From: Herbert Xu <herbert@gondor.apana.org.au>
To: Daniel Snider <daniel.snider@upsun.com>
Cc: dash@vger.kernel.org
Subject: Re: [PATCH] input: Fix heap buffer overflow in preadbuffer for non-SMALL builds
Date: Sat, 14 Mar 2026 18:26:14 +0900 [thread overview]
Message-ID: <abUptrjFvOwWM5yL@gondor.apana.org.au> (raw)
In-Reply-To: <CAB_UPCCnoM-7oU=u51jCDGarLPTM5TzYWVSfhqWHaQP0BFpotQ@mail.gmail.com>
Daniel Snider <daniel.snider@upsun.com> wrote:
> From 0242b3e94da8de5043d5b2a8fba2f380347f6eaf Mon Sep 17 00:00:00 2001
> From: Daniel Snider <daniel.snider@platform.sh>
> Date: Fri, 20 Feb 2026 20:37:21 -0600
> Subject: [PATCH] input: Fix heap buffer overflow in preadbuffer for non-SMALL
> builds
>
> Commit a065467 ("input: Move newline loop into preadbuffer") removed a
> guard that prevented looping back to preadfd when no more characters
> remain in the buffer. In non-SMALL builds (with libedit), this causes
> preadbuffer to call preadfd again without resynchronising the buffer
> pointer, overwriting heap memory past the allocated IBUFSIZ input buffer.
>
> Any single-line shell input longer than IBUFSIZ (~8 KB) triggers a heap
> buffer overflow that corrupts glibc malloc metadata, resulting in
> SIGABRT or SIGSEGV.
>
> Reproducer (requires --with-libedit build):
>
> { printf 'export X='; head -c 16000 /dev/zero | tr '\0' A; echo; } > /tmp/t.sh
> dash -c '. /tmp/t.sh'
>
> Restore the guard so that "goto again" only fires when no characters
> have been consumed from the current buffer (q == parsefile->nextc),
> matching the pre-a065467 behaviour.
>
> Signed-off-by: Daniel Snider <daniel.snider@platform.sh>
> ---
> src/input.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks. This will be fixed with
https://patchwork.kernel.org/project/dash/patch/CAO_NRt5mv7E-qkSA2hE+4HsQMzpczrF9ZAWL-jKbW0Li1F3U0A@mail.gmail.com/
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
prev parent reply other threads:[~2026-03-14 9:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-22 11:09 [PATCH] input: Fix heap buffer overflow in preadbuffer for non-SMALL builds Daniel Snider
2026-03-14 9:26 ` Herbert Xu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abUptrjFvOwWM5yL@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=daniel.snider@upsun.com \
--cc=dash@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox