packages/procps-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!2 upgrade to version 3.3.16 and delete patchs between 3.3.15 and 3.3.16

Browse Source 
Merge pull request !2 from MarsChan/master
This commit is contained in:
openeuler-ci-bot 2020-01-15 09:48:10 +08:00 committed by Gitee
commit faad3275d3
20 changed files with 10 additions and 1809 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Possible-segfault-in-file2strvec-introduced-by-lates.patch
View File

@ -1,13 +0,0 @@
diff --git a/proc/readproc.c b/proc/readproc.c
index 0f00231..b5fbbaa 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -714,7 +714,7 @@ static char** file2strvec(const char* directory, const char* what) {
#undef ARG_LEN
if (end_of_file &&
((n > 0 && buf[n-1] != '\0') || /* last read char not null */
- (n <= 0 && rbuf[tot-1] != '\0'))) /* last read char not null */
+ (n <= 0 && rbuf && rbuf[tot-1] != '\0'))) /* last read char not null */
buf[n++] = '\0'; /* so append null-terminator */
if (n <= 0) break; /* unneeded (end_of_file = 1) but avoid realloc */

1111
docs-Tidying-of-ps-kill-and-skill-manpages.patch
View File

File diff suppressed because it is too large Load Diff

72
library-avoid-problems-involving-supgid-mishandling.patch
View File

@ -1,72 +0,0 @@
From f9a8009e27d47a61096ff7bf1de37a90f0f801e6 Mon Sep 17 00:00:00 2001
From: Jim Warner <james.warner@comcast.net>
Date: Wed, 30 May 2018 00:00:00 -0500
Subject: [PATCH 08/65] library: avoid problems involving 'supgid' mishandling
Following that patch referenced below, the top SUPGRPS
field would produce a segmentation fault and ps SUPGRP
would often show "(null)". Such problems resulted from
some faulty logic in the status2proc() routine dealing
with 'Groups' (supgid) which served as a source field.
For many processes the original code produced an empty
string which prevented conversion to the expected "-".
Moreover, prior to release 3.3.15 such an empty string
will become 0 after strtol() which pwcache_get_group()
translates to 'root' yielding very misleading results.
So, now we'll check for empty '/proc/#/status/Groups:'
fields & consistently provide a "-" value for callers.
[ we'll also protect against future problems in that ]
[ new qualys logic by always ensuring valid 'supgrp' ]
[ pointers - logic which revealed our original flaw! ]
Reference(s):
. original qualys patch
0071-proc-readproc.c-Harden-supgrps_from_supgids.patch
Signed-off-by: Jim Warner <james.warner@comcast.net>
---
proc/readproc.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/proc/readproc.c b/proc/readproc.c
index 0f00231..ea7a31b 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -387,12 +387,15 @@ ENTER(0x220);
P->vm_swap = strtol(S,&S,10);
continue;
case_Groups:
- { char *nl = strchr(S, '\n');
- size_t j = nl ? (size_t)(nl - S) : strlen(S);
+ { char *ss = S, *nl = strchr(S, '\n');
+ size_t j;
+ while (' ' == *ss || '\t' == *ss) ss++;
+ if (ss >= nl) continue;
+ j = nl ? (size_t)(nl - ss) : strlen(ss);
if (j > 0 && j < INT_MAX) {
P->supgid = xmalloc(j+1); // +1 in case space disappears
- memcpy(P->supgid, S, j);
+ memcpy(P->supgid, ss, j);
if (unlikely(' ' != P->supgid[--j])) ++j;
P->supgid[j] = '\0'; // whack the space or the newline
for ( ; j; j--)
@@ -472,7 +475,11 @@ static void supgrps_from_supgids (proc_t *p) {
while (',' == *s) ++s;
gid = strtol(s, &end, 10);
- if (end <= s) break;
+ if (end <= s) {
+ if (!p->supgrp)
+ p->supgrp = xstrdup("-");
+ break;
+ }
s = end;
g = pwcache_get_group(gid);
--
2.6.4.windows.1

