Fix /dev/fd/1 memory fault and $0 for /dev/fd scripts

Changes:
- sh_init(): Don't set $0 to the path to ksh. The correct behavior is to
  always use the script name, even when it's a /dev/fd file. The behavior
  of ksh93 should match that of bash and other shells. Please read:
  ksh93#866 (comment)
  ksh93#874 (comment)
- sh_main(): Do not attempt to optimize away sh_open() for the
  stdio fds (0, 1, 2) because that can cause buggy behavior.
  Ksh's handling of /dev/fd/1 and /dev/stdin should not differ. See:
  ksh93#879 (comment)
- exfile(): Don't dup or close fds for /dev/fd scripts with a file
  descriptor > 2. Those should be left open pursuant to the $0 name
  of the script. (This cannot be done safely for fds 1 and 2, so the
  stdio fds are all dup'ed, but not closed.)
- sh_main(): If the fd obtained for the script by sh_open() is <= 2,
  that means the shell was opened with one of the stdio fds closed,
  so for correct behavior use sh_iomovefd() to keep the stdio fd closed.
- sh_iomovefd(): As an optimization, move the fd to a number that's
  either >= 3 or >= 10, depending on what is most appropriate. This
  avoids a possible inefficient scenario of dup'ing an fd from
  0 -> 3 -> 10 (less syscalls is better for performance).
- sh_main(): Use O_CLOEXEC in advance for the fd (which is guaranteed to
  get close-on-exec via a later fcntl call; if we don't end up calling
  fcntl for whatever reason O_CLOEXEC will help avoid an extra syscall).
- basic.sh: Add regression tests for $0 and its associated fd. For the
  time being I've omitted a /dev/fd/1 regression test because I can't
  get one to work correctly with the pty tool.

Patch originally posted here:
ksh93#879 (comment)

Fixes ksh93#874
Fixes ksh93#877

Author: JohnoKing

NEWS

@@ -2,6 +2,20 @@ This documents significant changes in the dev branch of ksh 93u+m.
 For full details, see the git log at: https://github.com/ksh93/ksh
 Uppercase BUG_* IDs are shell bug IDs as used by the Modernish shell library.
 
+2025-07-11:
+
+- Fixed a bug that caused /dev/fd scripts to use the ksh binary for $0
+  rather than the actual /dev/fd file path to the script.
+
+- Fixed a bug that could cause the file descriptor for /dev/fd scripts
+  to be closed during init.
+
+- Fixed a bug that caused the inherited file descriptor for /dev/fd
+  scripts to wrongly get marked as close-on-exec.
+
+- Fixed a bug that could cause ksh to reopen stdout or stderr during
+  init in spite of a 1>&- or 2>&- redirect.
+
 2025-07-10:
 
 - Fixed a file descriptor leak introduced in 93u+ 2012-07-27 that occurred

src/cmd/ksh93/include/io.h

@@ -76,7 +76,7 @@
 
 extern int	sh_iocheckfd(int);
 extern void 	sh_ioinit(void);
-extern int 	sh_iomovefd(int);
+extern int 	sh_iomovefd(int,int);
 extern int	sh_iorenumber(int,int);
 extern void 	sh_pclose(int[]);
 extern int	sh_rpipe(int[],int);

src/cmd/ksh93/include/version.h

@@ -18,7 +18,7 @@
 #include <ast_release.h>
 #include "git.h"
 
-#define SH_RELEASE_DATE	"2025-07-10"	/* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE	"2025-07-11"	/* must be in this format for $((.sh.version)) */
 /*
  * This comment keeps SH_RELEASE_DATE a few lines away from SH_RELEASE_SVER to avoid
  * merge conflicts when cherry-picking dev branch commits onto a release branch.

src/cmd/ksh93/sh/init.c

@@ -1347,10 +1347,7 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit)
 	else
 		sh_offoption(SH_PRIVILEGED);
 	/* shname for $0 in profiles and . scripts */
-	if(sh_isdevfd(argv[1]))
-		sh.shname = sh_strdup(argv[0]);
-	else
-		sh.shname = sh_strdup(sh.st.dolv[0]);
+	sh.shname = sh_strdup(sh.st.dolv[0]);
 	/*
 	 * return here for shell script execution
 	 * but not for parenthesis subshells

src/cmd/ksh93/sh/io.c

@@ -897,20 +897,20 @@ int sh_chkopen(const char *name)
 }
 
 /*
- * move open file descriptor to a number > 2
+ * move open file descriptor to a number >= minfd
  */
-int sh_iomovefd(int fdold)
+int sh_iomovefd(int fdold, int minfd)
 {
 	int fdnew, dupflags;
 	if(fdold >= sh.lim.open_max)
 		sh_iovalidfd(fdold);
-	if(fdold<0 || fdold>2)
+	if(fdold<0 || fdold>=minfd)
 		return fdold;
 	if(sh.fdstatus[fdold]&IOCLEX)
 		dupflags = F_dupfd_cloexec;
 	else
 		dupflags = F_DUPFD;
-	fdnew = sh_iomovefd(fcntl(fdold,dupflags,3));
+	fdnew = sh_iomovefd(fcntl(fdold,dupflags,minfd),minfd);
 	if((sh.fdstatus[fdold]&IOCLEX) && F_dupfd_cloexec == F_DUPFD)
 		fcntl(fdnew,F_SETFD,FD_CLOEXEC);
 	sh.fdstatus[fdnew] = sh.fdstatus[fdold];
@@ -946,9 +946,9 @@ int	sh_pipe(int pv[], int cloexec)
 	sh.fdstatus[pv[0]] = IONOSEEK|IOREAD|cloexec;
 	sh.fdstatus[pv[1]] = IONOSEEK|IOWRITE|cloexec;
 	if(pv[0]<=2)
-		pv[0] = sh_iomovefd(pv[0]);
+		pv[0] = sh_iomovefd(pv[0],3);
 	if(pv[1]<=2)
-		pv[1] = sh_iomovefd(pv[1]);
+		pv[1] = sh_iomovefd(pv[1],3);
 	sh_subsavefd(pv[0]);
 	sh_subsavefd(pv[1]);
 	return 0;
@@ -978,9 +978,9 @@ int	sh_rpipe(int pv[], int cloexec)
 	sh.fdstatus[pv[0]] = IONOSEEK|IOREAD|cloexec;
 	sh.fdstatus[pv[1]] = IONOSEEK|IOWRITE|cloexec;
 	if(pv[0]<=2)
-		pv[0] = sh_iomovefd(pv[0]);
+		pv[0] = sh_iomovefd(pv[0],3);
 	if(pv[1]<=2)
-		pv[1] = sh_iomovefd(pv[1]);
+		pv[1] = sh_iomovefd(pv[1],3);
 	sh_subsavefd(pv[0]);
 	sh_subsavefd(pv[1]);
 	return 0;
@@ -1537,7 +1537,7 @@ int	sh_redirect(struct ionod *iop, int flag)
 				sh_close(fn);
 			}
 			if(flag==3)
-				return sh_iomovefd(fd);  /* ensure FD > 2 to make $(<file) work with std{in,out,err} closed */
+				return sh_iomovefd(fd,3);  /* ensure FD > 2 to make $(<file) work with std{in,out,err} closed */
 			if(fd>=0)
 			{
 				if(np)
@@ -1564,7 +1564,7 @@ int	sh_redirect(struct ionod *iop, int flag)
 				}
 				else
 				{
-					fd = sh_iorenumber(sh_iomovefd(fd),fn);
+					fd = sh_iorenumber(sh_iomovefd(fd,3),fn);
 					if(fn>2 && fn<10)
 						sh.inuse_bits |= (1<<fn);
 				}

src/cmd/ksh93/sh/main.c

@@ -64,6 +64,10 @@ static struct stat lastmail;
 static time_t	mailtime;
 static char	beenhere = 0;
 
