From 586fd248570cdd61c88871a235864ee9fa7aef32 Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker
Date: Sat, 4 Mar 2017 22:58:34 +0000
Subject: [PATCH] sh: Fix crash if a -T trap is taken during command substitution.
Code like t=$(stat -f %m "$file") segfaulted if -T was active and a trap was taken while the shell was waiting for the child process to finish. What happened was that the dotrap() call in waitforjob() was hit. This re-entered command execution (including expand.c) at a point not expected by expbackq(), and global state (unallocated stack string and argbackq) was corrupted. To fix this, change expbackq() to prepare for command execution to be re-entered.
Reported by: bdrewery
MFC after: 1 week
---
 bin/sh/expand.c | 7 +++++--
 bin/sh/tests/expansion/Makefile | 2 ++
 bin/sh/tests/expansion/cmdsubst21.0 | 6 ++++++
 bin/sh/tests/expansion/cmdsubst22.0 | 6 ++++++
 4 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 bin/sh/tests/expansion/cmdsubst21.0
 create mode 100644 bin/sh/tests/expansion/cmdsubst22.0
diff --git a/bin/sh/expand.c b/bin/sh/expand.c
index be0f53ed051d..832b51f12f53 100644
--- a/bin/sh/expand.c
+++ b/bin/sh/expand.c
@@ -460,7 +460,6 @@ expbackq(union node *cmd, int quoted, int flag, struct worddest *dst)
 p = grabstackstr(dest);
 evalbackcmd(cmd, &in);
 ungrabstackstr(p, dest);
- argbackq = saveargbackq;
 p = in.buf;
 nnl = 0;
@@ -514,12 +513,16 @@ expbackq(union node *cmd, int quoted, int flag, struct worddest *dst)
 close(in.fd);
 if (in.buf)
 ckfree(in.buf);
- if (in.jp)
+ if (in.jp) {
+ p = grabstackstr(dest);
 exitstatus = waitforjob(in.jp, (int *)NULL);
+ ungrabstackstr(p, dest);
+ }
 TRACE(("expbackq: size=%td: \"%.*s\"\n",
 ((dest - stackblock()) - startloc),
 (int)((dest - stackblock()) - startloc),
 stackblock() + startloc));
+ argbackq = saveargbackq;
 expdest = dest;
 INTON;
 }
diff --git a/bin/sh/tests/expansion/Makefile b/bin/sh/tests/expansion/Makefile
index 3c0dfa31923d..c0622323517b 100644
--- a/bin/sh/tests/expansion/Makefile
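Review bot: The `grabstackstr(dest)` / `ungrabstackstr(p, dest)` pair added around `waitforjob()` in the second expand.c hunk carries no comment, so it reads like redundant bookkeeping that a later cleanup could remove and bring the state corruption back. I would put `/* waitforjob() may run a trap (set -T) and re-enter expansion; keep the stack string allocated. */` above `p = grabstackstr(dest);`, and a short remark on the relocated `argbackq = saveargbackq;` saying it must stay after the last call that can re-enter. The restore now sits only on the normal exit path; whether an error raised from inside the trap handler can leave `argbackq` pointing at stale data depends on exception handling not visible in these hunks, so that is worth confirming. `expbackq()` begins outside both hunks.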
+++ b/bin/sh/tests/expansion/Makefile
@@ -42,6 +42,8 @@ ${PACKAGE}FILES+= cmdsubst17.0
 ${PACKAGE}FILES+= cmdsubst18.0
 ${PACKAGE}FILES+= cmdsubst19.0
 ${PACKAGE}FILES+= cmdsubst20.0
+${PACKAGE}FILES+= cmdsubst21.0
+${PACKAGE}FILES+= cmdsubst22.0
 ${PACKAGE}FILES+= export1.0
 ${PACKAGE}FILES+= export2.0
 ${PACKAGE}FILES+= export3.0
diff --git a/bin/sh/tests/expansion/cmdsubst21.0 b/bin/sh/tests/expansion/cmdsubst21.0
new file mode 100644
index 000000000000..87ff6a9db4ad
--- /dev/null
+++ b/bin/sh/tests/expansion/cmdsubst21.0
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+set -T
+trapped=''
+trap "trapped=x$trapped" TERM
+[ "x$($SH -c "kill $$")y" = xy ] && [ "$trapped" = x ]
diff --git a/bin/sh/tests/expansion/cmdsubst22.0 b/bin/sh/tests/expansion/cmdsubst22.0
new file mode 100644
index 000000000000..97c6c98dff87
--- /dev/null
+++ b/bin/sh/tests/expansion/cmdsubst22.0
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+set -T
+trapped=''
+trap "trapped=x$trapped" TERM
+[ "x$(:; kill $$)y" = xy ] && [ "$trapped" = x ]
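Review bot: In cmdsubst21.0 the trap is installed with double quotes, `trap "trapped=x$trapped" TERM`, so `$trapped` is expanded once at install time (it is empty then) and the handler is always `trapped=x`. The final check `[ "$trapped" = x ]` therefore passes whether the trap ran once or several times; if the accumulating form was meant to catch a doubled delivery, single quotes are needed: `trap 'trapped=x$trapped' TERM`. cmdsubst22.0 has the same line. A one-line comment saying that the test covers a TERM trap taken under `set -T` while the shell waits for the command substitution would also help the next reader.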