Commit Graph

1879 Commits

Author SHA1 Message Date
b51ca2a1f8 pgrep: Prevent a potential stack-based buffer overflow.
This is one of the worst issues that we found: if the strlen() of one of
the cmdline arguments is greater than INT_MAX (it is possible), then the
"int bytes" could wrap around completely, back to a very large positive
int, and the next strncat() would be called with a huge number of
destination bytes (a stack-based buffer overflow).

Fortunately, every distribution that we checked compiles its procps
utilities with FORTIFY, and the fortified strncat() detects and aborts
the buffer overflow before it occurs.

This patch also fixes a secondary issue: the old "--bytes;" meant that
cmdline[sizeof (cmdline) - 2] was never written to if the while loop was
never entered; in the example below, "ff" is the uninitialized byte:

((exec -ca `python3 -c 'print("A" * 131000)'` /usr/bin/cat < /dev/zero) | sleep 60) &
pgrep -a -P "$!" 2>/dev/null | hexdump -C
00000000  31 32 34 36 30 20 41 41  41 41 41 41 41 41 41 41  |12460 AAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00001000  41 41 41 41 ff 0a 31 32  34 36 32 20 73 6c 65 65  |AAAA..12462 slee|
00001010  70 20 36 30 0a                                    |p 60.|
2018-05-19 07:32:21 +10:00
40c4254318 pgrep: Always null-terminate the cmd*[] buffers.
Otherwise, man strncpy: "If there is no null byte among the first n
bytes of src, the string placed in dest will not be null-terminated."
2018-05-19 07:32:21 +10:00
35f58d8a3e pgrep: Initialize the cmd*[] stack buffers.
Otherwise (for example), if the (undocumented) opt_echo is set, but not
opt_long, and not opt_longlong, and not opt_pattern, there is a call to
xstrdup(cmdoutput) but cmdoutput was never initialized:

sleep 60 & echo "$!" > pidfile
env -i LD_DEBUG=`perl -e 'print "A" x 131000'` pkill -e -c -F pidfile | xxd
...
000001c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000001d0: 4141 4141 4141 4141 fcd4 e6bd e47f 206b  AAAAAAAA...... k
000001e0: 696c 6c65 6420 2870 6964 2031 3230 3931  illed (pid 12091
000001f0: 290a 310a                                ).1.
[1]+  Terminated              sleep 60

(the LD_DEBUG is just a trick to fill the initial stack with non-null
bytes, to show that there is uninitialized data from the stack in the
output; here, an address "fcd4 e6bd e47f")
2018-05-19 07:32:21 +10:00
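The three pgrep commits above (b51ca2a1f8, 40c4254318 and 35f58d8a3e) share one root cause: a fixed-size stack buffer filled with strncpy()/strncat() under a signed "bytes remaining" counter, never zero-initialised and not reliably terminated. The block below is an added example written for this page, not procps code, that reproduces each defect on a small buffer with a constructed argv: the old int-minus-size_t arithmetic coming back as a large positive value once strlen() exceeds INT_MAX (the out-of-range conversion to int is implementation-defined; gcc and clang reduce it modulo 2^32), strncpy() leaving no terminator when the source fills the destination, and a hardened join that zero-initialises, counts in size_t and always terminates. The 4094-byte figure, the 3 GiB length and the argv contents are assumptions for illustration.

```c
/* Added example, not procps code: the three pgrep defects above, on a small
 * buffer so they are visible without a 2 GB argv.
 *   1. an int "bytes remaining" counter wrapping when strlen() > INT_MAX
 *   2. strncpy() leaving the destination unterminated
 *   3. a hardened join: zero-initialised, counted in size_t, always terminated
 * Build: cc -std=c11 -Wall -Wextra cmdline_join.c && ./a.out */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1. Same expression shape as the pre-fix loop: int counter minus a size_t.
 * For len > INT_MAX the result does not fit an int; gcc/clang reduce it
 * modulo 2^32 (implementation-defined), so it can come back positive and far
 * larger than the buffer, and a "bytes > 0" loop guard no longer stops the
 * following strncat(). */
int old_remaining(int bytes, size_t len)
{
    bytes -= len;
    return bytes;
}

/* 2. strncpy() writes no NUL when src is n bytes or longer. Returns 1 if the
 * destination holds a terminator within its first n bytes, 0 otherwise. */
int strncpy_terminated(const char *src, size_t n)
{
    char dst[16];
    if (n > sizeof dst)
        return 0;
    memset(dst, 'X', sizeof dst);            /* make a missing NUL obvious */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* 3. Join argv with single spaces into dst[dstsz], truncating if needed.
 * Never writes past dst, never leaves uninitialised bytes, and always
 * NUL-terminates. A separator with no room for at least one byte of the
 * next argument is not written. Returns the bytes stored, excluding the NUL. */
size_t join_cmdline(char *dst, size_t dstsz, char *const argv[])
{
    size_t used = 0;
    if (dstsz == 0)
        return 0;
    memset(dst, 0, dstsz);                   /* no uninitialised bytes leak out */
    for (size_t i = 0; argv[i] != NULL; i++) {
        size_t room = dstsz - 1 - used;      /* space left before the final NUL */
        if (i > 0) {
            if (room < 2)
                break;
            dst[used++] = ' ';
            room--;
        }
        size_t len = strlen(argv[i]);
        size_t n = len < room ? len : room;  /* min(): unsigned, cannot wrap */
        memcpy(dst + used, argv[i], n);
        used += n;
        if (n < len)
            break;                           /* truncated: stop, still in bounds */
    }
    dst[used] = '\0';
    return used;
}

/* Join a constructed argv (not a real process) into a dstsz-byte buffer and
 * report whether the result equals expected and is terminated. */
int join_matches(size_t dstsz, const char *expected)
{
    char buf[64];
    char *const argv[] = {"cat", "-A", "/dev/zero", NULL};
    if (dstsz > sizeof buf)
        return 0;
    size_t n = join_cmdline(buf, dstsz, argv);
    return n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* 3221225472 is 3 GiB: a cmdline argument length above INT_MAX */
    printf("old_remaining(4094, 3 GiB) = %d (buffer is 4094 bytes)\n",
           old_remaining(4094, 3221225472UL));
    printf("strncpy of 8 bytes with n=8: terminated? %d\n",
           strncpy_terminated("AAAAAAAA", 8));
    char buf[10];
    char *const argv[] = {"cat", "-A", "/dev/zero", NULL};
    join_cmdline(buf, sizeof buf, argv);
    printf("joined into 10 bytes: \"%s\"\n", buf);
    return 0;
}
```

The first printf shows why FORTIFY was the only thing standing between the old loop and a stack write: the counter reads as a little over 1 GiB of "remaining" space in a 4094-byte buffer. The join deliberately uses memcpy() with a computed length rather than strncat() with a remaining-bytes argument, so there is no signed quantity anywhere in the bound.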
d0d902f089 pgrep: Simplify the match_*() functions. 2018-05-19 07:32:21 +10:00
5d2b44eaf6 pgrep: Replace buf+1 with buf in read_pidfile().
Unless we missed something, this makes it unnecessarily difficult to
read/audit.
2018-05-19 07:32:21 +10:00
c1dbd41d2b pgrep: Replace ints with longs in strict_atol().
atol() means long, and value points to a long.
2018-05-19 07:32:21 +10:00
4ea5b22d62 pgrep: Prevent integer overflow of list size.
Not exploitable (not under an attacker's control), but still a potential
non-security problem. Copied, fixed, and used the grow_size() macro from
pidof.c.
2018-05-19 07:32:21 +10:00
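The list-size check referred to in 4ea5b22d62 is a standard defence against an allocation-size overflow: a geometrically growing element count multiplied by the element size can wrap, after which realloc() returns a buffer far smaller than the code believes it has. The following is an added example for this page, not the pidof.c grow_size() macro, showing a checked growth step and an append routine built on it. The growth formula cap * 5 / 4 + 4 and the int-list type are assumptions chosen for illustration.

```c
/* Added example, not the pidof.c grow_size() macro: a checked geometric
 * capacity step and an append routine that uses it. The growth formula
 * cap * 5 / 4 + 4 is an assumption for illustration. Two overflows are
 * guarded: the multiplication itself and the later count * element-size
 * product that realloc() receives.
 * Build: cc -std=c11 -Wall -Wextra grow.c && ./a.out */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Grow *cap for elements of elem_size bytes. Returns 1 on success, 0 if the
 * new element count or its byte size would not fit in size_t; *cap is then
 * left unchanged. */
int grow_capacity(size_t *cap, size_t elem_size)
{
    size_t cur = *cap;
    if (elem_size == 0 || cur > SIZE_MAX / 5)   /* cur * 5 must not wrap */
        return 0;
    size_t next = cur * 5 / 4 + 4;              /* <= SIZE_MAX / 4 + 4: safe */
    if (next > SIZE_MAX / elem_size)            /* next * elem_size must fit */
        return 0;
    *cap = next;
    return 1;
}

struct int_list {
    int *items;
    size_t len;
    size_t cap;
};

/* Append v. Returns 0 and leaves the list intact if growth is rejected or
 * realloc() fails. */
int list_push(struct int_list *l, int v)
{
    if (l->len == l->cap) {
        size_t cap = l->cap;
        if (!grow_capacity(&cap, sizeof *l->items))
            return 0;
        int *p = realloc(l->items, cap * sizeof *l->items);
        if (p == NULL)
            return 0;
        l->items = p;
        l->cap = cap;
    }
    l->items[l->len++] = v;
    return 1;
}

/* Apply grow_capacity() steps times from start; returns the final capacity,
 * or 0 if any step was rejected. */
size_t grow_steps(size_t start, int steps, size_t elem_size)
{
    size_t cap = start;
    for (int i = 0; i < steps; i++)
        if (!grow_capacity(&cap, elem_size))
            return 0;
    return cap;
}

/* Push n values into a fresh list and return its length, or 0 if a push
 * failed or a stored value does not read back correctly. */
size_t push_n(size_t n)
{
    struct int_list l = {NULL, 0, 0};
    size_t result = n;
    for (size_t i = 0; i < n; i++)
        if (!list_push(&l, (int)i))
            result = 0;
    for (size_t i = 0; result && i < l.len; i++)
        if (l.items[i] != (int)i)
            result = 0;
    free(l.items);
    return result;
}

int main(void)
{
    printf("0 -> %zu after 5 grows\n", grow_steps(0, 5, sizeof(int)));
    printf("grow from SIZE_MAX/5+1 accepted? %d\n",
           grow_steps(SIZE_MAX / 5 + 1, 1, 1) != 0);
    printf("pushed %zu items\n", push_n(1000));
    return 0;
}
```

As the commit says, the count here is not attacker-controlled, so a wrap is a robustness bug rather than an exploitable one; the check is cheap enough that it is worth having regardless of who controls the input.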
657053f5d0 pgrep: Do not memleak the contents of proc_t.
memset()ing task and subtask inside their loops prevents free_acquired()
(in readproc() and readtask()) from free()ing their contents (especially
cmdline and environ).

Our solution is not perfect, because we still memleak the very last
cmdline/environ, but select_procs() is called only once, so this is not
as bad as it sounds.

It would be better to leave subtask in its block and call
free_acquired() after the loop, but this function is static (not
exported).

The only other solution is to use freeproc(), but this means replacing
the stack task/subtask with xcalloc()s, thus changing a lot of code in
pgrep.c (to pointer accesses).

Hence this imperfect solution for now.
2018-05-19 07:32:21 +10:00
75bd099420 library: check not undef SIGLOST
sig.c had this odd logic where on non-Hurd systems it would undefine
SIGLOST. Fine for Hurd or amd64 Linux systems. Bad for a sparc which
has SIGLOST defined *and* is not Hurd.

Just check it's defined, it's much simpler.
2018-05-03 21:06:05 +10:00
ca07bcad4d misc: fix ps etime tests
The test assumes only one process appears which, depending on the
speed of things, may not be true. It now matches one to many process
lines.
2018-04-10 22:09:40 +10:00
3afea8abab update translations 2018-04-10 21:37:39 +10:00
5576c8e438 library: build on non-glibc systems
Some non-glibc systems didn't have libio.h or __BEGIN_DECLS
Changes to make it more standard.

References:
 issue #88
2018-04-10 21:28:11 +10:00
58bff862fc free: fix scaling on 32-bit systems
Systems that have a 32-bit long would give incorrect results in free.

References:
 Issue #89
 https://www.freelists.org/post/procps/frees-scale-size-broken-with-32bit-long
2018-04-10 21:20:25 +10:00
1982a79ba8 misc: Update news about #91 2018-04-10 21:16:10 +10:00
791cb72d32 Revert "Support running with child namespaces"
This reverts commit dcb6914f11.

This commit broke a lot of scripts that were expecting to see all
programs. See #91
2018-04-10 21:14:01 +10:00
0b488c7f5c pgrep: Don't segfault with no match
If pgrep is run with a non-program name match and there are
no matches, it segfaults.

The testsuite thinks zero bytes sent and zero bytes sent because the
program crashed are the same :/

References:
 commit 1aacf4af7f
 https://bugs.debian.org/894917

Signed-off-by: Craig Small <csmall@enc.com.au>
2018-04-06 23:00:29 +10:00
2fc2427ed3 misc: Update translations from Translation project 2018-04-01 17:37:10 +10:00
e22a5087dd 3.3.13 release candidate 1
Update NEWS with the version
Add library API change into NEWS
Update c:r:a for library to 7:0:1

This means the current and age are incremented, so old programs can
use new library but not vice-versa as they won't have the numa*
functions.
2018-03-12 16:30:58 +11:00
a1b7338b4a misc: Update translations
po4a is awful, basically.
2018-03-12 14:24:49 +11:00
f46865eaf3 sysctl: fixup build system
Remove the external definition of the procio function.
2018-03-12 13:06:08 +11:00
8954e4349c misc: update NEWS with some missed items 2018-03-03 18:59:17 +11:00
8517c86560 misc: Add link protection examples to sysctl.conf
Adds both examples to the sample sysctl.conf configuration file
to enable link protection for both hard and soft links.

Most kernels probably have this enabled anyhow.

References:
 https://bugs.debian.org/889098
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078
 561ec64ae6
2018-03-03 18:56:20 +11:00
69f4b6ec8e docs: Note limitation of finding scripts in pidof.1
pidof will miss scripts that are run a certain way due to how
they appear in procfs. This is just a note to say it might miss
them.

References:
 procps-ng/procps#17
2018-03-03 18:47:22 +11:00
d4a9a1e5d4 watch: use sysconf() for hostname length
Hurd doesn't have HOST_NAME_MAX, neither does Solaris.
An early fix just checked for this value and used 64 instead.
This change uses sysconf which is the correct method, possibly until
this compiles on some mis-behaving OS which doesn't have this value.

References:
 commit e564ddcb01
 procps-ng/procps#54
2018-03-03 18:36:44 +11:00
1a26eec12b sysctl: fix typo in help
Changed "a variables" to "the given variable(s)"

References:
 procps-ng/procps#84
2018-03-03 18:29:19 +11:00
7c7781a120 docs: Reword --exec option in watch.1
The manual page for watch for the exec option was confusing and
backwards. Hopefully this one makes more sense.

References:
 procps-ng/procps#75
2018-03-03 18:26:47 +11:00
3fc3a20523 Merge branch 'dbanerje/procps-namespace'
References:
 procps-ng/procps!41
2018-03-03 18:00:56 +11:00
dcb6914f11 Support running with child namespaces
By default pgrep/pkill should not kill processes in a namespace it is not
part of. If this is allowed, it allows callers to break namespaces they did
not expect to affect, requiring a rewrite of all callers to fix.

So by default, we should work in the current namespace. If --ns 0 is
specified, then we look at all namespaces, and if any other pid is specified
we continue to look in only that namespace.

Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
2018-03-03 17:59:18 +11:00
029a463172 top: show that truncation indicator ('+') consistently
With a little luck, this should be the final tweak for
our support of extra wide characters. Currently, those
characters don't always display the '+' indicator when
they've been truncated. Now, it should always be seen.

[ plus it's done a tad more efficiently via snprintf ]

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-03-03 17:52:43 +11:00
5d0b094b8c ps: Add NEWS and checks for times and cputimes
The previous commit had one minor bug in it because the fields need
to be alphabetical and times comes after timeout.

Added NEWS item for this feature
Added another testsuite check for new flags in case they
disappear or go strange one day.

References:
 commit 8a94ed6111
2018-03-02 22:07:46 +11:00
942440d2a1 Merge branch 'sbigaret/procps-master'
References:
 procps-ng/procps!43
2018-03-02 21:59:47 +11:00
8a94ed6111 ps: add times & cputimes format specifiers: cumulative CPU time in seconds
These format specifiers are to time & cputime what etimes is to etime.

Signed-off-by: Sébastien Bigaret <sebastien.bigaret@telecom-bretagne.eu>
2018-03-02 21:58:45 +11:00
cd289c88a0 misc: Add news entry for previous pidof 2018-03-02 21:47:50 +11:00
825469fcb6 Merge branch 'masatake/procps-pidof-sep-option'
References:
 procps-ng/procps!58
2018-03-02 21:43:27 +11:00
73492b182d pidof: allow to change a separator put between pids
I frequently use the pidof command with the strace system call tracer.
strace can trace MULTIPLE processes specified with "-p $PID"
arguments like:

	  strace -p 1 -p 1030 -p 3043

Sometimes I want to do as following

	  strace -p $(pidof httpd)

However, the above command line doesn't work because the -p option
is needed for specifying a pid. pidof uses whitespace as
a separator. For passing the output to strace, the separator
should be replaced with ' -p '.

This may not be special to my use case.

This commit introduces the -S option that allows a user to specify the
separator one wants.

    $ ./pidof bash
    ./pidof bash
    24624 18790 12786 11898 11546 10766 7654 5095
    $ ./pidof -S ',' bash
    ./pidof -S ',' bash
    24624,18790,12786,11898,11546,10766,7654,5095
    $ ./pidof -S '-p ' bash
    ./pidof -S '-p ' bash
    24624-p 18790-p 12786-p 11898-p 11546-p 10766-p 7654-p 5095
    $ ./pidof -S ' -p ' bash
    ./pidof -S ' -p ' bash
    24624 -p 18790 -p 12786 -p 11898 -p 11546 -p 10766 -p 7654 -p 5095
    $ strace -p $(./pidof -S ' -p ' bash)
    strace -p $(./pidof -S ' -p ' bash)
    strace: Process 24624 attached
    strace: Process 18790 attached
    strace: Process 12786 attached
    ...

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2018-03-02 21:42:46 +11:00
c9be22a8c0 sysctl: Bring procio functions out of library
The procio functions that were in the library have been
moved into sysctl. sysctl is not linked to libprocps in
newlib and none of the other procps binaries would need
to read/write large data to the procfs.

References:
 be6b048a41
2018-03-01 21:25:04 +11:00
063838a7f5 docs: Change name of fprocopen man page
Add NEWS for sysctl large buffers
Rename manpage to fprocopen

References:
 be6b048a41
 procps-ng/procps!56
2018-02-28 21:24:03 +11:00
be6b048a41 Merge branch 'bitstreamout/procps-procio'
References:
 procps-ng/procps!56
2018-02-28 20:48:57 +11:00
8dd64c413e Use new standard I/O for reading/writing sysctl values
thereby use one allocated buffer for I/O which now might
be increased by the stdio function getline(3) on the
file if required.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
e0ab7cff1f Add flexible buffered I/O based on fopencookie(3)
to be able to read and write large buffers below /proc.
The buffers and file offsets are handled dynamically
on the required buffer size at read, that is lseek(2)
is used to determine this size. Large buffers at
write are split at a delimiter into pieces and also
lseek(2) is used to write each of them.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
6559450503 Preload sysctl lines even if longer than stdio buffer
by using getline(3) to use a dynamically increased buffer
if required by the input found in sysctl configuration files.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
3497521d63 docs: sysctl.8 clarify when w flag is required
The w flag is not needed for key=val type options but only forces all
options to be that format.

References:
 procps-ng/procps#83
2018-02-19 21:05:42 +11:00
4b74777bd2 Merge branch 'jrybar/procps-ps-luid'
Accept merge request procps-ng/procps!57
2018-02-19 20:43:18 +11:00
67bc433c17 ps: LUID format option implemented 2018-02-19 20:41:40 +11:00
0d352aa3d9 top: update copyright dates in source and man document
Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
dddb8e1751 top: try to avoid premature truncation indicator ('+')
Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
4e77b307dc top: avoid potential truncation with 'Inspect' feature
As it turns out, that Ukrainian 'demo' text supporting
the '=' command was 152 bytes long, up from an English
version of 80 bytes. Unfortunately, the buffer used to
format all such strings was insufficient at 128 bytes.

Depending on the width of one's terminal, some strange
result could be experienced when a multi-byte sequence
was truncated. So, this just makes that buffer bigger.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
f3f90ab93c top: allow translated field headers to determine width
After wrestling with extra wide characters, supporting
languages like zh_CN, sometimes default/minimum column
widths might force a truncation of translated headers.

So, this commit explores one way that such truncations
could be avoided. It is designed so as to have minimal
impact on existing code, ultimately affecting just one
function. But it's off by default via its own #define.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
3b53aba319 top: an efficiency tweak to extra wide character logic
When I recently added extra wide character support for
locales like zh_CN, I didn't worry about some overhead
associated with the new calls to 'mbtowc' & 'wcwidth'.
That's because such overhead was usually incurred with
user interactions, not a normal iterative top display.

There was, however, one area where this overhead would
impact the normal iterative top mode - that's with the
Summary display. So I peeked at the glibc source code.

As it turns out, the costs of executing those 'mbtowc'
and 'wcwidth' functions were not at all insignificant.
So, this patch will avoid them in the vast majority of
instances, while still enabling extra wide characters.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
2167dcbccb top: standardize width of the %CPU & %MEM columns at 5
There is (should be) no justification for changing the
width of the percentage columns (%CPU, %MEM) depending
on the BOOST_PERCNT #define. So this patch will ensure
that both columns are fixed at their former maximum 5.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00