Commit Graph

1979 Commits

Author SHA1 Message Date
Qualys Security Advisory
b51ca2a1f8 pgrep: Prevent a potential stack-based buffer overflow.
This is one of the worst issues that we found: if the strlen() of one of
the cmdline arguments is greater than INT_MAX (it is possible), then the
"int bytes" could wrap around completely, back to a very large positive
int, and the next strncat() would be called with a huge number of
destination bytes (a stack-based buffer overflow).

Fortunately, every distribution that we checked compiles its procps
utilities with FORTIFY, and the fortified strncat() detects and aborts
the buffer overflow before it occurs.

This patch also fixes a secondary issue: the old "--bytes;" meant that
cmdline[sizeof (cmdline) - 2] was never written to if the while loop was
never entered; in the example below, "ff" is the uninitialized byte:

((exec -ca `python3 -c 'print("A" * 131000)'` /usr/bin/cat < /dev/zero) | sleep 60) &
pgrep -a -P "$!" 2>/dev/null | hexdump -C
00000000  31 32 34 36 30 20 41 41  41 41 41 41 41 41 41 41  |12460 AAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00001000  41 41 41 41 ff 0a 31 32  34 36 32 20 73 6c 65 65  |AAAA..12462 slee|
00001010  70 20 36 30 0a                                    |p 60.|
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
40c4254318 pgrep: Always null-terminate the cmd*[] buffers.
Otherwise, man strncpy: "If there is no null byte among the first n
bytes of src, the string placed in dest will not be null-terminated."
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
35f58d8a3e pgrep: Initialize the cmd*[] stack buffers.
Otherwise (for example), if the (undocumented) opt_echo is set, but not
opt_long, and not opt_longlong, and not opt_pattern, there is a call to
xstrdup(cmdoutput) but cmdoutput was never initialized:

sleep 60 & echo "$!" > pidfile
env -i LD_DEBUG=`perl -e 'print "A" x 131000'` pkill -e -c -F pidfile | xxd
...
000001c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000001d0: 4141 4141 4141 4141 fcd4 e6bd e47f 206b  AAAAAAAA...... k
000001e0: 696c 6c65 6420 2870 6964 2031 3230 3931  illed (pid 12091
000001f0: 290a 310a                                ).1.
[1]+  Terminated              sleep 60

(the LD_DEBUG is just a trick to fill the initial stack with non-null
bytes, to show that there is uninitialized data from the stack in the
output; here, an address "fcd4 e6bd e47f")
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
d0d902f089 pgrep: Simplify the match_*() functions. 2018-05-19 07:32:21 +10:00
Qualys Security Advisory
5d2b44eaf6 pgrep: Replace buf+1 with buf in read_pidfile().
Unless we missed something, this makes it unnecessarily difficult to
read/audit.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
c1dbd41d2b pgrep: Replace ints with longs in strict_atol().
atol() means long, and value points to a long.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
4ea5b22d62 pgrep: Prevent integer overflow of list size.
Not exploitable (not under an attacker's control), but still a potential
non-security problem. Copied, fixed, and used the grow_size() macro from
pidof.c.
2018-05-19 07:32:21 +10:00
Qualys Security Advisory
657053f5d0 pgrep: Do not memleak the contents of proc_t.
memset()ing task and subtask inside their loops prevents free_acquired()
(in readproc() and readtask()) from free()ing their contents (especially
cmdline and environ).

Our solution is not perfect, because we still memleak the very last
cmdline/environ, but select_procs() is called only once, so this is not
as bad as it sounds.

It would be better to leave subtask in its block and call
free_acquired() after the loop, but this function is static (not
exported).

The only other solution is to use freeproc(), but this means replacing
the stack task/subtask with xcalloc()s, thus changing a lot of code in
pgrep.c (to pointer accesses).

