Created attachment 191838 [details] Patch to fix the issue I have encountered and fixed an issue when the magic character ' ' is used. apply(1) checks for magic numbers to substitue. These magic numbers are used for argument substitution. You could write a command like $ apply '2to3 %1 %2' test1.py test2.py Which would run "2to3 test1.py test2.py". The magic character '%' can be replaced with the option -a. In my case, I replace it with ' '. The issue is that check for magic numbers and actual replacement happen in two different parts of the code. Between them, the command is prepended with "exec ", which is used for the shell invocation later on. The bug is triggered with an invocation like this: $ apply -a ' ' 2to3 test.py Segmentation fault (core dumped) $ _ The check for magic numbers is negative, because "2to3" has no magic number. But right after the check, it's extended to "exec 2to3". As I changed the magic character from '%' to ' ', suddenly it DOES contain a magic number. The code does not properly verify afterwards if enough arguments have been supplied and tries to access argv[2], which is NULL. The command crashes. This patch is based on my merge attempt of a previous FreeBSD bug into OpenBSD. You can see the discussion and OpenBSD's version of the patch here: https://marc.info/?l=openbsd-tech&m=152180028615405&w=2
A commit references this bug: Author: kevans Date: Wed Aug 8 21:21:29 UTC 2018 New revision: 337504 URL: https://svnweb.freebsd.org/changeset/base/337504 Log: apply(1): Fix magic number substitution with magic character ' ' Using a space as the magic character would result in problems if the command started with a number: - For a 'valid' number n, n < size of argv, it would erroneously get replaced with that argument; e.g. `apply -a ' ' -d 1rm x => `execxrm x` - For an 'invalid' number n, n >= size of argv, it would segfault. e.g. `apply -a ' ' 2to3 test.py` would try to access argv[2] This problem occurred because apply(1) would prepend "exec " to the command string before doing the actual magic number replacements, so it would come across "exec 2to3 1" and assume that the " 2" is also a magic number to be replaced. Re-work this to instead just append "exec " to the command sbuf and workaround the ugliness. This also simplifies stuff in the process. PR: 226948 Submitted by: Tobias Stoeckmann <tobias@stoeckmann.org> MFC after: 1 week Changes: head/usr.bin/apply/apply.c
Applied, thanks!
A commit references this bug: Author: kevans Date: Wed Aug 15 01:24:43 UTC 2018 New revision: 337825 URL: https://svnweb.freebsd.org/changeset/base/337825 Log: MFC r337504: apply(1): Fix magic number substitution with a magic space Using a space as the magic character would result in problems if the command started with a number: - For a 'valid' number n, n < size of argv, it would erroneously get replaced with that argument; e.g. `apply -a ' ' -d 1rm x => `execxrm x` - For an 'invalid' number n, n >= size of argv, it would segfault. e.g. `apply -a ' ' 2to3 test.py` would try to access argv[2] This problem occurred because apply(1) would prepend "exec " to the command string before doing the actual magic number replacements, so it would come across "exec 2to3 1" and assume that the " 2" is also a magic number to be replaced. Re-work this to instead just append "exec " to the command sbuf and workaround the ugliness. This also simplifies stuff in the process. PR: 226948 Changes: _U stable/11/ stable/11/usr.bin/apply/apply.c
Hi, I've no intention of MFC'ing this to stable/10 -- let me know if you need it there, though, and I will MFC it. Thanks, Kyle Evans