6 +++--- usr.bin/awk/main.c | 50 ++++++++++++++++++++++++++++++++-------------- usr.bin/awk/run.c | 8 ++++---- usr.bin/awk/tran.c | 24 ++++++++++++---------- 6 files changed, 71 insertions(+), 41 deletions(-) diff --git a/usr.bin/awk/FIXES b/usr.bin/awk/FIXES index c4eef3bd8ea..15c4630675e 100644 --- a/usr.bin/awk/FIXES +++ b/usr.bin/awk/FIXES @@ -25,15 +25,23 @@ THIS SOFTWARE. This file lists all bug fixes, changes, etc., made since the second edition of the AWK book was published in September 2023. +May 4, 2024 + Fixed a use-after-free bug with ARGV for "delete ARGV". + Also ENVtab is no longer global. Thanks to Benjamin Sturz + for spotting the ARGV issue and Todd Miller for the fix. + +May 3, 2024: + Remove warnings when compiling with g++. Thanks to Arnold Robbins. + Apr 22, 2024: - fixed regex engine gototab reallocation issue that was - introduced during the Nov 24 rewrite. Thanks to Arnold Robbins. + Fixed regex engine gototab reallocation issue that was + Introduced during the Nov 24 rewrite. Thanks to Arnold Robbins. Fixed a scan bug in split in the case the separator is a single - character. thanks to Oguz Ismail for spotting the issue. + character. Thanks to Oguz Ismail for spotting the issue. Mar 10, 2024: - fixed use-after-free bug in fnematch due to adjbuf invalidating - the pointers to buf. thanks to github user caffe3 for spotting + Fixed use-after-free bug in fnematch due to adjbuf invalidating + the pointers to buf. Thanks to github user caffe3 for spotting the issue and providing a fix, and to Miguel Pineiro Jr. for the alternative fix. MAX_UTF_BYTES in fnematch has been replaced with awk_mb_cur_max. 
diff --git a/usr.bin/awk/b.c b/usr.bin/awk/b.c index 89f4918b7a0..82f65221667 100644 --- a/usr.bin/awk/b.c +++ b/usr.bin/awk/b.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b.c,v 1.51 2024/04/25 18:33:53 millert Exp $ */ +/* $OpenBSD: b.c,v 1.52 2024/05/04 22:59:21 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -651,7 +651,7 @@ static int set_gototab(fa *f, int state, int ch, int val) /* hide gototab implem f->gototab[state].entries[0].state = val; f->gototab[state].inuse++; return val; - } else if (ch > f->gototab[state].entries[f->gototab[state].inuse-1].ch) { + } else if ((unsigned)ch > f->gototab[state].entries[f->gototab[state].inuse-1].ch) { // not seen yet, insert and return gtt *tab = & f->gototab[state]; if (tab->inuse + 1 >= tab->allocated) @@ -875,7 +875,7 @@ bool fnematch(fa *pfa, FILE *f, char **pbuf, int *pbufsize, int quantum) * Call u8_rune with at least awk_mb_cur_max ahead in * the buffer until EOF interferes. */ - if (k - j < awk_mb_cur_max) { + if (k - j < (int)awk_mb_cur_max) { if (k + awk_mb_cur_max > buf + bufsize) { char *obuf = buf; adjbuf(&buf, &bufsize, diff --git a/usr.bin/awk/lib.c b/usr.bin/awk/lib.c index bb49f8e35bf..5060241db93 100644 --- a/usr.bin/awk/lib.c +++ b/usr.bin/awk/lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lib.c,v 1.55 2023/11/28 20:54:38 millert Exp $ */ +/* $OpenBSD: lib.c,v 1.56 2024/05/04 22:59:21 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -845,10 +845,10 @@ int isclvar(const char *s) /* is s of form var=something ? */ { const char *os = s; - if (!isalpha((uschar) *s) && *s != '_') + if (!isalpha((uschar)*s) && *s != '_') return 0; for ( ; *s; s++) - if (!(isalnum((uschar) *s) || *s == '_')) + if (!(isalnum((uschar)*s) || *s == '_')) break; return *s == '=' && s > os; } 
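Review bot: The `(int)awk_mb_cur_max` cast in the fnematch hunk changes how the comparison is evaluated, not only whether it warns. If `awk_mb_cur_max` is a `size_t` and `k`/`j` are pointers into `buf` (their declarations are outside the hunk), `k - j` used to be converted to unsigned, so a negative difference compared false. It now compares true and enters the buffer-growth branch. That is safe only while `j <= k` holds, so I would record the invariant beside the test, e.g. `/* j <= k here, so the signed comparison cannot see a negative difference */`, and cast to `ptrdiff_t` rather than `int` to match the type of a pointer difference. The `(unsigned)ch` cast in the set_gototab hunk looks behaviour-preserving provided the entry's `ch` field is unsigned; both functions continue outside their hunks.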
diff --git a/usr.bin/awk/main.c b/usr.bin/awk/main.c index 11296ce12bf..ef5a724a8df 100644 --- a/usr.bin/awk/main.c +++ b/usr.bin/awk/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.69 2024/04/25 18:33:53 millert Exp $ */ +/* $OpenBSD: main.c,v 1.70 2024/05/04 22:59:21 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -23,7 +23,7 @@ ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ****************************************************************/ -const char *version = "version 20240422"; +const char *version = "version 20240504"; #define DEBUG #include 
@@ -66,22 +66,42 @@ static noreturn void fpecatch(int n
 {
 extern Node *curnode;
 #ifdef SA_SIGINFO
- static const char *emsg[] = {
- [0] = "Unknown error",
- [FPE_INTDIV] = "Integer divide by zero",
- [FPE_INTOVF] = "Integer overflow",
- [FPE_FLTDIV] = "Floating point divide by zero",
- [FPE_FLTOVF] = "Floating point overflow",
- [FPE_FLTUND] = "Floating point underflow",
- [FPE_FLTRES] = "Floating point inexact result",
- [FPE_FLTINV] = "Invalid Floating point operation",
- [FPE_FLTSUB] = "Subscript out of range",
- };
+ const char *mesg = NULL;
+
+ switch (si->si_code) {
+ case FPE_INTDIV:
+ mesg = "Integer divide by zero";
+ break;
+ case FPE_INTOVF:
+ mesg = "Integer overflow";
+ break;
+ case FPE_FLTDIV:
+ mesg = "Floating point divide by zero";
+ break;
+ case FPE_FLTOVF:
+ mesg = "Floating point overflow";
+ break;
+ case FPE_FLTUND:
+ mesg = "Floating point underflow";
+ break;
+ case FPE_FLTRES:
+ mesg = "Floating point inexact result";
+ break;
+ case FPE_FLTINV:
+ mesg = "Invalid Floating point operation";
+ break;
+ case FPE_FLTSUB:
+ mesg = "Subscript out of range";
+ break;
+ case 0:
+ default:
+ mesg = "Unknown error";
+ break;
+ }
 #endif
 dprintf(STDERR_FILENO, "floating point exception%s%s\n",
 #ifdef SA_SIGINFO
- ": ", (size_t)si->si_code < sizeof(emsg) / sizeof(emsg[0]) &&
- emsg[si->si_code] ? emsg[si->si_code] : emsg[0]
+ ": ", mesg
 #else
 "", ""
 #endif
diff --git a/usr.bin/awk/run.c b/usr.bin/awk/run.c
index bf24e29bc73..14cc404a0ea 100644
--- a/usr.bin/awk/run.c
+++ b/usr.bin/awk/run.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: run.c,v 1.85 2024/04/25 18:33:53 millert Exp $ */
+/* $OpenBSD: run.c,v 1.86 2024/05/04 22:59:21 millert Exp $ */
 /****************************************************************
 Copyright (C) Lucent Technologies 1997
 All Rights Reserved
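Review bot: In the new switch in fpecatch, `case 0:` sits directly above `default:` and `mesg` is initialised to `NULL` although every path through the switch assigns it, so both could be dropped without changing behaviour. What deserves a comment is the property the switch now provides: an `si_code` outside the listed FPE_* values lands on `default` and is never used as an index, e.g. `/* any si_code not listed above gets the generic message */` on the `default:` label. The function's signature and the rest of its body lie outside the hunk.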
@@ -725,7 +725,7 @@ int u8_byte2char(const char *s, int bytenum) return charnum; } -/* runetochar() adapted from rune.c in the Plan 9 distributione */ +/* runetochar() adapted from rune.c in the Plan 9 distribution */ enum { @@ -2063,7 +2063,7 @@ static char *nawk_tolower(const char *s) Cell *bltin(Node **a, int n) /* builtin functions. a[0] is type, a[1] is arg list */ { Cell *x, *y; - Awkfloat u; + Awkfloat u = 0; int t, sz; Awkfloat tmp; char *buf, *fmt; @@ -2539,7 +2539,7 @@ Cell *dosub(Node **a, int subop) /* sub and gsub */ const char *start; const char *noempty = NULL; /* empty match disallowed here */ size_t m = 0; /* match count */ - size_t whichm; /* which match to select, 0 = global */ + size_t whichm = 0; /* which match to select, 0 = global */ int mtype; /* match type */ if (a[0] == NULL) { /* 0 => a[1] is already-compiled regexpr */ diff --git a/usr.bin/awk/tran.c b/usr.bin/awk/tran.c index c2bb1e0227e..ba31583e980 100644 --- a/usr.bin/awk/tran.c +++ b/usr.bin/awk/tran.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tran.c,v 1.38 2023/10/30 17:52:54 millert Exp $ */ +/* $OpenBSD: tran.c,v 1.39 2024/05/04 22:59:21 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -58,8 +58,7 @@ Cell *fnrloc; /* FNR */ Cell *ofsloc; /* OFS */ Cell *orsloc; /* ORS */ Cell *rsloc; /* RS */ -Array *ARGVtab; /* symbol table containing ARGV[...] */ -Array *ENVtab; /* symbol table containing ENVIRON[...] */ +Cell *ARGVcell; /* cell with symbol table containing ARGV[...] */ Cell *rstartloc; /* RSTART */ Cell *rlengthloc; /* RLENGTH */ Cell *subseploc; /* SUBSEP */ 
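Review bot: `size_t whichm = 0;` in the dosub hunk gives the variable the value its own comment defines as "global". Any path that reaches the substitution loop without assigning `whichm` would then silently act as a global replace instead of being caught by the compiler or a sanitizer. Whether such a path exists cannot be judged from the hunk, because dosub's body continues outside it. If the initialiser is there only to quiet a maybe-uninitialized warning, say so on the line, e.g. `/* which match to select, 0 = global; set here only to silence a compiler warning */`. The same remark applies to `Awkfloat u = 0;` in the bltin hunk, where `0.0` would match the declared type.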
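Review bot: `Cell *ARGVcell` replaces the cached `Array *ARGVtab` in the tran.c declaration hunk, but no reader of the new global appears in the patch as shown, so the half of the use-after-free fix that matters cannot be checked from here. Every former user of `ARGVtab` needs to take the table from `ARGVcell->sval` at the point of use. Copying it into a longer-lived `Array *` would reintroduce the stale pointer that the commit message attributes to `delete ARGV`. I would state that rule on the declaration, e.g. `Cell *ARGVcell; /* cell for ARGV; fetch the table from ->sval on each use, never cache it */`. A regression test that exercises `delete ARGV` under AddressSanitizer would pin the fix.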
@@ -108,36 +107,39 @@ void syminit(void) /* initialize symbol table with builtin vars */ void arginit(int ac, char **av) /* set up ARGV and ARGC */ { + Array *ap; Cell *cp; int i; char temp[50]; ARGC = &setsymtab("ARGC", "", (Awkfloat) ac, NUM, symtab)->fval; cp = setsymtab("ARGV", "", 0.0, ARR, symtab); - ARGVtab = makesymtab(NSYMTAB); /* could be (int) ARGC as well */ + ap = makesymtab(NSYMTAB); /* could be (int) ARGC as well */ free(cp->sval); - cp->sval = (char *) ARGVtab; + cp->sval = (char *) ap; for (i = 0; i < ac; i++) { double result; snprintf(temp, sizeof(temp), "%d", i); if (is_number(*av, & result)) - setsymtab(temp, *av, result, STR|NUM, ARGVtab); + setsymtab(temp, *av, result, STR|NUM, ap); else - setsymtab(temp, *av, 0.0, STR, ARGVtab); + setsymtab(temp, *av, 0.0, STR, ap); av++; } + ARGVcell = cp; } void envinit(char **envp) /* set up ENVIRON variable */ { + Array *ap; Cell *cp; char *p; cp = setsymtab("ENVIRON", "", 0.0, ARR, symtab); - ENVtab = makesymtab(NSYMTAB); + ap = makesymtab(NSYMTAB); free(cp->sval); - cp->sval = (char *) ENVtab; + cp->sval = (char *) ap; for ( ; *envp; envp++) { double result; @@ -147,9 +149,9 @@ void envinit(char **envp) /* set up ENVIRON variable */ continue; *p++ = 0; /* split into two strings at = */ if (is_number(p, & result)) - setsymtab(*envp, p, result, STR|NUM, ENVtab); + setsymtab(*envp, p, result, STR|NUM, ap); else - setsymtab(*envp, p, 0.0, STR, ENVtab); + setsymtab(*envp, p, 0.0, STR, ap); p[-1] = '='; /* restore in case env is passed down to a shell */ } } -- 2.20.1