Commit Graph

387 Commits

Author SHA1 Message Date
Qualys Security Advisory
7efa102248 proc/escape.c: Prevent buffer overflows in escape_command().
This solves several problems:

1/ outbuf[1] was written to, but not outbuf[0], which was left
uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it
explicitly as well); we know it is safe to write one byte to outbuf,
because SECURE_ESCAPE_ARGS() guarantees it.

2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow.

3/ Do not call escape_str() with a 0 bufsize if bytes == overhead.

4/ Prevent various buffer overflows if bytes <= overhead.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
37ce162604 proc/escape.c: Prevent integer overflows in escape_str_utf8().
Simply rearrange the old comparisons. The new comparisons are safe,
because we know from previous checks that:

1/ wlen > 0

2/ my_cells < *maxcells (also: my_cells >= 0 and *maxcells > 0)

3/ len > 1

4/ my_bytes+1 < bufsize (also: my_bytes >= 0 and bufsize > 0)
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
8d359b04ab proc/escape.c: Handle negative wcwidth() return value.
This should never happen, because wcwidth() is called only if iswprint()
returns nonzero. But belt-and-suspenders, and make it visually clear
(very important for the next patch).
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
47303a3592 proc/escape.c: Make sure all escape*() arguments are safe.
The SECURE_ESCAPE_ARGS() macro solves several potential problems
(although we found no problematic calls to the escape*() functions in
procps's code-base, but had to thoroughly review every call; and this is
library code):

1/ off-by-one overflows if the size of the destination buffer is 0;

2/ buffer overflows if this size (or "maxroom") is negative;

3/ integer overflows (for example, "*maxcells+1");

4/ always null-terminate the destination buffer (unless its size is 0).
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
00ab5f0b32 proc/whattime.c: Always initialize buf.
In the human_readable case; otherwise the strcat() that follows may
append bytes to the previous contents of buf.

Also, slightly enlarge buf, as it was a bit too tight.

Could also replace all sprintf()s with snprintf()s, but all the calls
here output a limited number of characters, so they should be safe.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
7382ac88d5 proc/slab.c: Initialize struct slab_info in get_slabnode().
Especially its "next" member: this is what caused the crash in "slabtop:
Reset slab_list if get_slabinfo() fails." (if parse_slabinfo*() fails in
sscanf(), for example, then curr is set to NULL but it is already linked
into the "list" and its "next" member was never initialized).
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
a33be33885 proc/sysinfo.c: Fix off-by-one in get_pid_digits().
At "pidbuf[rc] = '\0';" if "rc = read()" returns "sizeof pidbuf"
(unlikely to ever happen, but still).
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
8136a7a664 proc/sysinfo.c: Prevent integer overflow of realloc() size. 2018-05-19 07:32:21 +10:00
Qualys Security Advisory
5b6ab39c6d proc/slab.c: Check correct number of items after sscanf(). 2018-05-19 07:32:21 +10:00
Qualys Security Advisory
3ccc6ed262 proc/slab.h: Fix off-by-one overflow in sscanf().
In proc/slab.c, functions parse_slabinfo20() and parse_slabinfo11(),
sscanf() might overflow curr->name, because "String input conversions
store a terminating null byte ('\0') to mark the end of the input; the
maximum field width does not include this terminator."

Add one byte to name[] for this terminator.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
bf12b14db9 proc/sig.c: Harden print_given_signals().
And signal_name_to_number().
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
3244e7ddb0 proc/devname.c: Never write more than "chop" (part 2).
"chop" is the maximum offset where the null-byte should be written;
respect this even if about to write just one (non-null) character.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
6b7ceb36a4 proc/devname.c: Never write more than "chop" characters.
This should be guaranteed by "tmp[chop] = '\0';" and "if(!c) break;" but
this patch adds a very easy belt-and-suspenders check.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
730bdc33e7 proc/devname.c: Prevent off-by-one overflow in dev_to_tty(). 2018-05-19 07:32:21 +10:00
Qualys Security Advisory
9f59bd5c52 proc/devname.c: Use snprintf() in link_name().
Found no problematic use case at the moment, but better safe than sorry.
Also, return an error on snprintf() or readlink() truncation.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
59666e6255 proc/version.h: Protect parameter in LINUX_VERSION() macro.
Just in case (no problematic use case at the moment).
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
f1077b7a55 proc/alloc.*: Use size_t, not unsigned int.
Otherwise this can truncate sizes on 64-bit platforms, and is one of the
reasons the integer overflows in file2strvec() are exploitable at all.
Also: catch potential integer overflow in xstrdup() (should never
happen, but better safe than sorry), and use memcpy() instead of
strcpy() (faster).

