On Fri, Aug 1, 2025 at 9:59 PM Harry Eaton <[email protected]> wrote:
> cur_var = cur_var->next;
> free(tmp);
> }
> + free(G.to_free);
> + G.to_free = NULL;
> + free(ptr_to_globals);
> }
> #endif
fflush_all();
#if ENABLE_HUSH_JOB
sigexit(- (exitcode & 0xff));
#else
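Review bot: the `+ free(ptr_to_globals);` line runs before the `fflush_all();` and `sigexit(- (exitcode & 0xff));` that follow the `#endif`, and under ENABLE_HUSH_JOB sigexit() reads G, which lives in the block just released, so the exit path now uses freed memory. Either drop `free(ptr_to_globals);` and release only G.to_free here, or move it to after the last statement that touches G; the `+ G.to_free = NULL;` store immediately before it is also a dead write once the whole globals block is freed.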
Use-after-free: sigexit() uses globals.
> @@ -7657,9 +7663,6 @@
> {
> pid_t pid;
> int channel[2];
> -# if !BB_MMU
> - char **to_free = NULL;
> -# endif
>
> xpipe(channel);
> pid = BB_MMU ? xfork() : xvfork();
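Review bot: removing the per-call local `to_free` (the `-# if !BB_MMU` / `- char **to_free = NULL;` lines) and routing the allocation through G.to_free extends its lifetime from this function's scope to the whole shell, but nothing in the hunk shows what was leaking while the local existed; the commit message should name the path that leaves this function without reaching its free. Note also that a single global slot can hold only one outstanding allocation, so any re-entry into this function before the previous block is freed will overwrite the pointer.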
> @@ -7736,7 +7739,7 @@
> * huge=`cat BIG` # was blocking here forever
> * echo OK
> */
> - re_execute_shell(&to_free,
> + re_execute_shell(&G.to_free,
> s,
> G.global_argv[0],
> G.global_argv + 1,
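Review bot: `+ re_execute_shell(&G.to_free,` stores into a global slot without checking that it is still NULL, so if G.to_free already holds a block from an earlier call that has not yet been freed, that block is lost rather than reclaimed. Add `free(G.to_free);` (or an assertion that it is NULL) immediately before this call in the !BB_MMU case so the slot holds at most one live allocation.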
> @@ -7754,7 +7757,8 @@
> # endif
> enable_restore_tty_pgrp_on_exit();
> # if !BB_MMU
> - free(to_free);
> + free(G.to_free);
> + G.to_free = NULL;
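Review bot: the `+ free(G.to_free);` / `+ G.to_free = NULL;` pair here duplicates the one added to hush_exit(); a small helper, or at least a comment stating which path reaches hush_exit() with G.to_free still set, would make it clear that the two frees never act on the same block, since the NULL reset on this line is the only thing preventing that.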
Can you explain how exactly this was leaking the allocation?
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox