Fix arbitrary command execution/code injection bugs (#866)

* Security patch part 1

Never use $SHELL or sh.shpath when executing shebang-less scripts

- sh_ntfork(): Removed a misguided optimization that causes ksh to
  run scripts without a shebang using the binary pointed to by
  either $SHELL or sh.shpath. This has a few problems:
  - The shell in sh.shpath or more disastrously in $SHELL has
    no guarantee of being identical to the currently running
    copy of ksh93 or even existing at all, so using either is
    not only bogus, but potentially dangerous.
  - The optimization has no ability to pass down the current
    POSIX mode status to the script.
  - It's only activated for virtual subshells, resulting in
    arbitrarily different behavior depending on whether or
    not we're in a virtual subshell.
  - It does some weird stuff with /dev/fd that seems superfluous,
    and also lacks any SHOPT_DEVFD if directive. (Additionally,
    if it did have one, that stat(2) would likely become mere
    dead code and a waste of context switches.)

The optimization was probably intended to be used for running a
shebang-less script via posix_spawn, which is ostensibly faster
than fork. But this simply isn't possible without risking running
the shebang-less script in a shell environment different from
the current one. (If ksh were updated by the package manager
while ksh is still running, this optimization would cause the
script to run via the new version, rather than the currently
running older version.) The optimization is unfixable by design,
and as such must be removed to ensure correct behavior.

* Security patch part 2 (re: bae02c3)

rm setuid script code leading to arbitrary command execution

Changes:
- Delete code for setuid scripts on "Solaris 2.5+" because it
  allows for arbitrary command execution. One millisecond you think
  you're launching ksh, the next you're at the mercy of a hijacker.
  Example:
    SHELL=/bin/ppmflash /bin/ksh -l /dev/fd/0 < <(true)
    MANPATH: usage:  MANPATH flashfactor [ppmfile]
        flashfactor: 0.0 = original picture, 1.0 = total whiteout
  The pathshell() code doesn't *seem* to be vulnerable to privilege
  escalation, but who knows (cf. CVE-2019-14868; this might need its
  own CVE 2025. Maybe pathshell() should be scrapped entirely???)
- Add fickle but functional regression test (you may need to pass
  KSH=/bin/ksh or some such to get it to fail against vulnerable
  versions of ksh). The test uses a login shell via the -l option,
  but the bug *does not* need a login shell. See:
  #874 (comment)
  Modify the execveat reproducer to pass along environ (which
  could include a hijacked SHELL), and you're in for a BAD time.

Maybe the deleted code (introduced sometime within the period of 1995
and 1999) was relevant to some Solaris-specific use case or something.
Maybe the erasure even causes an incompatibility. But that code must
go; it's far too dangerous to execv whatever the hell pathshell gives
us during **init**. (Need I bring CVE-2019-14868 back to remembrance
again? This bug has similarities to that one.)

FWIW, all of the regression tests in the ksh and modernish suites pass
with this patch applied.

* Security patch part 3

Delete pathshell() and replace uses of it with safer equivalents

This function is a dangerous attack vector that ought not remain
in the code base. The value returned by astconf() is doubtless
safer than what is returned by pathshell().

* Other changes

The libast pathprog function and prog feature test are now unused,
and are removed.

Author: JohnoKing

NEWS

@@ -2,6 +2,23 @@ This documents significant changes in the dev branch of ksh 93u+m.
 For full details, see the git log at: https://github.com/ksh93/ksh
 Uppercase BUG_* IDs are shell bug IDs as used by the Modernish shell library.
 
+2025-06-14:
+
+- Fixed a bug occurring on systems with posix_spawn(3), spawnve(2), and
+  spawn(2), which when exploited could cause ksh93 to execute scripts
+  without a shebang with a shell other than itself, provided /bin/ksh
+  was hijacked, or in the case of ksh being unable to obtain it's own
+  executable path, whatever the SHELL variable was set to.
+
+- Fixed a bug that could cause scripts without a shebang to run
+  without POSIX mode enabled when executed in a virtual subshell.
+
+- Fixed a bug that could allow an attacker to hijack ksh93 during
+  shell initialization to execv a shell other than ksh itself, leading to
+  the ksh process being surreptitiously replaced with bash, zsh, or
+  really anything, provided the binary name ends with the letters
+  'sh'.
+
 2025-05-31:
 
 - Fixed a bug that caused the multiline option to break when PS*

src/cmd/ksh93/include/shell.h

@@ -225,8 +225,6 @@ struct sh_scoped
 	char		**otrapcom;	/* save parent EXIT and signals for v=$(trap) */
 	void		*timetrap;	/* for the 'alarm' built-in */
 	struct Ufunction *real_fun;	/* current 'function name' function */
-	int             repl_index;
-	char            *repl_arg;
 };
 
 struct limits
@@ -269,7 +267,6 @@ struct Shell_s
 	Namval_t	*bltin_nodes;
 	Namval_t	*bltin_cmds;
 	History_t	*hist_ptr;
-	char		*shpath;
 	char		*user;
 	char		**sigmsg;
 	char		**login_files;

src/cmd/ksh93/include/version.h

@@ -18,7 +18,7 @@
 #include <ast_release.h>
 #include "git.h"
 
