Several of these buffer overflows can actually be triggered (through the
configuration file for example): in config_file(), inspection_utility(),
and show_special().
The default action for SIGURG is to ignore the signal, for example.
This is very similar to the patch "ps/display.c: Always exit from
signal_handler()."
Every time sortindx is used as an index, or loaded from the
configuration file. Otherwise it leads to out-of-bounds reads and
arbitrary code execution.
Otherwise they may lead to out-of-bounds writes (snprintf() returns the
number of characters which would have been written if enough space had
been available).
Also, make sure buf is null-terminated after COLPLUSCH has been written.
Otherwise they lead to out-of-bounds reads and format-string bugs.
Since these variables are set/written to in several places (for example,
config_file()), check them in the only place where they are read/used.
Also, constify the static gtab[]s.
If the HOME environment variable is not set, or not absolute, use the
home directory returned by getpwuid(getuid()), if set and absolute
(instead of the cwd "."); otherwise, set p_home to NULL.
To keep the changes to a minimum, we rely on POSIX, which requires that
fopen() fails with ENOENT if the pathname (Rc_name) is an empty string.
This integrates well into the existing code, and makes write_rcfile()
work without a change.
Also, it makes the code in configs_read() easier to follow: only set and
use p_home if safe, and only set Rc_name if safe (in all the other cases
it is the empty string, and the fopen() calls fail). Plus, check for
snprintf() truncation (and if it happens, reset Rc_name to the empty
string).
Important note: top.1 should probably be updated, since it mentions the
fallback to the current working directory.
With a little luck, this should be the final tweak for
our support of extra wide characters. Currently, those
characters don't always display the '+' indicator when
they've been truncated. Now, it should always be seen.
[ plus it's done a tad more efficiently via snprintf ]
Signed-off-by: Jim Warner <james.warner@comcast.net>
As it turns out, that Ukrainian 'demo' text supporting
the '=' command was 152 bytes long, up from an English
version of 80 bytes. Unfortunately, the buffer used to
format all such strings was insufficient at 128 bytes.
Depending on the width of one's terminal, some strange
result could be experienced when a multi-byte sequence
was truncated. So, this just makes that buffer bigger.
Signed-off-by: Jim Warner <james.warner@comcast.net>
After wrestling with extra wide characters, supporting
languages like zh_CN, sometimes default/minimum column
widths might force a truncation of translated headers.
So, this commit explores one way that such truncations
could be avoided. It is designed so as to have minimal
impact on existing code, ultimately affecting just one
function. But it's off by default via its own #define.
Signed-off-by: Jim Warner <james.warner@comcast.net>
When I recently added extra wide character support for
locales like zh_CN, I didn't worry about some overhead
associated with the new calls to 'mbtowc' & 'wcwidth'.
That's because such overhead was usually incurred with
user interactions, not a normal iterative top display.
There was, however, one area where this overhead would
impact the normal iterative top mode - that's with the
Summary display. So I peeked at the glibc source code.
As it turns out, the costs of executing those 'mbtowc'
and 'wcwidth' functions were not at all insignificant.
So, this patch will avoid them in the vast majority of
instances, while still enabling extra wide characters.
Signed-off-by: Jim Warner <james.warner@comcast.net>
There is (should be) no justification for changing the
width of the percentage columns (%CPU, %MEM) depending
on the BOOST_PERCNT #define. So this patch will ensure
that both columns are fixed at their former maximum 5.
Signed-off-by: Jim Warner <james.warner@comcast.net>
With the documentation update in the commit referenced
below, we should also account for such threads as they
will already be represented in the task/thread totals.
[ and do it in a way that might avoid future changes ]
Reference(s):
commit a238a687ce
Signed-off-by: Jim Warner <james.warner@comcast.net>
Back when top was refactored to support UTF-8 encoding
it was acknowledged that languages like zh_CN were not
supported. That was because a single 'character' might
require more than a single 'column' when it's printed.
Well I've now figured out how to accommodate languages
like that. My adaptation is represented in this patch.
[ and just in case someone wishes to avoid the extra ]
[ runtime costs, a #define OFF_XTRAWIDE is included. ]
Along the way, I've cleaned up some miscellaneous code
supporting the 'Inspect' feature so that the rightmost
screen column was always used rather than being blank.