+#if SHOPT_DEVFD
+#define GOT_DEVFD	2
+#endif
+
 /*
  * search for file and exfile() it if it exists
  * 1 returned if file found, 0 otherwise
@@ -125,7 +129,7 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 #endif
 	if(!beenhere)
 	{
-		beenhere++;
+		beenhere = 1;
 		sh_onstate(SH_PROFILE);
 		sh.sigflag[SIGTSTP] |= SH_SIGIGNORE;
 		/* decide whether shell is interactive */
@@ -218,11 +222,10 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 				fdin = 0;
 			else
 			{
-				char *sp;
+#if SHOPT_DEVFD
 				/* open stream should have been passed into shell */
-				if(strmatch(name,e_devfdNN))
+				if(strmatch(name,e_devfdNN) && (fdin=(int)strtol(name+8, NULL, 10)) > 2)
 				{
-					fdin = (int)strtol(name+8, NULL, 10);
 					if(fstat(fdin,&statb)<0)
 					{
 						errormsg(SH_DICT,ERROR_system(1),e_open,name);
@@ -231,11 +234,14 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 					name = av[0];
 					sh_offoption(SH_VERBOSE);
 					sh_offoption(SH_XTRACE);
+					beenhere = GOT_DEVFD;
 				}
 				else
+#endif /* SHOPT_DEVFD */
 				{
+					char *sp;
 					int isdir = 0;
-					if((fdin=sh_open(name,O_RDONLY,0))>=0 &&(fstat(fdin,&statb)<0 || S_ISDIR(statb.st_mode)))
+					if((fdin=sh_open(name,O_RDONLY|O_cloexec,0))>=0 &&(fstat(fdin,&statb)<0 || S_ISDIR(statb.st_mode)))
 					{
 						sh_close(fdin);
 						isdir = 1;
@@ -250,7 +256,7 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 							sp = stkptr(sh.stk,PATH_OFFSET);
 						if(sp)
 						{
-							if((fdin=sh_open(sp,O_RDONLY,0))>=0)
+							if((fdin=sh_open(sp,O_RDONLY|O_cloexec,0))>=0)
 								sh.st.filename = path_fullname(sp);
 						}
 					}
@@ -272,8 +278,14 @@ noreturn void sh_main(int ac, char *av[], Shinit_f userinit)
 							strcopy(name," \"$@\"");
 						goto shell_c;
 					}
-					if(fdin==0)
-						fdin = sh_iomovefd(fdin);
+					/*
+					 * Note: fdin could wind up being zero or some such if the
+					 *       shell was opened with stdin/stdout/stderr closed
+					 *       (i.e. 0>&-), so we move the fd in such a case to
+					 *       keep that file descriptor closed.
+					 */
+					if(fdin<=2)
+						fdin = sh_iomovefd(fdin,10);
 				}
 				sh.readscript = sh.shname;
 			}
@@ -347,28 +359,38 @@ static void	exfile(Sfio_t *iop,int fno)
 	{
 		if(fno > 0)
 		{
-			if(fno < 10)
+#if SHOPT_DEVFD
+			if(beenhere == GOT_DEVFD)
+				;  /* leave the inherited /dev/fd as is */
+			else
+#endif
 			{
-				int r = sh_fcntl(fno,F_dupfd_cloexec,10);
-				if(r >= 10)
+				if(fno < 10)
 				{
-					if(F_dupfd_cloexec != F_DUPFD)
-						sh.fdstatus[r] = sh.fdstatus[fno]|IOCLEX;
-					else
-						sh.fdstatus[r] = sh.fdstatus[fno];
-					sh_close(fno);
-					fno = r;
+					int r = sh_fcntl(fno,F_dupfd_cloexec,10);
+					if(r >= 10)
+					{
+						if(F_dupfd_cloexec != F_DUPFD)
+							sh.fdstatus[r] = sh.fdstatus[fno]|IOCLEX;
+						else
+							sh.fdstatus[r] = sh.fdstatus[fno];
+						/* leave std* fds open when they're not explicitly closed */
+						if(fno > 2)
+							sh_close(fno);
+						fno = r;
+					}
 				}
+				if(!(sh.fdstatus[fno]&IOCLEX))
+					sh_fcntl(fno,F_SETFD,FD_CLOEXEC);
 			}
-			if(!(sh.fdstatus[fno]&IOCLEX))
-				sh_fcntl(fno,F_SETFD,FD_CLOEXEC);
 			iop = sh_iostream(fno);
 		}
 		else
 			iop = sfstdin;
 	}
 	else
 		fno = -1;
+	beenhere = 1;
 	sh.infd = fno;
 	if(sh_isstate(SH_INTERACTIVE))
 	{

