Package: procps / 2:3.3.9-9+deb8u1

Metadata

Package: procps
Version: 2:3.3.9-9+deb8u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
bts775624 pmap xoutput

pmap.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 pmap: output when smaps unreadable
 If smaps can be opened but not read, the output is now the same as if
 the file cannot be opened.
Bug-Debian: https://bugs.debian.org/775624
bts743758_vmstat_test

testsuite/vmstat.test/vmstat.exp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add bypass for vmstat -p test
 Some buildd have odd /proc/partition, which means this test fails.
 The change just bypasses the test in this case.
Bug-Debian: http://bugs.debian.org/743758
top_defines

top/top.c | 280 140 + 140 - 0 !
top/top.h | 46 23 + 23 - 0 !
top/top_nls.c | 210 105 + 105 - 0 !
3 files changed, 268 insertions(+), 268 deletions(-)

 top: avoid name conflict in the next version of stdlib
 Since its inception top has always used enumerators to
 identify displayable fields. They've taken the form of
 P_PID, etc. As it turns out, something has changed for
 libc6-dev versions beyond 2.17-93 wherein 'P_PID' will
 now be exposed via stdlib.h. I have not pinpointed the
 exact cause but it may depend on header include order.
 .
 This patch just trades top's long-standing 'P_' prefix
 convention for that of 'EU_' (short for enumerator). I
 cannot find *any* header under /usr/include/ currently
 utilizing this particular three character combination.
 .
 And as a further safeguard top will henceforth include
 'system' specific headers after the standard includes.
Reference(s):
 http://www.freelists.org/post/procps/top-wont-compile-anymore
Signed-off-by: Jim Warner <james.warner@comcast.net>

uptime_test

testsuite/w.test/w.exp | 16 8 + 8 - 0 !
1 file changed, 8 insertions(+), 8 deletions(-)

---
testsuite_unsupp

testsuite/pgrep.test/pgrep.exp | 6 5 + 1 - 0 !
testsuite/pkill.test/pkill.exp | 2 1 + 1 - 0 !
testsuite/ps.test/ps_output.exp | 4 2 + 2 - 0 !
testsuite/pwdx.test/pwdx.exp | 11 6 + 5 - 0 !
testsuite/vmstat.test/vmstat.exp | 5 3 + 2 - 0 !
5 files changed, 17 insertions(+), 11 deletions(-)

 set some tests to unsupported
Bug-Debian: http://bugs.debian.org/710851
bts732920_sysctl_conf

sysctl.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 fix sysctl --system
 Interim patch until 3.3.10 comes along which fixes this.
Bug-Debian: http://bugs.debian.org/732920
testsuite_kill

testsuite/config/unix.exp | 15 15 + 0 - 0 !
testsuite/pgrep.test/pgrep.exp | 10 1 + 9 - 0 !
testsuite/pkill.test/pkill.exp | 10 1 + 9 - 0 !
3 files changed, 17 insertions(+), 18 deletions(-)

 make testsuite kill work
 Patch pulled from upstream git patch cacba561.
 kill doesn't reliably work on buildd; this patch does it right, I hope.
Bug-Debian: http://bugs.debian.org/754620
Bug-Debian: http://bugs.debian.org/725743


0008 pgrep Prevent a potential stack based buffer overflo.patch

pgrep.c | 25 15 + 10 - 0 !
1 file changed, 15 insertions(+), 10 deletions(-)

 [patch 008/126] pgrep: prevent a potential stack-based buffer overflow.

This is one of the worst issues that we found: if the strlen() of one of
the cmdline arguments is greater than INT_MAX (it is possible), then the
"int bytes" could wrap around completely, back to a very large positive
int, and the next strncat() would be called with a huge number of
destination bytes (a stack-based buffer overflow).

Fortunately, every distribution that we checked compiles its procps
utilities with FORTIFY, and the fortified strncat() detects and aborts
the buffer overflow before it occurs.

This patch also fixes a secondary issue: the old "--bytes;" meant that
cmdline[sizeof (cmdline) - 2] was never written to if the while loop was
never entered; in the example below, "ff" is the uninitialized byte:

((exec -ca `python3 -c 'print("A" * 131000)'` /usr/bin/cat < /dev/zero) | sleep 60) &
pgrep -a -P "$!" 2>/dev/null | hexdump -C
00000000  31 32 34 36 30 20 41 41  41 41 41 41 41 41 41 41  |12460 AAAAAAAAAA|
00000010  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00001000  41 41 41 41 ff 0a 31 32  34 36 32 20 73 6c 65 65  |AAAA..12462 slee|
00001010  70 20 36 30 0a                                    |p 60.|
[carnil: backport for 3.3.9: adjust context]
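The size accounting the patch describes, as an added C example that is not procps code: cmdline arguments are joined into a fixed buffer with the free space kept in a size_t (so a length above INT_MAX cannot wrap a signed count and hand strncat() a huge limit), truncated instead of overflowed, and the buffer is zero-filled so no byte is left uninitialized. The function and buffer names are assumptions, not names from pgrep.c.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not procps code: join argv-style strings into a fixed
 * buffer, the operation the pgrep patch above hardens. Free space is kept
 * as size_t and checked before every copy, so an argument longer than
 * INT_MAX cannot wrap a signed count and hand strncat() a huge limit; the
 * buffer is zero-filled first, so no byte is left uninitialized.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t join_cmdline(char *out, size_t outsz, char *const argv[])
{
    size_t used = 0;
    if (outsz == 0)
        return 0;
    memset(out, 0, outsz);
    for (size_t i = 0; argv[i] != NULL; i++) {
        size_t room = outsz - 1 - used;     /* bytes left before the NUL */
        size_t len = strlen(argv[i]);
        if (i > 0) {                        /* separator between args */
            if (room == 0)
                break;
            out[used++] = ' ';
            room--;
        }
        int truncated = len > room;
        if (truncated)
            len = room;                     /* truncate, never overflow */
        memcpy(out + used, argv[i], len);
        used += len;
        if (truncated)
            break;
    }
    out[used] = '\0';
    return used;
}

/* Scratch buffers shared by main() and the checks below. */
char wide_buf[16];
char narrow_buf[8];

int main(void)
{
    char *const args[] = { "cat", "/dev/zero", NULL };
    join_cmdline(wide_buf, sizeof wide_buf, args);
    join_cmdline(narrow_buf, sizeof narrow_buf, args);
    printf("[%s] [%s]\n", wide_buf, narrow_buf); /* [cat /dev/zero] [cat /de] */
    return 0;
}
```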

0035 proc alloc. Use size_t not unsigned int.patch

proc/alloc.c | 20 12 + 8 - 0 !
proc/alloc.h | 4 2 + 2 - 0 !
2 files changed, 14 insertions(+), 10 deletions(-)

 [patch 035/126] proc/alloc.*: use size_t, not unsigned int.

Otherwise this can truncate sizes on 64-bit platforms, and is one of the
reasons the integer overflows in file2strvec() are exploitable at all.
Also: catch potential integer overflow in xstrdup() (should never
happen, but better safe than sorry), and use memcpy() instead of
strcpy() (faster).

Warnings:

- in glibc, realloc(ptr, 0) is equivalent to free(ptr), but not here,
  because of the ++size;

- here, xstrdup() can return NULL (if str is NULL), which goes against
  the idea of the xalloc wrappers.

We were tempted to call exit() or xerrx() in those cases, but decided
against it, because it might break things in unexpected places; TODO?

0054 ps output.c Fix outbuf overflows in pr_args etc.patch

ps/output.c | 23 14 + 9 - 0 !
1 file changed, 14 insertions(+), 9 deletions(-)

 [patch 054/126] ps/output.c: fix outbuf overflows in pr_args() etc.

Because there is usually less than OUTBUF_SIZE available at endp.

0074 proc readproc.c Fix bugs and overflows in file2strve.patch

proc/readproc.c | 54 33 + 21 - 0 !
1 file changed, 33 insertions(+), 21 deletions(-)

 [patch 074/126] proc/readproc.c: fix bugs and overflows in file2strvec().

Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!

For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.

The easy changes:

- Replace sprintf() with snprintf() (and check for truncation).

- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
  do break instead of return: it simplifies the code (only one place to
  handle errors), and also guarantees that in the while loop either n or
  tot is > 0 (or both), even if n is reset to 0 when about to overflow.

- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
  code, since we enter the while loop only if n >= 0.

- Rewrite the missing-null-terminator detection: in the original
  function, if the size of the file is a multiple of 2047, a
  null-terminator is appended even if the file is already null-terminated.

- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
  originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
  to handle the first break of the while loop, and to guarantee that in
  the rest of the function tot is > 0.

- Double-force ("belt and suspenders") the null-termination of rbuf:
  this is (and was) essential to the correctness of the function.

- Replace the final "while" loop with a "for" loop that behaves just
  like the preceding "for" loop: in the original function, this would
  lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
  would return the array {"",NULL} but should return {"","A",NULL}; and
  if rbuf is |A|\0|B| (should never happen because rbuf should be
  null-terminated), this would make room for two pointers in ret, but
  would write three pointers to ret).

The hard changes:

- Prevent the integer overflow of tot in the while loop, but unlike
  file2str(), file2strvec() cannot let tot grow until it almost reaches
  INT_MAX, because it needs more space for the pointers: this is why we
  introduced ARG_LEN, which also guarantees that we can add "align" and
  a few sizeof(char*)s to tot without overflowing.

- Prevent the integer overflow of "tot + c + align": when INT_MAX is
  (almost) reached, we write the maximal safe amount of pointers to ret
  (ARG_LEN guarantees that there is always space for *ret = rbuf and the
  NULL terminator).
[carnil: backport for 3.3.9: Add include for limits.h and use of MAX_INT]
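The splitting rules listed above, as an added C example that is not the procps file2strvec() code: a NUL-separated buffer is forced to end in a terminator, the strings are counted with the same walk that later fills the pointer array, and the array is sized from that count, so |\0|A|\0| yields {"","A",NULL} and the unterminated |A|\0|B| yields {"A","B",NULL}. The names (buf2strvec, strvec_len, free_strvec) and the two-allocation layout are assumptions; the page's single allocation with ARG_LEN / INT_MAX limits is not reproduced here.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not procps code: split a NUL-separated buffer (the format
 * of /proc/PID/cmdline) into a NULL-terminated vector by the rules the
 * file2strvec() patch above lays out: force a terminating NUL, count the
 * strings with the same walk that later fills the pointers, and size the
 * pointer array from that count, so "\0A\0" gives {"", "A", NULL} and the
 * unterminated "A\0B" gives {"A", "B", NULL}. ret[0] always points at the
 * copied data, so free_strvec() can release both allocations. */
char **buf2strvec(const char *buf, size_t len)
{
    size_t tot = len, n = 0, k = 0, i;
    char *rbuf, **ret, *start;
    if (tot == 0 || buf[tot - 1] != '\0')
        tot++;                          /* room for the forced terminator */
    if ((rbuf = malloc(tot)) == NULL)
        return NULL;
    memcpy(rbuf, buf, len);
    rbuf[tot - 1] = '\0';               /* belt and suspenders */
    for (i = 0; i < tot; i++)           /* pass 1: every NUL ends a string */
        if (rbuf[i] == '\0')
            n++;
    if ((ret = malloc((n + 1) * sizeof *ret)) == NULL) {
        free(rbuf);
        return NULL;
    }
    for (start = rbuf, i = 0; i < tot; i++) {   /* pass 2: fill pointers */
        if (rbuf[i] == '\0') {
            ret[k++] = start;
            start = rbuf + i + 1;
        }
    }
    ret[k] = NULL;                      /* k == n by construction */
    return ret;
}

size_t strvec_len(char *const *v)
{
    size_t n = 0;
    while (v[n] != NULL)
        n++;
    return n;
}

void free_strvec(char **v)
{
    if (v) { free(v[0]); free(v); }     /* v[0] is the copied buffer */
}
```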

0097 top Do not default to the cwd in configs_read.patch

top/top.c | 24 23 + 1 - 0 !
1 file changed, 23 insertions(+), 1 deletion(-)

 [patch 097/126] top: do not default to the cwd in configs_read().

If the HOME environment variable is not set, or not absolute, use the
home directory returned by getpwuid(getuid()), if set and absolute
(instead of the cwd "."); otherwise, set p_home to NULL.

To keep the changes to a minimum, we rely on POSIX, which requires that
fopen() fails with ENOENT if the pathname (Rc_name) is an empty string.
This integrates well into the existing code, and makes write_rcfile()
work without a change.

Also, it makes the code in configs_read() easier to follow: only set and
use p_home if safe, and only set Rc_name if safe (in all the other cases
it is the empty string, and the fopen() calls fail). Plus, check for
snprintf() truncation (and if it happens, reset Rc_name to the empty
string).

Important note: top.1 should probably be updated, since it mentions the
fallback to the current working directory.
[carnil: Backport to 3.3.9: p_home -> p, context]
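The home-directory and Rc_name handling described above, as an added C example that is not top's code: $HOME is used only when set and absolute, then the passwd entry's directory under the same rule, and otherwise no path at all (never the cwd); snprintf() truncation resets the path to the empty string so that fopen() fails with ENOENT. The function names and the ".toprc" file name are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not procps code, of the policy in the top patch above: $HOME
 * if set and absolute, else the passwd home if set and absolute, else NULL. */
const char *pick_home(const char *env_home, const char *pw_home)
{
    if (env_home != NULL && env_home[0] == '/')
        return env_home;
    if (pw_home != NULL && pw_home[0] == '/')
        return pw_home;
    return NULL;
}

/* Write "<home>/<file>" into rc; on a missing home or snprintf() truncation
 * rc becomes "" so a later fopen() fails with ENOENT, as the patch relies on. */
int build_rcname(char *rc, size_t rcsz, const char *home, const char *file)
{
    if (rcsz == 0)
        return 0;
    rc[0] = '\0';
    if (home == NULL)
        return 0;
    int n = snprintf(rc, rcsz, "%s/%s", home, file);
    if (n < 0 || (size_t)n >= rcsz) {
        rc[0] = '\0';                   /* truncated: refuse the partial path */
        return 0;
    }
    return 1;
}

/* Resolve from the live environment and passwd database; ".toprc" is an
 * assumed file name for this example. */
int toprc_path(char *rc, size_t rcsz)
{
    struct passwd *pw = getpwuid(getuid());
    const char *home = pick_home(getenv("HOME"), pw ? pw->pw_dir : NULL);
    return build_rcname(rc, rcsz, home, ".toprc");
}

char rc_buf[64];                        /* scratch for main() and checks */

int main(void)
{
    printf("%d [%s]\n", toprc_path(rc_buf, sizeof rc_buf), rc_buf);
    return 0;
}
```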