[bug #66445] Use after free in change_to

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #66445] Use after free in change_to_directory function

From:	anonymous
Subject:	[bug #66445] Use after free in change_to_directory function
Date:	Fri, 15 Nov 2024 05:48:58 -0500 (EST)

URL:
  <https://savannah.gnu.org/bugs/?66445>

                 Summary: Use after free in change_to_directory function
                   Group: The GNU Bourne-Again SHell
               Submitter: None
               Submitted: Fri 15 Nov 2024 10:48:54 AM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 15 Nov 2024 10:48:54 AM UTC By: Anonymous
There two places, where use after free occurs in change_to_directory function
defined in cd.def file.
1. First place:
assign: Assigning: tdir = nolinks ? sh_physpath(t, 0) : sh_canonpath(t, 3).
571  tdir = nolinks ? sh_physpath (t, 0)
572                 : sh_canonpath (t, PATH_CHECKDOTDOT|PATH_CHECKEXISTS);
573
574  ndlen = strlen (newdir);
575
576  /* Use the canonicalized version of NEWDIR, or, if canonicalization
577     failed, use the non-canonical form. */
578  canon_failed = 0;
6. Condition tdir, taking true branch.
7. Condition *tdir, taking false branch.
579  if (tdir && *tdir)
580    free (t);
581  else
582    {
8. Condition tdir, taking true branch.
9. freed_arg: free frees tdir.
583      FREE (tdir);
CID 6159462: (#1 of 1): Use after free (USE_AFTER_FREE)
10. use_after_free: Using freed pointer t.
584      tdir = t;
585      canon_failed = 1;

2. Second place:
CID 6159485: (#1 of 1): Use after free (USE_AFTER_FREE)
14. use_after_free: Using freed pointer tdir.
628      r = chdir (nolinks ? newdir : tdir);








    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66445>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[bug #66445] Use after free in change_to_directory function, anonymous <=

Prev by Date: [bug #66444] Use after free in expand_string_dollar_quote function
Next by Date: Re: [PATCH] Makefile.in: add LIBINTL_H to install-headers
Previous by thread: [bug #66444] Use after free in expand_string_dollar_quote function
Next by thread: redirection / process substitution fails to read a file descriptor
Index(es):
- Date
- Thread