src/cmd/ksh93/sh/path.c

@@ -489,7 +489,7 @@ static int	opentype(const char *name, Pathcomp_t *pp, int fun)
 		}
 	}
 	while(fd<0 && nextpp);
-	if(fd>=0 && (fd = sh_iomovefd(fd)) > 0 && !(sh.fdstatus[fd]&IOCLEX))
+	if(fd>=0 && (fd = sh_iomovefd(fd,10)) > 0 && !(sh.fdstatus[fd]&IOCLEX))
 		sh_fcntl(fd,F_SETFD,FD_CLOEXEC);
 	return fd;
 }
@@ -1325,7 +1325,7 @@ static noreturn void exscript(char *path,char *argv[])
 		errormsg(SH_DICT,ERROR_system(ERROR_NOEXEC),e_exec,path);
 		UNREACHABLE();
 	}
-	sh.infd = sh_iomovefd(sh.infd);
+	sh.infd = sh_iomovefd(sh.infd,10);
 #if SHOPT_ACCT
 	sh_accbegin(path) ;  /* reset accounting */
 #endif	/* SHOPT_ACCT */

src/cmd/ksh93/tests/basic.sh

@@ -1134,7 +1134,30 @@ cp "$bindir/hijack_shell" "$bindir/hijack_sh"
 rm -r "$bindir"
 unset bindir
 [[ $exp == $got ]] || err_exit 'ksh93 shebang-less scripts are vulnerable to being hijacked for arbitrary code execution' \
-	"(exp $(printf %q "$exp"), got $(printf %q "$got"))"
+	"(expected $(printf %q "$exp"), got $(printf %q "$got"))"
+
+# ======
+# $0 should be the /dev/fd path for scripts executed from a /dev/fd file
+# https://github.com/ksh93/ksh/issues/874
+# https://github.com/ksh93/ksh/pull/879
+if ((SHOPT_DEVFD))
+then	# $0 should be the /dev/fd script name when the script is a process substitution
+	got=$("$SHELL" <(echo 'echo $0'))
+	if [[ ${got:0:7} != '/dev/fd' ]]
+	then err_exit '$0 is wrong for process substitution scripts' \
+		"(expected a /dev/fd file name, got $(printf %q "$got"))"
+	else	# The file descriptor for the /dev/fd script must remain open
+		if ! "$SHELL" <(echo '[[ -e $0 ]]')
+		then	err_exit 'the file descriptor corresponding to $0 is not open in /dev/fd scripts'
+		fi
+		# The file descriptor for the /dev/fd script should not be close-on-exec
+		typeset -x verify_fd_script=$tmp/verify-procsub-$RANDOM.ksh
+		echo '[[ -e $fd ]]' > "$verify_fd_script"
+		if ! "$SHELL" <(echo 'typeset -x fd=$0; "$SHELL" "$verify_fd_script"')
+		then	err_exit 'file descriptor for /dev/fd script is not passed on to child processes'
+		fi
+	fi
+fi
 
 # ======
 exit $((Errors<125?Errors:125))