Warnings:

- in glibc, realloc(ptr, 0) is equivalent to free(ptr), but not here,
  because of the ++size;

- here, xstrdup() can return NULL (if str is NULL), which goes against
  the idea of the xalloc wrappers.

We were tempted to call exit() or xerrx() in those cases, but decided
against it, because it might break things in unexpected places; TODO?
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
98b79d1ef1 proc/alloc.c: Use vfprintf(), not fprintf().
This can disclose information from the stack, but is unlikely to have a
security impact in the context of the procps utilities:

user@debian:~$ w 2>&1 | xxd
00000000: a03c 79b7 1420 6661 696c 6564 2074 6f20  .<y.. failed to
00000010: 616c 6c6f 6361 7465 2033 3232 3137 3439  allocate 3221749
00000020: 3738 3020 6279 7465 7320 6f66 206d 656d  780 bytes of mem
00000030: 6f72 79                                  ory
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
7941bb512a proc/readproc.c: Add checks to get_ns_name() and get_ns_id(). 2018-05-19 07:32:21 +10:00
Qualys Security Advisory
3ce9f837a3 proc/sig.c: Fix the strtosig() function.
Do not memleak "copy" in case of an error.

Do not use "sizeof(converted)" in snprintf(), since "converted" is a
"char *" (luckily, 8 >= sizeof(char *)). Also, remove "sizeof(char)"
which is guaranteed to be 1 by the C standard, and replace 8 with 12,
which is enough to hold any stringified int and does not consume more
memory (in both cases, the glibc malloc()ates a minimum-sized chunk).
2018-05-19 07:32:21 +10:00
Craig Small
75bd099420 library: check not undef SIGLOST
sig.c had this odd logic where on non-Hurd systems it would undefine
SIGLOST. Fine for Hurd or amd64 Linux systems. Bad for a sparc which
has SIGLOST defined *and* is not Hurd.

Just check its defined, its much simpler.
2018-05-03 21:06:05 +10:00
Craig Small
5576c8e438 library: build on non-glibc systems
Some non-glibc systems didn't have libio.h or __BEGIN_DECLS
Changes to make it more standard.

References:
 issue #88
2018-04-10 21:28:11 +10:00
Craig Small
f46865eaf3 sysctl: fixup build system
Remove the external definition of the procio function.
2018-03-12 13:06:08 +11:00
Craig Small
c9be22a8c0 sysctl: Bring procio functions out of library
The procio functions that were in the library have been
moved into sysctl. sysctl is not linked to libprocps in
newlib and none of the other procps binaries would need
to read/write large data to the procfs.

References:
 be6b048a41
2018-03-01 21:25:04 +11:00
Craig Small
063838a7f5 docs: Change name of fprocopen man page
Add NEWS for sysctl large buffers
Rename manpage to fprocopen

References:
 be6b048a41
 procps-ng/procps!56
2018-02-28 21:24:03 +11:00
Werner Fink
e0ab7cff1f Add flexible buffered I/O based on fopencookie(3)
to be able to read and write large buffers below /proc.
The buffers and file offsets are handled dynamically
on the required buffer size at read, that is lseek(2)
is used to determine this size. Large buffers at
write are split at a delimeter into pieces and also
lseek(2) is used to write each of them.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
Sven Eden
776b0791ba Add support for elogind
A session manager similar to logind from systemd.
See https://github.com/elogind/elogind

