From db28d5668c1b184ffdfefe8c8d23f0bc3d3c7f15 Mon Sep 17 00:00:00 2001
From: pooka <pooka@NetBSD.org>
Date: Thu, 17 Feb 2011 15:13:49 +0000
Subject: [PATCH] Tell copyfd if the caller wants the exact tofd to just fd >=
 tofd. Fixes "echo foo > /rump/bar" in a rump hijacked shell.

reviewed by christos
---
 bin/sh/cd.c    |  6 +++---
 bin/sh/eval.c  | 12 ++++++------
 bin/sh/input.c |  6 +++---
 bin/sh/redir.c | 17 ++++++++++-------
 bin/sh/redir.h |  4 ++--
 5 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/bin/sh/cd.c b/bin/sh/cd.c
index 238d673a5b56..1bfa98710002 100644
--- a/bin/sh/cd.c
+++ b/bin/sh/cd.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd.c,v 1.40 2010/01/01 19:34:59 dholland Exp $	*/
+/*	$NetBSD: cd.c,v 1.41 2011/02/17 15:13:49 pooka Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)cd.c	8.2 (Berkeley) 5/4/95";
 #else
-__RCSID("$NetBSD: cd.c,v 1.40 2010/01/01 19:34:59 dholland Exp $");
+__RCSID("$NetBSD: cd.c,v 1.41 2011/02/17 15:13:49 pooka Exp $");
 #endif
 #endif /* not lint */
 
@@ -425,7 +425,7 @@ find_curdir(int noerror)
 			(void) close(pip[0]);
 			if (pip[1] != 1) {
 				close(1);
-				copyfd(pip[1], 1);
+				copyfd(pip[1], 1, 1);
 				close(pip[1]);
 			}
 			(void) execl("/bin/pwd", "pwd", (char *)0);
diff --git a/bin/sh/eval.c b/bin/sh/eval.c
index bf4d61b030b6..5a8d583fe426 100644
--- a/bin/sh/eval.c
+++ b/bin/sh/eval.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: eval.c,v 1.100 2010/06/03 16:14:13 christos Exp $	*/
+/*	$NetBSD: eval.c,v 1.101 2011/02/17 15:13:49 pooka Exp $	*/
 
 /*-
  * Copyright (c) 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)eval.c	8.9 (Berkeley) 6/8/95";
 #else
-__RCSID("$NetBSD: eval.c,v 1.100 2010/06/03 16:14:13 christos Exp $");
+__RCSID("$NetBSD: eval.c,v 1.101 2011/02/17 15:13:49 pooka Exp $");
 #endif
 #endif /* not lint */
 
@@ -520,14 +520,14 @@ evalpipe(union node *n)
 			INTON;
 			if (prevfd > 0) {
 				close(0);
-				copyfd(prevfd, 0);
+				copyfd(prevfd, 0, 1);
 				close(prevfd);
 			}
 			if (pip[1] >= 0) {
 				close(pip[0]);
 				if (pip[1] != 1) {
 					close(1);
-					copyfd(pip[1], 1);
+					copyfd(pip[1], 1, 1);
 					close(pip[1]);
 				}
 			}
@@ -591,7 +591,7 @@ evalbackcmd(union node *n, struct backcmd *result)
 			close(pip[0]);
 			if (pip[1] != 1) {
 				close(1);
-				copyfd(pip[1], 1);
+				copyfd(pip[1], 1, 1);
 				close(pip[1]);
 			}
 			eflag = 0;
@@ -905,7 +905,7 @@ normal_fork:
 			close(pip[0]);
 			if (pip[1] != 1) {
 				close(1);
-				copyfd(pip[1], 1);
+				copyfd(pip[1], 1, 1);
 				close(pip[1]);
 			}
 		}
diff --git a/bin/sh/input.c b/bin/sh/input.c
index 89a3a3e8e15c..4b9fd9f92983 100644
--- a/bin/sh/input.c
+++ b/bin/sh/input.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: input.c,v 1.43 2010/08/30 06:27:14 christos Exp $	*/
+/*	$NetBSD: input.c,v 1.44 2011/02/17 15:13:49 pooka Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)input.c	8.3 (Berkeley) 6/9/95";
 #else
-__RCSID("$NetBSD: input.c,v 1.43 2010/08/30 06:27:14 christos Exp $");
+__RCSID("$NetBSD: input.c,v 1.44 2011/02/17 15:13:49 pooka Exp $");
 #endif
 #endif /* not lint */
 
@@ -405,7 +405,7 @@ setinputfile(const char *fname, int push)
 	}
 
 	if (fd < 10) {
-		fd2 = copyfd(fd, 10);
+		fd2 = copyfd(fd, 10, 0);
 		close(fd);
 		if (fd2 < 0)
 			error("Out of file descriptors");
diff --git a/bin/sh/redir.c b/bin/sh/redir.c
index 788d1ddbeb5a..497963f0a81a 100644
--- a/bin/sh/redir.c
+++ b/bin/sh/redir.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: redir.c,v 1.30 2008/01/21 06:43:03 msaitoh Exp $	*/
+/*	$NetBSD: redir.c,v 1.31 2011/02/17 15:13:49 pooka Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)redir.c	8.2 (Berkeley) 5/4/95";
 #else
-__RCSID("$NetBSD: redir.c,v 1.30 2008/01/21 06:43:03 msaitoh Exp $");
+__RCSID("$NetBSD: redir.c,v 1.31 2011/02/17 15:13:49 pooka Exp $");
 #endif
 #endif /* not lint */
 
@@ -222,7 +222,7 @@ openredirect(union node *redir, char memory[10], int flags)
 			if (memory[redir->ndup.dupfd])
 				memory[fd] = 1;
 			else
-				copyfd(redir->ndup.dupfd, fd);
+				copyfd(redir->ndup.dupfd, fd, 1);
 		}
 		INTON;
 		return;
@@ -235,7 +235,7 @@ openredirect(union node *redir, char memory[10], int flags)
 	}
 
 	if (f != fd) {
-		copyfd(f, fd);
+		copyfd(f, fd, 1);
 		close(f);
 	}
 	INTON;
@@ -308,7 +308,7 @@ popredir(void)
                                 fd0_redirected--;
 			close(i);
 			if (rp->renamed[i] >= 0) {
-				copyfd(rp->renamed[i], i);
+				copyfd(rp->renamed[i], i, 1);
 				close(rp->renamed[i]);
 			}
 		}
@@ -375,11 +375,14 @@ clearredir(vforked)
  */
 
 int
-copyfd(int from, int to)
+copyfd(int from, int to, int equal)
 {
 	int newfd;
 
-	newfd = fcntl(from, F_DUPFD, to);
+	if (equal)
+		newfd = dup2(from, to);
+	else
+		newfd = fcntl(from, F_DUPFD, to);
 	if (newfd < 0) {
 		if (errno == EMFILE)
 			return EMPTY;
diff --git a/bin/sh/redir.h b/bin/sh/redir.h
index c9709e93bf26..923619fbd89b 100644
--- a/bin/sh/redir.h
+++ b/bin/sh/redir.h
@@ -1,4 +1,4 @@
-/*	$NetBSD: redir.h,v 1.15 2003/08/07 09:05:37 agc Exp $	*/
+/*	$NetBSD: redir.h,v 1.16 2011/02/17 15:13:49 pooka Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -44,5 +44,5 @@ void redirect(union node *, int);
 void popredir(void);
 int fd0_redirected_p(void);
 void clearredir(int);
-int copyfd(int, int);
+int copyfd(int, int, int);