From 8476e6f4f922aa61c2305938e50127fef794e49c Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] pmap: Fix extended mode in one_proc(). Check the return value of sscanf() to make sure that all input items are properly initialized. In extended mode (x_option), one_proc() loads the values of start and perms during one iteration of the while loop, and displays them during one of the following iterations, but start and perms are variables local to the while loop: move them out of the while loop, to the beginning of the function. Also, display a mapping only if cp2 is properly initialized; otherwise (for example), mappings that do not belong to a selected range are displayed, and with a NULL mapping name: $ pmap -x -A 6FFF00000000,7FFF00000000 $$ ... Address Kbytes RSS Dirty Mode Mapping 000055b3d1e9b000 0 912 0 r-xp (null) 000055b3d2194000 0 16 16 r--p (null) 000055b3d2198000 0 36 36 rw-p (null) ... --- pmap.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/pmap.c b/pmap.c index 569c10ee..49a2a6a8 100644 --- a/pmap.c +++ b/pmap.c @@ -509,14 +509,17 @@ loop_end: /* We don't free() the list, it's used for all PIDs passed as arguments */ } -static int one_proc(proc_t * p) +static int one_proc(const proc_t * p) { char buf[32]; FILE *fp; unsigned long total_shared = 0ul; unsigned long total_private_readonly = 0ul; unsigned long total_private_writeable = 0ul; + unsigned KLONG start = 0; unsigned KLONG diff = 0; + unsigned KLONG end = 0; + char perms[32] = ""; const char *cp2 = NULL; unsigned long long rss = 0ull; unsigned long long private_dirty = 0ull; @@ -584,10 +587,8 @@ static int one_proc(proc_t * p) } while (fgets(mapbuf, sizeof mapbuf, fp)) { - char perms[32]; /* to clean up unprintables */ char *tmp; - unsigned KLONG start, end; unsigned long long file_offset, inode; unsigned dev_major, dev_minor; unsigned long long smap_value; @@ -613,8 +614,8 @@ static int one_proc(proc_t * p) continue; } if (strcmp("Swap", smap_key) == 0) { - /*doesn't matter as long as last */ - printf("%0*" KLF "x %*lu %*llu %*llu %*s %s\n", + /* doesn't matter as long as last */ + if (cp2) printf("%0*" KLF "x %*lu %*llu %*llu %*s %s\n", maxw1, start, maxw2, (unsigned long)(diff >> 10), maxw3, rss, @@ -623,16 +624,18 @@ static int one_proc(proc_t * p) cp2); /* reset some counters */ rss = shared_dirty = private_dirty = 0ull; - diff = 0; + start = diff = end = 0; + perms[0] = '\0'; + cp2 = NULL; continue; } } /* Other keys or not a key-value pair */ continue; } - sscanf(mapbuf, "%" KLF "x-%" KLF "x %31s %llx %x:%x %llu", &start, - &end, perms, &file_offset, &dev_major, &dev_minor, - &inode); + if (sscanf(mapbuf, "%" KLF "x-%" KLF "x %31s %llx %x:%x %llu", &start, + &end, perms, &file_offset, &dev_major, &dev_minor, &inode) != 7) + continue; if (end - 1 < range_low) continue;