From 662d0e0d84f9580b5c5f74a6503d997a097af7c9 Mon Sep 17 00:00:00 2001
From: jilles
Date: Fri, 14 Apr 2017 21:42:27 +0000
Subject: [PATCH] MFC r314686: sh: Fix crash if a -T trap is taken during command substitution.
Code like t=$(stat -f %m "$file") segfaulted if -T was active and a trap was taken while the shell was waiting for the child process to finish. What happened was that the dotrap() call in waitforjob() was hit. This re-entered command execution (including expand.c) at a point not expected by expbackq(), and global state (unallocated stack string and argbackq) was corrupted. To fix this, change expbackq() to prepare for command execution to be re-entered. In stable/10, there is more global state that needs to be restored than in stable/11 and head.
Reported by: bdrewery
git-svn-id: svn://svn.freebsd.org/base/stable/10@316942 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 bin/sh/expand.c | 15 +++++++++------
 bin/sh/tests/expansion/Makefile | 2 ++
 bin/sh/tests/expansion/cmdsubst21.0 | 6 ++++++
 bin/sh/tests/expansion/cmdsubst22.0 | 6 ++++++
 4 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 bin/sh/tests/expansion/cmdsubst21.0
 create mode 100644 bin/sh/tests/expansion/cmdsubst22.0
diff --git a/bin/sh/expand.c b/bin/sh/expand.c
index 2113ab7a3..f61c10bd2 100644
--- a/bin/sh/expand.c
+++ b/bin/sh/expand.c
@@ -439,9 +439,6 @@ expbackq(union node *cmd, int quoted, int flag)
  p = grabstackstr(dest);
  evalbackcmd(cmd, &in);
  ungrabstackstr(p, dest);
- ifsfirst = saveifs;
- ifslastp = savelastp;
- argbackq = saveargbackq;
  p = in.buf;
  lastc = '\0';
@@ -479,14 +476,20 @@ expbackq(union node *cmd, int quoted, int flag)
  close(in.fd);
  if (in.buf)
  ckfree(in.buf);
- if (in.jp)
+ if (in.jp) {
+ p = grabstackstr(dest);
  exitstatus = waitforjob(in.jp, (int *)NULL);
- if (quoted == 0)
- recordregion(startloc, dest - stackblock(), 0);
+ ungrabstackstr(p, dest);
+ }
  TRACE(("expbackq: size=%td: \"%.*s\"\n",
  ((dest - stackblock()) - startloc),
  (int)((dest - stackblock()) - startloc),
  stackblock() + startloc));
+ ifsfirst = saveifs;
+ ifslastp = savelastp;
+ if (quoted == 0)
+ recordregion(startloc, dest - stackblock(), 0);
+ argbackq = saveargbackq;
  expdest = dest;
  INTON;
 }
diff --git a/bin/sh/tests/expansion/Makefile b/bin/sh/tests/expansion/Makefile
index fd1c3bb0e..ecf1084ed 100644
--- a/bin/sh/tests/expansion/Makefile
+++ b/bin/sh/tests/expansion/Makefile
@@ -41,6 +41,8 @@ FILES+= cmdsubst17.0
 FILES+= cmdsubst18.0
 FILES+= cmdsubst19.0
 FILES+= cmdsubst20.0
+FILES+= cmdsubst21.0
+FILES+= cmdsubst22.0
 FILES+= export1.0
 FILES+= export2.0
 FILES+= export3.0
diff --git a/bin/sh/tests/expansion/cmdsubst21.0 b/bin/sh/tests/expansion/cmdsubst21.0
new file mode 100644
index 000000000..87ff6a9db
--- /dev/null
+++ b/bin/sh/tests/expansion/cmdsubst21.0
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+set -T
+trapped=''
+trap "trapped=x$trapped" TERM
+[ "x$($SH -c "kill $$")y" = xy ] && [ "$trapped" = x ]
diff --git a/bin/sh/tests/expansion/cmdsubst22.0 b/bin/sh/tests/expansion/cmdsubst22.0
new file mode 100644
index 000000000..97c6c98df
--- /dev/null
+++ b/bin/sh/tests/expansion/cmdsubst22.0
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+set -T
+trapped=''
+trap "trapped=x$trapped" TERM
+[ "x$(:; kill $$)y" = xy ] && [ "$trapped" = x ]
-- 
2.42.0
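Review bot: The new `grabstackstr(dest)`/`ungrabstackstr(p, dest)` pair around `waitforjob()` and the restores moved below `TRACE` have no comment, so the reason they must follow the wait lives only in the commit message. I would put above `if (in.jp) {` something like `/* waitforjob() may run a -T trap that re-enters expansion: keep dest allocated, and restore ifsfirst/ifslastp/argbackq only afterwards */`. `p` is reused here as the grab handle after serving as the read cursor (`p = in.buf;` in the earlier hunk), and a separate local would read more clearly. It is also worth confirming that a trap action leaving `waitforjob()` through the shell's error path does not rely on these globals being restored, since the restores used to run before the wait. expbackq() starts outside this hunk, so the save side of these variables is not visible here.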
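Review bot: In cmdsubst21.0 the trap action is double-quoted, so `$trapped` is expanded when the trap is installed and the action is always `trapped=x`. The final `[ "$trapped" = x ]` therefore passes whether the trap ran once or several times. If the test is also meant to catch a trap being run more than once after re-entry, single quotes would make the value accumulate: `trap 'trapped=x$trapped' TERM`. The same line appears in cmdsubst22.0.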