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2017-12-29 15:57:14 +11:00
James Clarke
bd72ba3a4b sig: Move runtime signal count check to compile time
Since the value of number_of_signals is known at compile time, we can
use a compile-time check instead. This also adds SIGLOST for the Hurd,
uses the correct signal counts for the Hurd and FreeBSD, and only gives
a compile-time warning when compiled on an unknown platform that it does
not know whether the number of signals is correct.
2017-12-23 17:48:36 +11:00
Jim Warner
0003d704ac library: relocate the typedef used in alloc.h override
There is no longer justification for placing a typedef
employed in overriding that alloc.h message handler in
the procps.h header file. So this commit just moves it
to the alloc.h header file itself where's it's needed!

[ gosh, sure wish i had thought to relocate this guy ]
[ when the changes in the 1st commit shown were made ]

Reference(s):
. most recent related changes
commit 18e5aecd2b
. place where it *should* have been relocated
commit 2865ded64e

Signed-off-by: Jim Warner <james.warner@comcast.net>
2017-12-23 17:41:37 +11:00
Jim Warner
18e5aecd2b top: exploit msg handler override to avoid corrupt tty
Way back in November of 2011, the library was equipped
with an overridable error message handler function. It
was done expressly for a program like top which alters
the tty. But that support was withdrawn shortly after.

This was all done in the lead up to v3.3.2. That's the
release where NLS support was added and it represented
a hectic time. In hindsight, the changes went too far.

So this commit, in a minimal fashion, restores ability
to address a potential fatal library error. After all,
any properly behaving library would never unilaterally
subject a caller to a stderr message and then an exit.

[ when exposing 1 variable in libprocps.sym, 2 other ]
[ existing symbols were repositioned alphabetically. ]

Reference(s):
. generalized library memory provisions
commit 7126cc4491
. top exploit library memory provisions
commit 88087ec5a5
. library xalloc type functions made private
commit 2865ded64e
. restored prior top memory logic
commit 05f5deb97c

Signed-off-by: Jim Warner <james.warner@comcast.net>
2017-12-20 21:07:44 +11:00
Kyle Laker
5979696ada whattime: Fix formatting
Update formatting within the if block to two spaces
2017-09-23 17:32:29 +10:00
Kyle Laker
325d68b7c3 whattime: Show 0 minutes in pretty output
When supplying the -p command to uptime, it does not display any
sections where the value is less than 1; however, after a reboot, this
causes the command to just output "up". Showing 0 minutes when the
system has been up for less than a minute makes it clear a reboot just
occurred.
2017-09-23 17:32:29 +10:00
Wayne Porter
53e101452f Consolidated patch of previously merged CYGWIN support
The combined results of merge request #49 without that
overhead plus distortion in this repository's history.

Prototyped-by: Wayne Porter <wporter82@gmail.com>
2017-09-03 20:59:23 +10:00
Jim Warner
1a2ec0390a library: set stage for NUMA node field display support
In response to that suggestion referenced below, these
changes allow display of task/thread level NUMA nodes.

Currently, only the 'top' program offers any NUMA type
support and it is limited to the Summary Area display.
With this commit both the 'top' and 'ps' programs will
be able to display NUMA nodes associated with threads.

[ this patch has been adapted from the newlib branch ]
[ and implemented so as to preserve the existing ABI ]

Reference(s):
https://gitlab.com/procps-ng/procps/issues/58

Signed-off-by: Jim Warner <james.warner@comcast.net>
2017-05-22 21:34:32 +10:00
Jim Warner
629fa81b57 misc: eliminate all those remaining gcc -Wall warnings
Reference(s):
proc/readproc.c: In function 'statm2proc'
proc/readproc.c:627:9: warning: variable 'num' set but not used [-Wunused-but-set-variable]

ps/output.c: In function 'pr_context':
ps/output.c:1273:14: warning: unused variable 'tried_load' [-Wunused-variable]
ps/output.c:1272:16: warning: unused variable 'ps_is_selinux_enabled' [-Wunused-variable]
ps/output.c:1272:16: warning: 'ps_is_selinux_enabled' defined but not used [-Wunused-variable]
ps/output.c:1273:14: warning: 'tried_load' defined but not used [-Wunused-variable]
ps/output.c:1837:18: warning: 'shortsort_array_count' defined but not used [-Wunused-const-variable=]
ps/output.c:1803:18: warning: 'aix_array_count' defined but not used [-Wunused-const-variable=]