-#define SH_RELEASE_DATE	"2025-06-09"	/* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE	"2025-06-14"	/* must be in this format for $((.sh.version)) */
 /*
  * This comment keeps SH_RELEASE_DATE a few lines away from SH_RELEASE_SVER to avoid
  * merge conflicts when cherry-picking dev branch commits onto a release branch.

src/cmd/ksh93/sh/init.c

@@ -1266,34 +1266,6 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
 	}
 	/* increase SHLVL */
 	sh.shlvl++;
-#if SHOPT_SPAWN
-	{
-		/*
-		 * try to find the pathname for this interpreter
-		 * try using environment variable _ or argv[0]
-		 */
-		char *cp=nv_getval(L_ARGNOD);
-		char buff[PATH_MAX+1];
-		size_t n;
-		sh.shpath = 0;
-		if((n = pathprog(NULL, buff, sizeof(buff))) > 0 && n <= sizeof(buff))
-			sh.shpath = sh_strdup(buff);
-		else if((cp && (sh_type(cp)&SH_TYPE_SH)) || (argc>0 && strchr(cp= *argv,'/')))
-		{
-			if(*cp=='/')
-				sh.shpath = sh_strdup(cp);
-			else if(cp = nv_getval(PWDNOD))
-			{
-				int offset = stktell(sh.stk);
-				sfputr(sh.stk,cp,'/');
-				sfputr(sh.stk,argv[0],-1);
-				pathcanon(stkptr(sh.stk,offset),PATH_DOTDOT);
-				sh.shpath = sh_strdup(stkptr(sh.stk,offset));
-				stkseek(sh.stk,offset);
-			}
-		}
-	}
-#endif
 	nv_putval(IFSNOD,(char*)e_sptbnl,NV_RDONLY);
 	astconfdisc(newconf);
 #if SHOPT_TIMEOUT
@@ -1306,7 +1278,6 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
 #endif
 	if(argc>0)
 	{
-		int dolv_index;
 		/* check for restricted shell */
 		if(type&SH_TYPE_RESTRICTED)
 			sh_onoption(SH_RESTRICTED);
@@ -1318,10 +1289,7 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
 			sh_done(0);
 		}
 		opt_info.disc = 0;
-		dolv_index = (argc - 1) - sh.st.dolc;
-		sh.st.dolv = argv + dolv_index;
-		sh.st.repl_index = dolv_index;
-		sh.st.repl_arg = argv[dolv_index];
+		sh.st.dolv = argv + (argc - 1) - sh.st.dolc;
 		sh.st.dolv[0] = argv[0];
 		if(sh.st.dolc < 1)
 		{

src/cmd/ksh93/sh/main.c

@@ -221,33 +221,12 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 				/* open stream should have been passed into shell */
 				if(strmatch(name,e_devfdNN))
 				{
-#if !_WINIX
-					char *cp;
-					int type;
-#endif
 					fdin = (int)strtol(name+8, NULL, 10);
 					if(fstat(fdin,&statb)<0)
 					{
 						errormsg(SH_DICT,ERROR_system(1),e_open,name);
 						UNREACHABLE();
 					}
-#if !_WINIX
-					/*
-					 * try to undo effect of Solaris 2.5+
-					 * change for argv for setuid scripts
-					 */
-					if(sh.st.repl_index > 0)
-						av[sh.st.repl_index] = sh.st.repl_arg;
-					if(((type = sh_type(cp = av[0])) & SH_TYPE_SH) && (name = nv_getval(L_ARGNOD)) && (!((type = sh_type(cp = name)) & SH_TYPE_SH)))
-					{
-						av[0] = (type & SH_TYPE_LOGIN) ? cp : path_basename(cp);
-						/* exec to change $0 for ps */
-						execv(pathshell(),av);
-						/* exec fails */
-						sh.st.dolv[0] = av[0];
-						fixargs(sh.st.dolv,1);
-					}
-#endif
 					name = av[0];
 					sh_offoption(SH_VERBOSE);
 					sh_offoption(SH_XTRACE);

src/cmd/ksh93/sh/path.c

@@ -1221,8 +1221,6 @@ pid_t path_spawn(const char *opath,char **argv, char **envp, Pathcomp_t *libpath
 		 */
 		if(spawn)
 		{
-			if(sh.subshell)
-				return -1;
 			do
 			{
 				if((pid=fork())>0)