47
procio-fix-potential-out-of-bounds-access-when-write.patch
View File

@ -1,47 +0,0 @@
From 3eb4b5375f7ffca0e21fac479dfa688cae936641 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Tue, 29 May 2018 13:20:00 +0200
Subject: [PATCH 62/65] procio: fix potential out-of-bounds access when write
fails
When writing to procfs via `proc_write` fails, we try to chunk the
buffer into smaller pieces to work around that issue. When searching for
the next location to split the buffer, though, we can underflow the
buffer in case the current offset is smaller than `LINELEN`. Fix the
issue by passing `cookie->offset` instead of `LINELEN` into `memrchr` in
case `cookie->offset` is smaller than `LINELEN`.
This bug can be triggered on musl-based systems, e.g. by executing
$ sysctl kernel.printk_ratelimit=1000000000000000
As the value is out-of-range, `write` will return an error and set
`errno` to `EINVAL`. As we're only trying to write a smallish buffer
with a length smaller than `LINELEN` and as the buffer does not contain
any newlines, the call
token = (char*)memrchr(cookie->buf+offset, '\n', LINELEN);
will underflow the buffer and crash the program.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
procio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/procio.c b/procio.c
index 2813cd5..f3258ff 100644
--- a/procio.c
+++ b/procio.c
@@ -251,7 +251,7 @@ ssize_t proc_write(void *c, const char *buf, size_t count)
if (cookie->offset > LINELEN)
token = (char*)memrchr(cookie->buf+offset, cookie->delim, LINELEN);
else
- token = (char*)memrchr(cookie->buf+offset, '\n', LINELEN);
+ token = (char*)memrchr(cookie->buf+offset, '\n', cookie->offset);
if (token)
*token = '\n';
else {
--
2.6.4.windows.1

33
procio-use-the-user-supplied-delimiter-to-split-larg.patch
View File

@ -1,33 +0,0 @@
From 32720b2ee6c36b84005a002def17e79e3ab009e1 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 8 Jun 2018 13:27:20 +0200
Subject: [PATCH 61/65] procio: use the user-supplied delimiter to split large
input
The `fprocopen` function allows users to specify a delimiter chacter
that is used to split very large input lines into smaller chunks. While
the code checks that the caller did actually supply the delimiter, it is
in fact never used to split the string. Instead, the hardcoded default
character ',' is always used to split the string.
Fix the issue by using `cookie->delim` instead.
---
procio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/procio.c b/procio.c
index ad9b4de..2813cd5 100644
--- a/procio.c
+++ b/procio.c
@@ -249,7 +249,7 @@ ssize_t proc_write(void *c, const char *buf, size_t count)
do {
token = NULL;
if (cookie->offset > LINELEN)
- token = (char*)memrchr(cookie->buf+offset, ',', LINELEN);
+ token = (char*)memrchr(cookie->buf+offset, cookie->delim, LINELEN);
else
token = (char*)memrchr(cookie->buf+offset, '\n', LINELEN);
if (token)
--
2.6.4.windows.1

BIN
procps-ng-3.3.15.tar.xz
View File

Binary file not shown.

BIN
procps-ng-3.3.16.tar.xz Normal file
View File

Binary file not shown.

30
procps-ng.spec
View File

@ -1,6 +1,6 @@
Name: procps-ng Name: procps-ng
Version: 3.3.15 Version: 3.3.16
Release: 10 Release: 11
Summary: Utilities that provide system information. Summary: Utilities that provide system information.
License: GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+ License: GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+
URL: https://sourceforge.net/projects/procps-ng/ URL: https://sourceforge.net/projects/procps-ng/
@ -11,23 +11,6 @@ Source2: README.top
Patch9000: feature-add-options-M-and-N-for-top.patch Patch9000: feature-add-options-M-and-N-for-top.patch
Patch9001: bugfix-top-exit-with-error-when-pid-overflow.patch Patch9001: bugfix-top-exit-with-error-when-pid-overflow.patch
Patch6002: top-fix-iokey-flaw-preventing-proper-translations.patch
Patch6003: Possible-segfault-in-file2strvec-introduced-by-lates.patch
Patch6004: top-don-t-mess-with-groff-line-length-in-man-documen.patch
Patch6005: top-add-another-field-sanity-check-in-config_file.patch
Patch6006: top-prevent-buffer-overruns-in-inspection_utility.patch
Patch6007: docs-Tidying-of-ps-kill-and-skill-manpages.patch
Patch6008: library-avoid-problems-involving-supgid-mishandling.patch
Patch6009: w-Prevent-out-of-bounds-reads-in-print_display_or_in.patch
Patch6010: w-Clamp-maxcmd-to-the-MIN-MAX_CMD_WIDTH-range.patch
Patch6011: vmstat-getopt-returns-1-when-done-not-EOF.patch
Patch6012: vmstat-Replace-memcmp-with-strncmp.patch
Patch6013: vmstat-Check-return-values-of-localtime-and-strftime.patch
Patch6014: vmstat-Prevent-out-of-bounds-writes-in-new_header-an.patch
Patch6015: top-the-define-PRETEND2_5_X-was-found-to-be-broken.patch
Patch6016: procio-use-the-user-supplied-delimiter-to-split-larg.patch
Patch6017: procio-fix-potential-out-of-bounds-access-when-write.patch
Patch6018: sysctl-do-not-report-set-key-in-case-close_stream-fa.patch
BuildRequires: ncurses-devel libtool autoconf automake gcc gettext-devel systemd-devel BuildRequires: ncurses-devel libtool autoconf automake gcc gettext-devel systemd-devel
@ -107,9 +90,16 @@ ln -s %{_bindir}/pidof %{buildroot}%{_sbindir}/pidof
%files help %files help
%doc AUTHORS Documentation/bugs.md Documentation/FAQ NEWS README.md top/README.top Documentation/TODO %doc AUTHORS Documentation/bugs.md Documentation/FAQ NEWS README.md top/README.top Documentation/TODO
%{_mandir}/man* %{_mandir}/man*
%{_mandir}/translated
%changelog %changelog
* Tue Jan 7 2020 MarsChan <chenmingmin@huawei.com> - 3.3.16-11
- Type:upgrade
- ID:NA
- SUG:NA
- DESC: upgrade to version 3.3.16 and delete the patch between
3.3.15 and 3.3.16.
* Mon Dec 23 2019 wangshuo <wangshuo47@huawei.com> - 3.3.15-10 * Mon Dec 23 2019 wangshuo <wangshuo47@huawei.com> - 3.3.15-10
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA

40
sysctl-do-not-report-set-key-in-case-close_stream-fa.patch
View File

@ -1,40 +0,0 @@
From da82fe49b1476d227874905068adb69577e11d96 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Tue, 29 May 2018 13:29:03 +0200
Subject: [PATCH 63/65] sysctl: do not report set key in case `close_stream`
fails
As we're using buffered I/O when writing kernel parameters, write errors
may get delayed until we close the `FILE` stream. As we are currently
outputting the key that is to be set disregarding the return value of
`close_stream`, we may end up in a situation where we report error and
success:
$ sysctl kernel.printk_ratelimit=100000000000000
sysctl: setting key "kernel.printk_ratelimit": error code 22
kernel.printk_ratelimit = 100000000000000
Fix the issue by only outputting the updated value in case
`close_stream` does not report an error.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysctl.c b/sysctl.c
index 2371ca9..2172759 100644
--- a/sysctl.c
+++ b/sysctl.c
@@ -465,7 +465,7 @@ static int WriteSetting(const char *setting)
rc = 0;
if (close_stream(fp) != 0)
xwarn(_("setting key \"%s\""), outname);
- if (rc == 0 && !Quiet) {
+ else if (rc == 0 && !Quiet) {
if (NameOnly) {
fprintf(stdout, "%s\n", outname);
} else {
--
2.6.4.windows.1

46
top-add-another-field-sanity-check-in-config_file.patch
View File

@ -1,46 +0,0 @@
From a42742b0df64a3b282eac469447e9f57d416449e Mon Sep 17 00:00:00 2001
From: Jim Warner <james.warner@comcast.net>
Date: Wed, 23 May 2018 00:00:00 -0500
Subject: [PATCH 03/65] top: add another field sanity check in 'config_file()'
Until the Qualys security audit I had never considered
it a possibility that some malicious person might edit
the top config file to achieve some nefarious results.
And while the Qualys approach tended to concentrate on
the symptoms from such an effort, subsequent revisions
more properly concentrated on startup and that rcfile.
This commit completes those efforts with 1 more field.
Signed-off-by: Jim Warner <james.warner@comcast.net>
---
top/top.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/top/top.c b/top/top.c
index d890140..0c02201 100644
--- a/top/top.c
+++ b/top/top.c
@@ -3759,8 +3759,7 @@ static const char *config_file (FILE *fp, const char *name, float *delay) {
return p;
if (4 != fscanf(fp, "\tsummclr=%d, msgsclr=%d, headclr=%d, taskclr=%d\n"
- , &w->rc.summclr, &w->rc.msgsclr
- , &w->rc.headclr, &w->rc.taskclr))
+ , &w->rc.summclr, &w->rc.msgsclr, &w->rc.headclr, &w->rc.taskclr))
return p;
if (w->rc.summclr < 0 || w->rc.summclr > 7) return p;
if (w->rc.msgsclr < 0 || w->rc.msgsclr > 7) return p;
@@ -3804,6 +3803,8 @@ static const char *config_file (FILE *fp, const char *name, float *delay) {
Rc.summ_mscale = 0;
if (Rc.task_mscale < 0 || Rc.task_mscale > SK_Pb)
Rc.task_mscale = 0;
+ if (Rc.zero_suppress < 0 || Rc.zero_suppress > 1)
+ Rc.zero_suppress = 0;
// we'll start off Inspect stuff with 1 'potential' blank line
// ( only realized if we end up with Inspect.total > 0 )
--
2.6.4.windows.1

35
top-don-t-mess-with-groff-line-length-in-man-documen.patch
View File

@ -1,35 +0,0 @@
From cc5c9e6c1ea1911cb53f1cb0643cbc5f6e4cad1d Mon Sep 17 00:00:00 2001
From: Jim Warner <james.warner@comcast.net>
Date: Sun, 20 May 2018 00:00:00 -0500
Subject: [PATCH 02/65] top: don't mess with groff line length in man document
I've long since forgotten why the attempt to influence
groff line lengths was made. However, I did receive an
email regarding problems formatting postscript output.
Hopefully this patch will eliminate any such problems.
Signed-off-by: Jim Warner <james.warner@comcast.net>
---
top/top.1 | 5 -----
1 file changed, 5 deletions(-)
diff --git a/top/top.1 b/top/top.1
index b8405e9..3a00543 100644
--- a/top/top.1
+++ b/top/top.1
@@ -6,11 +6,6 @@
. This file may be copied under the terms of the GNU Public License.
..
\# Setup ////////////////////////////////////////////////////////////////
-\# ** Comment out '.nr' or set to 0 to eliminate WIDTH fiddlin' !
-.nr half_xtra 4
-.
-.ll +(\n[half_xtra] + \n[half_xtra])
-.
\# Commonly used strings (for consistency) ----------
\# - our em-dashes
.ds Em \fR\ \-\-\ \fR
--
2.6.4.windows.1

13
top-fix-iokey-flaw-preventing-proper-translations.patch
View File

@ -1,13 +0,0 @@
diff --git a/top/top.c b/top/top.c
index d1dbf95..9e41999 100644
--- a/top/top.c
+++ b/top/top.c
@@ -1138,7 +1138,7 @@ static int iokey (int action) {
const char *str;
int key;
} tinfo_tab[] = {
- { "\033\n",kbd_ENTER }, { NULL, kbd_UP }, { NULL, kbd_DOWN },
+ { "\n", kbd_ENTER }, { NULL, kbd_UP }, { NULL, kbd_DOWN },
{ NULL, kbd_LEFT }, { NULL, kbd_RIGHT }, { NULL, kbd_PGUP },
{ NULL, kbd_PGDN }, { NULL, kbd_HOME }, { NULL, kbd_END },
{ NULL, kbd_BKSP }, { NULL, kbd_INS }, { NULL, kbd_DEL },