ps/parser.c: In function 'arg_type':
ps/parser.c:1098:3: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
ps/parser.c:1099:34: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'

ps/sortformat.c: In function 'format_parse':
ps/sortformat.c:241:1: warning: label 'out' defined but not used [-Wunused-label]

ps/stacktrace.c:176:13: warning: 'stack_trace_sigsegv' defined but not used [-Wunused-function]

watch.c: In function 'process_ansi':
watch.c:234:5: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
watch.c:237:2: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'

Signed-off-by: Jim Warner <james.warner@comcast.net>
2017-05-22 21:34:32 +10:00
Jan Rybar
19649938ec Merge branch 'fix-99d71ad' into 'master'
Fix 99d71ad

My previous patch has a regression. Please merge the fix of regression.

This is based on the following post.
http://www.freelists.org/post/procps/fix-regression-created-by-99d71ad

See merge request !29
2016-12-20 15:01:18 +00:00
Jim Warner
dc8e89119a misc: remove some trailing whitespace newly introduced
The commit (merge) referenced below added some useless
trailing whitespace, and this patch will correct such.

[ this also updates the NEWS file for the buglet fix ]

Gosh, if folks cannot coax their editors into avoiding
such crap they should remove the '.sample' suffix from
their '.git/hooks/pre-commit.sample' file. Thereafter,
git itself will reject changes with whitespace errors.

Reference(s):
commit cc1f49aeba

Signed-off-by: Jim Warner <james.warner@comcast.net>
2016-12-07 21:50:59 +11:00
Jan Rybar
fc7f60a6bc ps: removed stripping of prefixes off wchan data
resolves Red Hat Bugzilla #1322111
2016-11-22 16:58:14 +01:00
Takayuki Nagata
23ba442c88 libprocps: use float to calculate %use of slabtop
In some environments, 100 * nr_active_objs is calculated at first,
and the result of lower 32bits is divided by nr_objs. This occurs
even in a 64-bit architecture. So nr_active_objes > 42949672, %use
will be incorrect.

This fix casts type of nr_active_objs to float to calculate
correctly the %use in 32-bit/64-bit architectures.

Signed-off-by: Takayuki Nagata <tnagata@redhat.com>
2016-10-12 16:59:01 +09:00
Takayuki Nagata
636b48efd8 Revert "bprocps: fix order of operations for %use of slabinfo"
This reverts commit 99d71ad581.

When nr_active_objs / nr_objs is calculated, the result will be 1
or 0 since the variables are integer. So the commit is wrong.
2016-10-12 16:58:56 +09:00
Olof Sivertsson
586bfb7655 kill: Fix free() with bad pointer on SIG-prefixed signal-name
kill -l SIGHUP (or any other signal-name prefixed with "SIG")
would cause free() to be called with a bad pointer instead of
a pointer to what was allocated. Fix this and add test-case.
2016-09-08 22:32:18 +02:00
Jon Boden
8abd0c92ab library: Don't use SIGPWR on FreeBSD
FreeBSD doesn't have SIGPWR so makes no sense in warning and assuming
its 29.

References:
 https://bugs.debian/org/832148

Signed-off-by: Craig Small <csmall@enc.com.au>
2016-08-28 19:14:32 +10:00
Jim Warner
67a634dc4c library: revert one ancient 'escape_str_utf8' deletion
Profiling revealed a large amount of time spent in the
'escape_str_utf8' function (escape.c) with both of our
NLS branches (newlib and master). That same result was
not seen under an ancient top-3.2.8 program & library.

Well, the 3.2.8 result was ultimately explained by the
absence of a 'setlocale', necessary under NLS support.
Thus, when that ancient library tested for locale, all
it got was 'ANSI_...' & assumed 'UTF-8' wasn't active.