src/cmd/ksh93/sh/xec.c

@@ -3365,26 +3365,6 @@ static pid_t sh_ntfork(const Shnode_t *t,char *argv[],int *jobid,int topfd)
 		job_fork(-1);
 		jobfork = 1;
 		spawnpid = path_spawn(path,argv,arge,pp,(grp<<1)|1);
-		if(spawnpid < 0 && errno==ENOEXEC)
-		{
-			char *devfd;
-			int fd = open(path,O_RDONLY);
-			argv[-1] = argv[0];
-			argv[0] = path;
-			if(fd>=0)
-			{
-				struct stat statb;
-				sfprintf(sh.strbuf,"/dev/fd/%d",fd);
-				if(stat(devfd=sfstruse(sh.strbuf),&statb)>=0)
-					argv[0] =  devfd;
-			}
-			if(!sh.shpath)
-				sh.shpath = pathshell();
-			spawnpid = path_spawn(sh.shpath,&argv[-1],arge,pp,(grp<<1)|1);
-			if(fd>=0)
-				close(fd);
-			argv[0] = argv[-1];
-		}
 	fail:
 		if(jobfork && spawnpid<0)
 			job_fork(-2);

src/cmd/ksh93/tests/basic.sh

@@ -1084,5 +1084,33 @@ wait "$parallel_5" || err_exit 'command substitution causes pipefail option to h
 wait "$parallel_6" || err_exit '"command | while read...done" finishing too fast'
 wait "$parallel_7" || err_exit 'early termination not causing broken pipe'
 
+# ======
+# Hijacking ksh93 via $SHELL for arbitrary command execution during initialization.
+# https://github.com/ksh93/ksh/issues/874
+bindir=$tmp/dir.$RANDOM/bin
+mkdir -p "$bindir"
+echo $'#!/bin/sh\necho "CODE INJECTION"' > "$bindir"/hijack_sh
+chmod +x "$bindir"/hijack_sh
+got=$(set +x; SHELL="$bindir"/hijack_sh "$SHELL" -l <(echo) 2>&1)
+[[ $got =~ "CODE INJECTION" ]] && err_exit 'ksh93 is vulnerable to being hijacked during init via $SHELL' \
+	"(got $(printf %q "$got"))"
+
+# Hijacking ksh93 shebang-less scripts for arbitrary command execution.
+# https://github.com/ksh93/ksh/pull/866
+export bindir
+print 'echo GOOD' > "$bindir/dummy.sh"
+chmod +x "$bindir/dummy.sh"
+cp "$SHELL" "$bindir/hijack_sh"
+exp=$'GOOD\nGOOD'
+got=$("$bindir/hijack_sh" -c $'print $\'\#!/bin/sh\necho HIJACKED\' > "$bindir/hijack_shell"
+chmod +x "$bindir/hijack_shell"
+rm "$bindir/hijack_sh"
+cp "$bindir/hijack_shell" "$bindir/hijack_sh"
+("$bindir/dummy.sh"); "$bindir/dummy.sh"; :')
+rm -r "$bindir"
+unset bindir
+[[ $exp == $got ]] || err_exit 'ksh93 shebang-less scripts are vulnerable to being hijacked for arbitrary code execution' \
+	"(exp $(printf %q "$exp"), got $(printf %q "$got"))"
+
 # ======
 exit $((Errors<125?Errors:125))

src/cmd/ksh93/tests/posix.sh

@@ -81,15 +81,13 @@ got=$(<out)
 [[ $got == "$exp" ]] || err_exit "incorrect --posix settings on invoking hashbangless script from posix shell (direct)" \
 	"(expected $(printf %q "$exp"), got $(printf %q "$got"))"
 
-: <<\DISABLED  # TODO: these do not pass yet, unless SHOPT_SPAWN is disabled.
 (./script) >|out
 got=$(<out)
 [[ $got == "$exp" ]] || err_exit "incorrect --posix settings on invoking hashbangless script from posix shell (subshell)" \
 	"(expected $(printf %q "$exp"), got $(printf %q "$got"))"
 got=$(./script)
 [[ $got == "$exp" ]] || err_exit "incorrect --posix settings on invoking hashbangless script from posix shell (comsub)" \
 	"(expected $(printf %q "$exp"), got $(printf %q "$got"))"
-DISABLED
 
 got=$("$SHELL" --posix -c "$(<script)")
 [[ $got == "$exp" ]] || err_exit "incorrect --posix settings on invoking -c script from posix shell" \

src/lib/libast/Mamfile

@@ -322,11 +322,6 @@ make install virtual
 		exec - invoke_iffe %{<}
 	done
 
-	make FEATURE/prog
-		makp features/prog
-		exec - invoke_iffe %{<}
-	done
-
 	make FEATURE/locale
 		makp features/locale
 		exec - invoke_iffe %{<}
@@ -1222,13 +1217,6 @@ make install virtual
 			exec - compile %{<}
 		done
 
-		make pathshell.o
-			make path/pathshell.c
-				prev include/ast.h
-			done
-			exec - compile %{<}
-		done
-
 		make pathcd.o
 			make path/pathcd.c
 				prev include/stk.h
@@ -1238,15 +1226,6 @@ make install virtual
 			exec - compile %{<}
 		done
 
-		make pathprog.o
-			make path/pathprog.c
-				prev FEATURE/prog
-				prev include/ast_windows.h
-				prev include/ast.h
-			done
-			exec - compile %{<}
-		done
-
 		make ftwalk.o
 			make misc/ftwalk.c
 				make include/ftwalk.h