36
top-prevent-buffer-overruns-in-inspection_utility.patch
View File

@ -1,36 +0,0 @@
From 434530a038023f2e2fcb0a9b7341cbdefc08baef Mon Sep 17 00:00:00 2001
From: Jim Warner <james.warner@comcast.net>
Date: Thu, 24 May 2018 00:00:00 -0500
Subject: [PATCH 04/65] top: prevent buffer overruns in 'inspection_utility()'
When a Qualys patch was reverted as being unwarranted,
1 specific problem their patch had, in fact, prevented
was re-introduced. This patch corrects that oversight.
Reference(s):
. qualys patch revert
commit c5026787156d23512487ad9bbf540be7e3ee8de1
Signed-off-by: Jim Warner <james.warner@comcast.net>
---
top/top.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/top/top.c b/top/top.c
index 0c02201..6777942 100644
--- a/top/top.c
+++ b/top/top.c
@@ -3468,8 +3468,8 @@ static void inspection_utility (int pid) {
Inspect.tab[sel].caps = "~4"; dst[0] = '\0'; \
for (i = 0; i < Inspect.total; i++) { char _s[SMLBUFSIZ]; \
snprintf(_s, sizeof(_s), " %s %s", Inspect.tab[i].name, Inspect.tab[i].caps); \
- strcat(dst, _s); } }
- char sels[MEDBUFSIZ];
+ strncat(dst, _s, (sizeof(dst) - 1) - strlen(dst)); } }
+ char sels[SCREENMAX];
static int sel;
int i, key;
proc_t *p;
--
2.6.4.windows.1

50
top-the-define-PRETEND2_5_X-was-found-to-be-broken.patch
View File

@ -1,50 +0,0 @@
From 2b82cbfc2aa25d613414d9b164ae5773ca31045f Mon Sep 17 00:00:00 2001
From: Jim Warner <james.warner@comcast.net>
Date: Tue, 14 Aug 2018 00:00:00 -0500
Subject: [PATCH 53/65] top: the '#define PRETEND2_5_X' was found to be broken
Our newlib branch has already dropped support for such
old kernels. However, the master branch still supports
them. So this patch will correct a broken #define that
is used to influence the top Summary Area information.
Signed-off-by: Jim Warner <james.warner@comcast.net>
---
top/top.c | 4 ++++
top/top.h | 4 ----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/top/top.c b/top/top.c
index 46ffdc5..4146ddb 100644
--- a/top/top.c
+++ b/top/top.c
@@ -3615,7 +3615,11 @@ static void before (char *me) {
struct sigaction sa;
proc_t p;
int i;
+#ifndef PRETEND2_5_X
int linux_version_code = procps_linux_version();
+#else
+ int linux_version_code = LINUX_VERSION(2,5,43);
+#endif
atexit(close_stdout);
diff --git a/top/top.h b/top/top.h
index b6e970c..4a7c49a 100644
--- a/top/top.h
+++ b/top/top.h
@@ -92,10 +92,6 @@
/* For prompting & helping with top's utf-8 support, thanks to:
Göran Uddeborg <goeran@uddeborg.se> - September, 2017 */
-#ifdef PRETEND2_5_X
-#define linux_version_code LINUX_VERSION(2,5,43)
-#endif
-
// pretend as if #define _GNU_SOURCE
char *strcasestr(const char *haystack, const char *needle);
--
2.6.4.windows.1