But after a hack to that ancient code to place it on a
par with newlib/master, I still found cost differences
that led me to revisit an old change referenced below.

It turns out that 'iswprint' costs far more than would
a call of 'isprint', even with the extra support code.
So this commit just reverts that five year old change.

[ this patch parallels a similar change under newlib ]

Reference(s):
commit 7b0fc19e9d

Signed-off-by: Jim Warner <james.warner@comcast.net>
2016-08-23 21:12:32 +10:00
Craig Small
1955657461 Merge branch 'find_elf_note_fix' into 'master'
Fixing invalid reads in find_elf_note due to setenv invocation

Resolves issue on mailing list from 12 Nov 2014 and Red Hat Bugzilla 1163404.

See merge request !20
2016-08-15 11:08:15 +00:00
Jan Rybar
ecabdaca41 Fixing invalid reads in find_elf_note due to setenv invocation
Resolves issue on mailing list and Red Hat Bugzilla 1163404.
2016-08-05 15:21:49 +02:00
Jan Rybar
c63a5a4af0 Fixing is_disk() which mistakes devices with name longer than 20 chars for partitions.
Associated with previous vmstat -d enhancement commit.
2016-08-04 13:55:01 +02:00
Craig Small
2e4959bab8 library: dont use vm_min_free on non-Linux systems
For a specific slice of kernel versions we can get a better
estimate of the available memory before the "real" available
figure appears around kernel 3.2

However, that middle method requires a /proc/sys/vm directory.
FreeBSD 9.x used to emulate a < 2.6.27 kernel procfs meaning
it never tried the middle method. FreeBSD 10.x emulates something
more modern, but without the available figure and without a
/proc/sys/vm, so the library falls into a hole.

Hurd may to one day have this bug so we'll exclude him as well
as its triggered by whatever number appears in
/proc/sys/kernel/osrelease

References:
 commit 3f3b1a59ad
 https://bugs.debian.org/831396
2016-07-17 09:06:24 +10:00
Jim Warner
25a6ecdbfb library: avoid QUICK_THREADS, swat Redhat bug #1284091
For this release, what's likely to be our last oldlib,
we really no longer care when top or ps threads access
is made a little less efficient. This is especially so
when efficiency was gained at the expense of accuracy.

The newlib branch already has turned off QUICK_THREADS
so this patch just brings the master branch into line.

Reference(s):
https://bugzilla.redhat.com/show_bug.cgi?id=1284091

Signed-off-by: Jim Warner <james.warner@comcast.net>
2016-07-09 13:23:27 +10:00
Craig Small
639c58312b library: rename clashing pwcache functions
On MacOS the system already has user_from_uid and group_from_gid.
These are renamed pwcache_get_user and pwcache_get_group.

For the old library, pwcache_get_user needs to be exported
for skill.

References:
 https://gitlab.com/procps-ng/procps/issues/34

Signed-off-by: Craig Small <csmall@enc.com.au>
2016-07-06 22:26:02 +10:00
Jim Warner
5d54dc0d2e library: play catchup with a new proc_t 'cgname' field
Since we're about to break the ABI/API anyway, why not
go ahead and add yet another field to our proc_t which
the newlib branch has had for awhile. This then allows
the top program to offer 'control group name' and will
also permit a few reductions in that ps program logic.

And let's also clean up some unrelated warnings below.

Clang warnings:
proc/readproc.c:1178:50: warning: address of array 'ent->d_name' will always evaluate to 'true' [-Wpointer-bool-conversion]
    if(unlikely(unlikely(!ent) || unlikely(!ent->d_name))) return 0;
                                           ~~~~~~^~~~~~
proc/readproc.c:1205:50: warning: address of array 'ent->d_name' will always evaluate to 'true' [-Wpointer-bool-conversion]
    if(unlikely(unlikely(!ent) || unlikely(!ent->d_name))) return 0;
                                           ~~~~~~^~~~~~

Signed-off-by: Jim Warner <james.warner@comcast.net>
2016-07-06 21:33:17 +10:00