[ interestingly, my xterm & urxvt terminal emulators ]
[ are able to split extra wide characters then print ]
[ 1/2 of such graphics in the last column. the gnome ]
[ terminal emulator does not duplicate such behavior ]
[ but prints 1 extra character in same width window. ]
Reference(s):
. Sep, 2017 - original utf8 support
commit 7ef38420a4
Signed-off-by: Jim Warner <james.warner@comcast.net>
When the new approach for startup defaults was adopted
in the reference below, a file might be left open that
technically should be closed. This situation arises in
the unlikely event the #define RCFILE_NOERR is active.
Without that #define, the program will exit early thus
rendering the open file issue moot. However, even with
that #define there was no real harm with an open file.
It simply meant a 2nd FILE struct would have been used
when, or if, the rcfile was written via a 'W' command.
Anyway, this patch ensures such a file will be closed.
Reference(s):
. Dec, 2017 - /etc/topdefaultrc introduced
commit 3e6a208ae5
Signed-off-by: Jim Warner <james.warner@comcast.net>
Those references below offer more detail regarding the
default startup changes beginning with version 3.3.10.
It is important to remember that all such changes were
supposed to impact only new users or users who had not
saved the personal config file (via that 'W' command).
However, I introduced a bug wherein the rcfile was not
fully honored. This gave the changes a bad reputation.
That bug was corrected in release 3.3.11 but the issue
of default startup options keeps resurfacing. And it's
clear there's no consensus on what should be included.
Our --disable-modern-top configure option is of little
help since it remains an all-or-nothing approach. What
we need is an answer offering unlimited customization.
So, this commit will provide distribution packagers or
system administrators with a much more flexible way to
set their own preferred startup default configuration.
A new rcfile is being introduced: '/etc/topdefaultrc',
whose format/content is the same as a personal rcfile.
Thus once a 'proper' enterprise configuration has been
established and saved via 'W', it can be copied to the
/etc/ directory. Thereafter, startup in the absence of
a saved rcfile will use that configuration as default.
Now if a distribution packager or system administrator
wishes to expose their users to some of top's advanced
capabilities they can do so gradually. Perhaps setting
up graph mode for summary area task and memory display
while retaining the %CPU sort could be tried. Or maybe
showing colors, but better customized for a particular
terminal emulator. Such possibilities are now endless.
[ in exploiting this new capability, i hope that the ]
[ other windows (alt display mode) aren't overlooked ]
Reference(s):
. Sep, 2014 - Not fully honoring rcfile bug discussed
https://www.freelists.org/post/procps/top-saved-rcfile-bug
. Oct, 2014 - Attempt to defend new startup defaults
https://bugzilla.redhat.com/show_bug.cgi?id=1153049
. Jul, 2015 - Forest vs. %CPU views discussion
https://gitlab.com/procps-ng/procps/issues/6
. Oct, 2017 - Question the use of --disable-modern-top
https://bugzilla.redhat.com/show_bug.cgi?id=1499410
. Oct, 2017 - Forest vs. %CPU views discussion again
https://www.freelists.org/post/procps/Forest-mode-by-default-in-top-seems-a-bit-strange
. Dec, 2017 - Rehash of 3.3.10 startup defaults change
https://gitlab.com/procps-ng/procps/issues/78
Signed-off-by: Jim Warner <james.warner@comcast.net>
Way back in November of 2011, the library was equipped
with an overridable error message handler function. It
was done expressly for a program like top which alters
the tty. But that support was withdrawn shortly after.
This was all done in the lead up to v3.3.2. That's the
release where NLS support was added and it represented
a hectic time. In hindsight, the changes went too far.
So this commit, in a minimal fashion, restores ability
to address a potential fatal library error. After all,
any properly behaving library would never unilaterally
subject a caller to a stderr message and then an exit.
[ when exposing 1 variable in libprocps.sym, 2 other ]
[ existing symbols were repositioned alphabetically. ]
Reference(s):
. generalized library memory provisions
commit 7126cc4491
. top exploit library memory provisions
commit 88087ec5a5
. library xalloc type functions made private
commit 2865ded64e
. restored prior top memory logic
commit 05f5deb97c
Signed-off-by: Jim Warner <james.warner@comcast.net>
And I thought those strange characters I saw with only
certain translations in Fields Management descriptions
were resulting from my terminal emulator deficiencies.
Turns out that ol' top wasn't addressing possibilities
of such descriptions ending with multi-byte sequences.