Hence this imperfect solution for now.
2018-05-19 07:32:21 +10:00
Craig Small
75bd099420 library: check not undef SIGLOST
sig.c had this odd logic where on non-Hurd systems it would undefine
SIGLOST. Fine for Hurd or amd64 Linux systems. Bad for a sparc which
has SIGLOST defined *and* is not Hurd.

Just check its defined, its much simpler.
2018-05-03 21:06:05 +10:00
Craig Small
ca07bcad4d misc: fix ps etime tests
The test assumes only one process appears which, depending on the
speed of things, may not be true. It now matches one to many process
lines.
2018-04-10 22:09:40 +10:00
Craig Small
3afea8abab update translations 2018-04-10 21:37:39 +10:00
Craig Small
5576c8e438 library: build on non-glibc systems
Some non-glibc systems didn't have libio.h or __BEGIN_DECLS
Changes to make it more standard.

References:
 issue #88
2018-04-10 21:28:11 +10:00
Craig Small
58bff862fc free: fix scaling on 32-bit systems
Systems that have a 32-bit long would give incorrect results in free.

References:
 Issue #89
 https://www.freelists.org/post/procps/frees-scale-size-broken-with-32bit-long
2018-04-10 21:20:25 +10:00
Craig Small
1982a79ba8 misc: Update news about #91 2018-04-10 21:16:10 +10:00
Craig Small
791cb72d32 Revert "Support running with child namespaces"
This reverts commit dcb6914f11.

This commit broke a lot of scripts that were expecting to see all
programs. See #91
2018-04-10 21:14:01 +10:00
Craig Small
0b488c7f5c pgrep: Don't segfault with no match
If pgrep is run with a non-program name match and there are
no matches, it segfaults.

The testsuite thinks zero bytes sent, and zero bytes sent
because the program crashed is the same :/

References:
 commit 1aacf4af7f
 https://bugs.debian.org/894917

Signed-off-by: Craig Small <csmall@enc.com.au>
2018-04-06 23:00:29 +10:00
Craig Small
2fc2427ed3 misc: Update translations from Translation project 2018-04-01 17:37:10 +10:00
Craig Small
e22a5087dd 3.3.13 release candidate 1
Update NEWS with the version
Add library API change into NEWS
Update c:r:a for library to 7:0:1

This means the current and age are incremented, so old programs can
use new library but not vice-versa as they won't have the numa*
functions.
2018-03-12 16:30:58 +11:00
Craig Small
a1b7338b4a misc: Update translations
po4a is awful, basically.
2018-03-12 14:24:49 +11:00
Craig Small
f46865eaf3 sysctl: fixup build system
Remove the external definition of the procio function.
2018-03-12 13:06:08 +11:00
Craig Small
8954e4349c misc: update NEWS with some missed items 2018-03-03 18:59:17 +11:00
Craig Small
8517c86560 misc: Add link protection examples to sysctl.conf
Adds both examples to the sample sysctl.conf configuration file
to enable link protection for both hard and soft links.

Most kernels probably have this enabled anyhow.

References:
 https://bugs.debian.org/889098
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078
 561ec64ae6
2018-03-03 18:56:20 +11:00
Craig Small
69f4b6ec8e docs: Note limitation of finding scripts in pidof.1
pidof will miss scripts that are run a certain way due to how
they appear in procfs. This is just a note to say it might miss
them.

References:
 procps-ng/procps#17
2018-03-03 18:47:22 +11:00
Craig Small
d4a9a1e5d4 watch: use sysconf() for hostname length
Hurd doesn't have HOST_NAME_MAX, neither does Solaris.
An early fix just checked for this value and used 64 instead.
This change uses sysconf which is the correct method, possibly until
this compiles on some mis-behaving OS which doesn't have this value.

References:
 commit e564ddcb01
 procps-ng/procps#54
2018-03-03 18:36:44 +11:00
Craig Small
1a26eec12b sysctl: fix typo in help
Changed "a variables" to "the given variable(s)"

References:
 procps-ng/procps#84
2018-03-03 18:29:19 +11:00
Craig Small
7c7781a120 docs: Reword --exec option in watch.1
The manual page for watch for the exec option was confusing and
backwards. Hopefully this one makes more sense.

References:
 procps-ng/procps#75
2018-03-03 18:26:47 +11:00
Craig Small
3fc3a20523 Merge branch 'dbanerje/procps-namespace'
References:
 procps-ng/procps!41
2018-03-03 18:00:56 +11:00
Debabrata Banerjee
dcb6914f11 Support running with child namespaces
By default pgrep/pkill should not kill processes in a namespace it is not
part of. If this is allowed, it allows callers to break namespaces they did
not expect to affect, requiring rewrite of all callers to fix.

So by default, we should work in the current namespace. If --ns 0 is
specified, they we look at all namespaces, and if any other pid is specified
we continue to look in only that namespace.

Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
2018-03-03 17:59:18 +11:00
Jim Warner
029a463172 top: show that truncation indicator ('+') consistently
With a little luck, this should be the final tweak for
our support of extra wide characters. Currently, those
characters don't always display the '+' indicator when
they've been truncated. Now, it should always be seen.

[ plus it's done a tad more efficiently via snprintf ]

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-03-03 17:52:43 +11:00
Craig Small
5d0b094b8c ps: Add NEWS and checks for times and cputimes
The previous commit had one minor bug in it because the fields need
to be alphabetical and times comes after timeout.

Added NEWS item for this feature
Added another testsuite check for new flags in case they
disappear or go strange one day.

References:
 commit 8a94ed6111
2018-03-02 22:07:46 +11:00
Craig Small
942440d2a1 Merge branch 'sbigaret/procps-master'
References:
 procps-ng/procps!43
2018-03-02 21:59:47 +11:00
Sébastien Bigaret
8a94ed6111 ps: add times & cputimes format specifiers: cumulative CPU time in seconds
These format specifiers are to time & cputime what etimes is to etime.

Signed-off-by: Sébastien Bigaret <sebastien.bigaret@telecom-bretagne.eu>
2018-03-02 21:58:45 +11:00
Craig Small
cd289c88a0 misc: Add news entry for previous pidof 2018-03-02 21:47:50 +11:00
Craig Small
825469fcb6 Merge branch 'masatake/procps-pidof-sep-option'
References:
 procps-ng/procps!58
2018-03-02 21:43:27 +11:00
Masatake YAMATO
73492b182d pidof: allow to change a separator put between pids
I frequency use pidof command with strace system call tracer.
strace can trace MULTIPLE processes specified with "-p $PID"
arguments like:

	  strace -p 1 -p 1030 -p 3043

Sometimes I want to do as following

	  strace -p $(pidof httpd)

However, above command line doesn't work because -p option
is needed for specifying a pid. pidof uses a whitespace as
a separator. For passing the output to strace, the separator
should be replaced with ' -p '.

This maybe not a special to my use case.

This commit introduces -S option that allows a user to specify a
separator the one wants.

    $ ./pidof bash
    ./pidof bash
    24624 18790 12786 11898 11546 10766 7654 5095
    $ ./pidof -S ',' bash
    ./pidof -S ',' bash
    24624,18790,12786,11898,11546,10766,7654,5095
    $ ./pidof -S '-p ' bash
    ./pidof -S '-p ' bash
    24624-p 18790-p 12786-p 11898-p 11546-p 10766-p 7654-p 5095
    $ ./pidof -S ' -p ' bash
    ./pidof -S ' -p ' bash
    24624 -p 18790 -p 12786 -p 11898 -p 11546 -p 10766 -p 7654 -p 5095
    $ strace -p $(./pidof -S ' -p ' bash)
    strace -p $(./pidof -S ' -p ' bash)
    strace: Process 24624 attached
    strace: Process 18790 attached
    strace: Process 12786 attached
    ...

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2018-03-02 21:42:46 +11:00
Craig Small
c9be22a8c0 sysctl: Bring procio functions out of library
The procio functions that were in the library have been
moved into sysctl. sysctl is not linked to libprocps in
newlib and none of the other procps binaries would need
to read/write large data to the procfs.

References:
 be6b048a41
2018-03-01 21:25:04 +11:00
Craig Small
063838a7f5 docs: Change name of fprocopen man page
Add NEWS for sysctl large buffers
Rename manpage to fprocopen

References:
 be6b048a41
 procps-ng/procps!56
2018-02-28 21:24:03 +11:00
Craig Small
be6b048a41 Merge branch 'bitstreamout/procps-procio'
References:
 procps-ng/procps!56
2018-02-28 20:48:57 +11:00
Werner Fink
8dd64c413e Use new standard I/O for reading/writing sysctl values
thereby use one allocated buffer for I/O which now might
be increased by the stdio function getline(3) on the
file if required.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
Werner Fink
e0ab7cff1f Add flexible buffered I/O based on fopencookie(3)
to be able to read and write large buffers below /proc.
The buffers and file offsets are handled dynamically
on the required buffer size at read, that is lseek(2)
is used to determine this size. Large buffers at
write are split at a delimeter into pieces and also
lseek(2) is used to write each of them.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
Werner Fink
6559450503 Preload sysctl lines even if longer than stdio buffer
by using getline(3) to use a dynamically increased buffer
if required by the input found in sysctl configuration files.

Signed-off-by: Werner Fink <werner@suse.de>
2018-02-28 20:46:58 +11:00
Craig Small
3497521d63 docs: sysctl.8 clarify when w flag is required
The w flag is not needed for key=val type options but only forces all
options to be that format.

References:
 procps-ng/procps#83
2018-02-19 21:05:42 +11:00
Craig Small
4b74777bd2 Merge branch 'jrybar/procps-ps-luid'
Accept merge request procps-ng/procps!57
2018-02-19 20:43:18 +11:00
Jan Rybar
67bc433c17 ps: LUID format option impelemented 2018-02-19 20:41:40 +11:00
Jim Warner
0d352aa3d9 top: update copyright dates in source and man document
Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
Jim Warner
dddb8e1751 top: try to avoid premature truncation indicator ('+')
Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
Jim Warner
4e77b307dc top: avoid potential truncation with 'Inspect' feature
As it turns out, that Ukrainian 'demo' text supporting
the '=' command was 152 bytes long, up from an English
version of 80 bytes. Unfortunately, the buffer used to
format all such strings was insufficient at 128 bytes.

Depending on the width of one's terminal, some strange
result could be experienced when a multi-byte sequence
was truncated. So, this just makes that buffer bigger.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
Jim Warner
f3f90ab93c top: allow translated field headers to determine width
After wrestling with extra wide characters, supporting
languages like zh_CN, sometimes default/minimum column
widths might force a truncation of translated headers.

So, this commit explores one way that such truncations
could be avoided. It is designed so as to have minimal
impact on existing code, ultimately affecting just one
function. But it's off by default via its own #define.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
Jim Warner
3b53aba319 top: an efficiency tweak to extra wide character logic
When I recently added extra wide character support for
locales like zh_CN, I didn't worry about some overhead
associated with the new calls to 'mbtowc' & 'wcwidth'.
That's because such overhead was usually incurred with
user interactions, not a normal iterative top display.

There was, however, one area where this overhead would
impact the normal iterative top mode - that's with the
Summary display. So I peeked at the glibc source code.

As it turns out, the costs of executing those 'mbtowc'
and 'wcwidth' functions were not at all insignificant.
So, this patch will avoid them in the vast majority of
instances, while still enabling extra wide characters.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00
Jim Warner
2167dcbccb top: standardize width of the %CPU & %MEM columns at 5
There is (should be) no justification for changing the
width of the percentage columns (%CPU, %MEM) depending
on the BOOST_PERCNT #define. So this patch will ensure
that both columns are fixed at their former maximum 5.

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-02-19 20:37:24 +11:00