From 4604df9ada906e0a6537157a63b6ce7c0509f34d Mon Sep 17 00:00:00 2001
From: Martijn Dekker <martijn@inlv.org>
Date: Thu, 28 Jan 2021 06:08:38 +0000
Subject: [PATCH] Stack robustness fixes from OpenSUSE

Three OpenSUSE patches from:
https://build.opensuse.org/package/show/shells/ksh

As usual, the relevant bug is not currently public:
https://bugzilla.opensuse.org/show_bug.cgi?id=844071

src/cmd/ksh93/sh/xec.c: sh_debug()/sh_exec():
- Fix stk restoration. [bnc#844071]

src/lib/libast/misc/stk.c:
- Fix stk aliasing code. [bnc#844071]
  (ksh93-stkalias.dif)
- Make a unknown location fatal in stkset() so that we get a core
  dump right away instead of later in an unrelated part of code.
  (ksh93-stkset-abort.dif)

src/lib/libast/man/stk.3,
src/lib/libast/man/stak.3:
- Update manual with new stkset() behaviour. (93u+m addition)
  (Note that stak is implemented as macros that translate to stk)
---
 src/cmd/ksh93/sh/xec.c    |  6 +++---
 src/lib/libast/man/stak.3 |  5 +++--
 src/lib/libast/man/stk.3  |  5 +++--
 src/lib/libast/misc/stk.c | 16 ++++++++++------
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
index 23526098ec20..ca3876394d63 100644
--- a/src/cmd/ksh93/sh/xec.c
+++ b/src/cmd/ksh93/sh/xec.c
@@ -646,8 +646,8 @@ int sh_debug(Shell_t *shp, const char *trap, const char *name, const char *subsc
 	Stk_t			*stkp=shp->stk;
 	struct sh_scoped	savst;
 	Namval_t		*np = SH_COMMANDNOD;
-	char			*sav = stkptr(stkp,0);
 	int			n=4, offset=stktell(stkp);
+	char			*sav = stkfreeze(stkp,0);
 	const char		*cp = "+=( ";
 	Sfio_t			*iop = stkstd;
 	short			level;
@@ -702,7 +702,7 @@ int sh_debug(Shell_t *shp, const char *trap, const char *name, const char *subsc
 	nv_putval(SH_FUNNAMENOD,shp->st.funname,NV_NOFREE);
 	shp->st = savst;
 	if(sav != stkptr(stkp,0))
-		stkset(stkp,sav,0);
+		stkset(stkp,sav,offset);
 	else
 		stkseek(stkp,offset);
 	return(n);
@@ -962,7 +962,7 @@ int sh_exec(register const Shnode_t *t, int flags)
 		int		ntflag = 0;
 #endif
 		int		topfd = shp->topfd;
-		char 		*sav=stkptr(stkp,0);
+		char 		*sav=stkfreeze(stkp,0);
 		char		*cp=0, **com=0, *comn;
 		int		argn;
 		int 		skipexitset = 0;
diff --git a/src/lib/libast/man/stak.3 b/src/lib/libast/man/stak.3
index 5feac69..89e0f54 100644
--- a/src/lib/libast/man/stak.3
+++ b/src/lib/libast/man/stak.3
@@ -109,8 +109,9 @@ the given \fIaddress\fP, and sets the current object to the given
 \fIaddress\fP.
 The top of the current object is set to \fIoffset\fP bytes from
 current object.
-If \fIaddress\fP is not the address of an object on the
-stack the result is undefined.
+If \fIaddress\fP is null, the stack is reset to the beginning.
+If it is non-null, but is not the address of an object on the
+stack, the program aborts and dumps core.
 .PP
 The remaining functions are used to build the current object incrementally.
 An object that is built incrementally on the stack will  
diff --git a/src/lib/libast/man/stk.3 b/src/lib/libast/man/stk.3
index 20dfdbefa44c..dd5705cf1188 100644
--- a/src/lib/libast/man/stk.3
+++ b/src/lib/libast/man/stk.3
@@ -110,8 +110,9 @@ the given \fIaddress\fP, and sets the current object to the given
 \fIaddress\fP.
 The top of the current object is set to \fIoffset\fP bytes from
 current object.
-If \fIaddress\fP is not the address of an object on the
-stack the result is undefined.
+If \fIaddress\fP is null, the stack is reset to the beginning.
+If it is non-null, but is not the address of an object on the
+stack, the program aborts and dumps core.
 .PP
 The \f5sfio\fP(3) output functions can be used to build
 current object incrementally.
diff --git a/src/lib/libast/misc/stk.c b/src/lib/libast/misc/stk.c
index 31cd0911dd29..f147ae4fec8c 100644
--- a/src/lib/libast/misc/stk.c
+++ b/src/lib/libast/misc/stk.c
@@ -331,9 +331,9 @@ int stkon(register Sfio_t * stream, register char* loc)
 }
 /*
  * reset the bottom of the current stack back to <loc>
- * if <loc> is not in this stack, then the stack is reset to the beginning
+ * if <loc> is null, then the stack is reset to the beginning
+ * if <loc> is not in this stack, the program dumps core
  * otherwise, the top of the stack is set to stkbot+<offset>
- *
  */
 char *stkset(register Sfio_t * stream, register char* loc, size_t offset)
 {
@@ -377,6 +377,9 @@ char *stkset(register Sfio_t * stream, register char* loc, size_t offset)
 			break;
 		frames++;
 	}
+	/* not found: produce a useful stack trace now instead of a useless one later */
+	if(loc)
+		abort();
 	/* set stack back to the beginning */
 	cp = (char*)(fp+1);
 	if(frames)
@@ -503,7 +506,7 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
 	register char *cp, *dp=0;
 	register size_t m = stktell(stream);
 	size_t endoff;
-	char *end=0;
+	char *end=0, *oldbase=0;
 	int nn=0,add=1;
 	n += (m + sizeof(struct frame)+1);
 	if(sp->stkflags&STK_SMALL)
@@ -519,6 +522,7 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
 		dp=sp->stkbase;
 		sp->stkbase = ((struct frame*)dp)->prev;
 		end = fp->end;
+		oldbase = dp;
 	}
 	endoff = end - dp;
 	cp = newof(dp, char, n, nn*sizeof(char*));
@@ -545,10 +549,10 @@ static char *stkgrow(register Sfio_t *stream, size_t size)
 	if(fp->nalias=nn)
 	{
 		fp->aliases = (char**)fp->end;
-		if(end && nn>1)
-			memmove(fp->aliases,end,(nn-1)*sizeof(char*));
+		if(end && nn>add)
+			memmove(fp->aliases,end,(nn-add)*sizeof(char*));
 		if(add)
-			fp->aliases[nn-1] = dp + roundof(sizeof(struct frame),STK_ALIGN);
+			fp->aliases[nn-1] = oldbase + roundof(sizeof(struct frame),STK_ALIGN);
 	}
 	if(m && !dp)
 	{