Signed-off-by: Jim Warner <james.warner@comcast.net>
Initially, I was going to ignore that coverity warning
CID #177876. But, since top may be running SETUID it's
best if it can be avoided instead. The fix was simple.
We'll trade the access() call for a real fopen() call.
This time-of-check-time-of-use warning should go away.
------------------------------------------------------
When XDG support was originally introduced in top, the
author made a poor choice in access(). A real question
that needed asking was 'does the file exist'. However,
the question that was asked was 'can this real user ID
or this real group ID access the file'. Then, when the
fopen() is finally issued, top would use the effective
user ID or the effective group ID to access that file.
That's what opened the potential TOCTOU vulnerability,
which was important only if top was running SUID/SGID.
Signed-off-by: Jim Warner <james.warner@comcast.net>
By eliminating the call to 'fmtmk', the 'utf8_justify'
function could more easily be used in libproc someday.
Signed-off-by: Jim Warner <james.warner@comcast.net>
Gosh, all this time we used indents of 4 spaces, not 3
spaces which were always the top standard indentation.
[ and we made our 'utf8_embody' a little more robust ]
Signed-off-by: Jim Warner <james.warner@comcast.net>
This patch better exploits short-circuit evaluation in
two 'if' tests. In every case, the 1st of 2 conditions
in each 'if' test must take place but it always proves
true with each iteration for 1 of the 'if' statements.
Thus, the 2nd condition will have to be evaluated too.
By reordering 2 tests in each 'if', we can ensure that
the 2nd condition will then be tested much less often.
Signed-off-by: Jim Warner <james.warner@comcast.net>
Upon reflection, there was absolutely no justification
for that call to strlen() which was then followed by a
call to snprintf(). The latter provides this needed #.
[ also make that 'delta' value a little more visible ]
[ instead of hiding it at the end of a its code line ]
Signed-off-by: Jim Warner <james.warner@comcast.net>
With the help of our Swedish translator, hopefully the
final buglet has now been vanquished in the multi-byte
translation support. This one was a real nasty bugger.
Although it didn't occur with every terminal emulator,
occasionally random text lines were being chopped off.
As it turns out, those terminals were blameless. There
were two separate places in top's show_special routine
where potential multi-byte sequences were inadequately
addressed. Solution: exploit existing utf-8 functions.
[ it also became apparent that the translation hints ]
[ in the top_nls module were deficient. so a special ]
[ caution was added regarding the final line of txt. ]
Reference(s):
https://gitlab.com/procps-ng/procps/issues/68
Signed-off-by: Jim Warner <james.warner@comcast.net>
Unlike the insp_mkrow_raw function the insp_mkrow_utf8
routine is not equipped to print non-ctl, non-printing
characters like '<7f>'. However, technically that very
value currently slips through the cracks. So with this
patch top will now print a space in the unlikely event
a character with the value of 127 is ever encountered.
Signed-off-by: Jim Warner <james.warner@comcast.net>
Since all the necessary utf-8 plumbing is now in place
this commit will extend multi-byte support to user and
group names. Now top will be on a par with the ps guy.
[ plus, it's also my way of showing appreciation for ]
[ all those investments silently made by translators ]
Reference(s):
https://gitlab.com/procps-ng/procps/issues/68
Signed-off-by: Jim Warner <james.warner@comcast.net>
Translatable column headers are supposed to be limited
to no more than 7 characters, even though some columns
are wider than that or even variable width. That value
of 7 is dictated by the Fields Management screen which
will otherwise truncate a column header longer than 7.
Our new utf-8 support did not adequately deal with the
potential need for truncation of column headers should
that limit of 7 be exceeded. This patch corrects that.
[ a few comments were also tweaked just a little bit ]
Signed-off-by: Jim Warner <james.warner@comcast.net>
The previous commit implemented multi-byte support for
the basic top user interaction and display provisions.
This commit completes multi-byte support by addressing
that 'Inspect Other Output' feature (the 'Y' command).
Few people probably exploit this very powerful feature
which allows the perusing of any file or piped output.
And even if nobody uses 'Y', someone will stumble over
it on the help screen and try it out. Assuming top was
not built with INSP_OFFDEMO defined, they'll end up on
the screen our translators have faithfully translated.
Without this patch, such a screen would display with a
bunch of 'unprintable' characters which will then show
in the standard (less-like) way as: '^A', '<C3>', etc.
In other words, those poor screens will be a big mess!
[ this program can even display an executable binary ]
[ while at that same time supporting Find/Find Next. ]
[ imagine, a file with no guarantee of real strings! ]
[ just try a Find using less with such binary files. ]
With this commit, the translated 'Y' demo screens will
now be properly shown, providing no invalid multi-byte
characters have been detected. Should that be the case
then they'll be displayed in that less-like way above.
And, if users go on to fully exploit this 'Y' command,
there is a good chance that a file or pipe might yield
output in a utf-8 multi-byte form. Should that be true
such output will thus be handled appropriately by top.
[ in many respects, this change was more challenging ]
[ than the basic support within the previous commit. ]
[ story of my life: least used = most effort needed. ]
Many thanks to our procps-ng translators which enabled
a proper test of these changed 'Y' command provisions:
. Vietnamese: Trần Ngọc Quân
. Polish: Jakub Bogusz
. German: Mario Blättermann
. French: Frédéric Marchal, Stéphane Aulery
[ and my sincerest apologies too, for my negligence! ]
Reference(s):
https://gitlab.com/procps-ng/procps/issues/68
Signed-off-by: Jim Warner <james.warner@comcast.net>
When this project first began implementing translation
support nearly 6 years ago, we overcame many 'gettext'
obstacles and limitations. And, of course, there were
not any actual translations at the time so our testing
was quite limited plus, in many cases, only simulated.
None of that, however, can justify or excuse the total
lack of attention to top's approach to NLS, especially
since some actual translations have existed for years.
When the issue referenced below was raised, I suffered
immediate feelings of anxiety, doubt and pending doom.
This was mostly because top strives to avoid line wrap
at all costs and that did not bode well for multi-byte
translated strings, using several bytes per character.
I was also concerned over possible performance impact,
assuming it was even possible to properly handle utf8.
But, after wrestling with the problem for several days
those initial feelings have now been replaced by guilt
over any trouble I initially caused those translators.
One can only imagine how frustrating it must have been
after the translation effort to then see top display a
misaligned column header and fields management page or
truncated screens like those of help or color mapping.
------------------------------------------------------
Ok, with that off my chest let's review these changes,
now that top properly handles UTF8 multi-byte strings.
. Performance - virtually all of this newly added cost
for multi-byte support is incurred during interactions
with the user. So, performance is not really an issue.
The one occasion when performance is impacted is found
during 'summary_show()' processing, due to an addition
of one new call to 'utf8_delta()' in 'show_special()'.
. Extra Wide Characters - I have not yet and may never
figure out a way to support languages like zh_CN where
the characters can be wider than most other languages.
. Translated User Name - at some future point we could
implement translation of user names. But as the author
of the issue acknowledged such names are non-standard.
Thus task display still incurs no new multi-byte costs
beyond those already incurred in that escape.c module.
For raising the issue I extend my sincerest thanks to:
Göran Uddeborg
Reference(s):
https://gitlab.com/procps-ng/procps/issues/68
Signed-off-by: Jim Warner <james.warner@comcast.net>
The 'N_fmt' and 'N_txt' macros are interchangeable and
just highlight the 2 str types found in Norm_nlstable.
The change in this patch (strictly cosmetic) was found
during the coding for what will be the next 2 commits.
It has not been squashed into either of those so as to
not muddy up the waters for what was a major refactor.
Signed-off-by: Jim Warner <james.warner@comcast.net>
Until this patch, top falsely assumed that there would
always be some (small) amount of physical memory after
subtracting 'used' and 'available' from the total. But
as the issue referenced below attests, a sum of 'used'
and 'available' might exceed that total memory amount.
I'm not sure if this is a problem with our calculation
of the 'used' amount, a flaw in the kernel 'available'
algorithms or some other reason I cannot even imagine.
Anyway, this patch protects against such a contingency
through the following single line addition of new code
. if (pct_used + pct_misc > 100.0 || pct_misc < 0) ...
The check for less than zero is not actually necessary
as long as the source numbers remain unsigned. However
should they ever become signed, we'll have protection.
[ Most of the changes in this commit simply separate ]
[ a variable's definition from its associated logic. ]
Reference(s):
https://gitlab.com/procps-ng/procps/issues/64
Signed-off-by: Jim Warner <james.warner@comcast.net>
For the past 3 years top has fully honored that locale
LC_NUMERIC setting which impacts his refresh interval.
For the past nearly 5 years top has saved that refresh
value in a locale independent form in his config file.
With this commit we'll intentionally break top so that
a comma or period will be accepted for the radix point
regardless of what that LC_NUMERIC may have suggested.
The current locale LC_NUMERIC will, however, determine
how the delay interval is displayed in the 'd' prompt.
[ This position is better than the approach employed ]
[ by those coreutils 'sleep' and 'timeout' programs. ]
[ Both claim to permit floating point arguments. But ]
[ neither one will accept the comma separator should ]
[ the locale be a country that in fact uses a comma. ]
Reference(s):
https://gitlab.com/procps-ng/procps/merge_requests/50
Prototyped by: Jan Rybar <jrybar@redhat.com>
Signed-off-by: Jim Warner <james.warner@comcast.net>
Ok, I admit it. I'm now tired of cleaning up after me.
This is the 3rd related tweak after that '-1' argument
was originally introduced. And with this patch we will
once again properly honor the '-o' and '-u|U' switches
without a need to be followed by an additional switch.
[ one can follow my unfortunate trail of alterations ]
[ beginning with my most recent fix referenced below ]
Reference(s):
commit 4b44aebd80
Signed-off-by: Jim Warner <james.warner@comcast.net>
While the effective user id would always be present in
each proc_t, thus supporting 'u' filtering, other user
ids would only be present if /proc/$$/status was read.
This commit just puts the 'master' branch top on a par
with the 'newlib' branch when user filtering with 'U'.
Signed-off-by: Jim Warner <james.warner@comcast.net>
With the introduction of a new '1' command line toggle
I have gone and broken a provision of the '-p' command
line switch (pids monitoring). Multiple pids could not
be specified through the use of comma delimited lists.
Thus, this commit simply corrects that newly added bug
which was born in the 'adjustment' commit shown below.
Reference(s):
. adjustment to '-1' implementation
commit 909b37d755
Signed-off-by: Jim Warner <james.warner@comcast.net>
There exists the possibility that a 'putp' call can be
issued before the 'setupterm' invocation has occurred,
as is reflected in a bugzilla report referenced below.
Strangely, such a SEGV isn't always triggered as logic
would suggest it ought to be. I experienced a fault in
these environments with the associated curses version:
. archlinux, procps-ng 3.3.12, ncurses 6.0.20170429
. fedora-25, procps-ng 3.3.10, ncurses 6.0.20160709
. opensuse-42.2, procps-ng 3.3.9, ncurses 5.9.20140201
. gentoo, procps-ng 3.3.12, ncurses 6.0.20150808
. slackw-14.2, procps-ng 3.3.12, ncurses 6.0.20160910
Whereas under these environments there was no problem:
. ubuntu-17.04, procps-ng 3.3.12, ncurses 6.0.20160625
. debian-test, procps-ng 3.3.12, ncurses 6.0.20161126
. mageia-5.1, procps-ng 3.3.9, ncurses 5.9.20140323
[ as an aside, the expected result in the bug report ]
[ is incorrect and should mention the '1' parameter. ]
[ however, until release 3.3.13 when the '1' becomes ]
[ a valid switch, numbers are not detected when used ]
[ with any switch which doesn't require an argument. ]
[ you're welcome to treat that as a separate bugglet ]
Reference(s):
https://bugzilla.redhat.com/show_bug.cgi?id=1450429
Signed-off-by: Jim Warner <james.warner@comcast.net>
The top program already incorporated a modest delay at
startup so that some minimal process cpu history could
be established. However, Summary Area system level cpu
statistic history reflected usage since boot. As such,
unchanging % values would be shown with every restart.
This commit just adopts the same approach used in task
%CPU history for the Summary Area statistics. In other
words, it introduces a 'priming read' at startup as is
found in the newlib implementation for the <stat> API.
Reference(s):
https://gitlab.com/procps-ng/procps/merge_requests/42
Signed-off-by: Jim Warner <james.warner@comcast.net>
This program has always tried to maintain an extermely
robust command line parsing procedure, far more robust
that what's available with the getopt stuff. But, with
the introduction of our first numeric switch it should
have been made even more robust than, in fact, it was.
This commit will now accomplish such a desirable goal.
Reference(s):
. added '1' command line switch
commit 89db82d143
Signed-off-by: Jim Warner <james.warner@comcast.net>