URL: <https://savannah.gnu.org/bugs/?67586>
Summary: Fix CHERI out-of-bounds access by updating 'input_string' after realloc
Group: The GNU Bourne-Again SHell
Submitter: flow
Submitted: Mon 06 Oct 2025 05:27:32 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 06 Oct 2025 05:27:32 PM UTC By: Florian Schmaus <flow>
On CHERI systems with architectural capabilities, the (capability) pointer
returned by xrealloc() may have the same address part, but it will have updated
bounds. Not using the returned pointer with the updated bounds results in
CHERI out-of-bounds faults. Therefore, it is important to always use the pointer
returned by xrealloc(), even if its address part is equal.
Bash currently does *not* update the 'input_string' pointer in read.def:
    char *x;
    x = (char *)xrealloc (input_string, size += 128);
    /* Only need to change unwind-protect if input_string changes */
    if (x != input_string)
      {
        input_string = x;
        remove_unwind_protect ();
        add_unwind_protect (xfree, input_string);
      }
Attached patch fixes this.
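The following is an added illustration, not the attached patch and not code from bash or from the Savannah page. It models a CHERI capability as a plain struct (address plus bounds) so it runs on any host, and uses a hypothetical `toy_xrealloc()` that always grows in place, reproducing the "same address, new bounds" case from the report. The names `cap_t`, `cap_store`, `arena` and both `grow_then_store_*` functions are constructed for the example; the read.def logic is mirrored by the address comparison in the buggy variant, and the unconditional assignment shows the behaviour the report asks for.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a CHERI capability: an address plus the bounds the hardware
   would enforce. Real capabilities carry bounds and a validity tag in the
   register; this struct only imitates the bounds check so it runs anywhere. */
typedef struct {
    char *addr;     /* address part */
    size_t length;  /* bytes accessible from addr */
} cap_t;

#define ARENA_SIZE 1024
static char arena[ARENA_SIZE]; /* constructed backing store for the toy allocator */

/* Hypothetical stand-in for xrealloc() on CHERI. It always grows in place, so
   the returned address part equals the old one while the bounds change; that is
   exactly the situation the bug report describes. */
static cap_t toy_xrealloc(cap_t old, size_t new_size)
{
    cap_t c;
    (void)old;
    c.addr = arena;
    c.length = new_size <= ARENA_SIZE ? new_size : ARENA_SIZE;
    return c;
}

/* Bounds-checked store. Returns 0 on success and -1 where CHERI hardware would
   raise an out-of-bounds fault instead of performing the access. */
static int cap_store(cap_t c, size_t idx, char v)
{
    if (idx >= c.length)
        return -1;
    c.addr[idx] = v;
    return 0;
}

/* Mirrors the read.def logic quoted above: the returned capability is only
   taken when its address part differs, so an in-place grow leaves the caller
   holding the old, smaller bounds. */
static int grow_then_store_buggy(void)
{
    size_t size = 128;
    cap_t input_string = toy_xrealloc((cap_t){ arena, 0 }, size);
    cap_t x = toy_xrealloc(input_string, size += 128);
    if (x.addr != input_string.addr)          /* equal address: stale bounds kept */
        input_string = x;
    return cap_store(input_string, 128, 'b'); /* index 128 lies outside the stale 128-byte bounds */
}

/* The behaviour the report asks for: always adopt the returned capability,
   whether or not its address part changed. */
static int grow_then_store_fixed(void)
{
    size_t size = 128;
    cap_t input_string = toy_xrealloc((cap_t){ arena, 0 }, size);
    cap_t x = toy_xrealloc(input_string, size += 128);
    input_string = x;                         /* unconditional update */
    return cap_store(input_string, 128, 'b'); /* index 128 lies within the new 256-byte bounds */
}

int main(void)
{
    printf("address-compare update: %s\n",
           grow_then_store_buggy() == 0 ? "ok" : "out-of-bounds fault");
    printf("unconditional update:   %s\n",
           grow_then_store_fixed() == 0 ? "ok" : "out-of-bounds fault");
    return 0;
}
```

On a conventional (non-CHERI) build the address comparison is harmless, because a pointer is nothing but its address; the toy bounds field is what makes the difference visible here, just as the hardware bounds do on CHERI.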
_______________________________________________________
File Attachments:
Name: read-always-update-input_string-pointer-on-CHERI.patch Size: 1KiB
<https://file.savannah.gnu.org/file/read-always-update-input_string-pointer-on-CHERI.patch?file_id=57701>