90
vmstat-Check-return-values-of-localtime-and-strftime.patch
View File

@ -1,90 +0,0 @@
From 0b55f0dc80e886d43c2e966000e6d56c6535cdb0 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 16/65] vmstat: Check return values of localtime() and
strftime().
Otherwise it leads to NULL-pointer dereferences (in case of localtime()
errors) and indeterminate contents of timebuf (in case of strftime()
errors).
---
vmstat.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/vmstat.c b/vmstat.c
index c5f6d62..837244a 100644
--- a/vmstat.c
+++ b/vmstat.c
@@ -255,7 +255,7 @@ static void new_header(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- if (strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
timebuf[strlen(timestamp_header) - 1] = '\0';
} else {
timebuf[0] = '\0';
@@ -307,7 +307,11 @@ static void new_format(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr);
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr)) {
+ ;
+ } else {
+ timebuf[0] = '\0';
+ }
}
duse = *cpu_use + *cpu_nic;
@@ -360,7 +364,11 @@ static void new_format(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr);
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr)) {
+ ;
+ } else {
+ timebuf[0] = '\0';
+ }
}
duse =
@@ -557,7 +565,7 @@ static void diskheader(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- if (strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
timebuf[strlen(timestamp_header) - 1] = '\0';
} else {
timebuf[0] = '\0';
@@ -591,7 +599,11 @@ static void diskformat(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr);
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr)) {
+ ;
+ } else {
+ timebuf[0] = '\0';
+ }
}
if (!moreheaders)
@@ -630,7 +642,11 @@ static void diskformat(void)
if (t_option) {
(void) time( &the_time );
tm_ptr = localtime( &the_time );
- strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr);
+ if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_ptr)) {
+ ;
+ } else {
+ timebuf[0] = '\0';
+ }
}
for (i = 0; i < ndisks; i++, k++) {
--
2.6.4.windows.1

43
vmstat-Prevent-out-of-bounds-writes-in-new_header-an.patch
View File

@ -1,43 +0,0 @@
From 0bfe708c4b22d901ded1148e5771946568817326 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 17/65] vmstat: Prevent out-of-bounds writes in new_header()
and diskheader().
This does not happen with the default string (" -----timestamp-----"),
but this string is translated (to unknown lengths).
---
vmstat.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/vmstat.c b/vmstat.c
index 837244a..e0fe5f6 100644
--- a/vmstat.c
+++ b/vmstat.c
@@ -256,7 +256,10 @@ static void new_header(void)
(void) time( &the_time );
tm_ptr = localtime( &the_time );
if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
- timebuf[strlen(timestamp_header) - 1] = '\0';
+ const size_t len = strlen(timestamp_header);
+ if (len >= 1 && len - 1 < sizeof(timebuf)) {
+ timebuf[len - 1] = '\0';
+ }
} else {
timebuf[0] = '\0';
}
@@ -566,7 +569,10 @@ static void diskheader(void)
(void) time( &the_time );
tm_ptr = localtime( &the_time );
if (tm_ptr && strftime(timebuf, sizeof(timebuf), "%Z", tm_ptr)) {
- timebuf[strlen(timestamp_header) - 1] = '\0';
+ const size_t len = strlen(timestamp_header);
+ if (len >= 1 && len - 1 < sizeof(timebuf)) {
+ timebuf[len - 1] = '\0';
+ }
} else {
timebuf[0] = '\0';
}
--
2.6.4.windows.1

27
vmstat-Replace-memcmp-with-strncmp.patch
View File

@ -1,27 +0,0 @@
From b4f471848111948d6edd9132b3619869cf89971a Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 15/65] vmstat: Replace memcmp() with strncmp().
Otherwise this may read out-of-bounds (there is no guarantee that 5
bytes are actually available at partition/optarg).
---
vmstat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vmstat.c b/vmstat.c
index 6eca2c4..c5f6d62 100644
--- a/vmstat.c
+++ b/vmstat.c
@@ -909,7 +909,7 @@ int main(int argc, char *argv[])
case 'p':
statMode |= PARTITIONSTAT;
partition = optarg;
- if (memcmp(partition, "/dev/", 5) == 0)
+ if (strncmp(partition, "/dev/", 5) == 0)
partition += 5;
break;
case 'S':
--
2.6.4.windows.1

26
vmstat-getopt-returns-1-when-done-not-EOF.patch
View File

@ -1,26 +0,0 @@
From 4ce81d4dccbf74bc20e049b08cf4fc712168fdf4 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 14/65] vmstat: getopt*() returns -1 when done, not EOF.
Luckily, EOF is usually -1, but this is not guaranteed by the standard.
---
vmstat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vmstat.c b/vmstat.c
index f2aa2f4..6eca2c4 100644
--- a/vmstat.c
+++ b/vmstat.c
@@ -878,7 +878,7 @@ int main(int argc, char *argv[])
while ((c =
getopt_long(argc, argv, "afmnsdDp:S:wthV", longopts,
- NULL)) != EOF)
+ NULL)) != -1)
switch (c) {
case 'V':
printf(PROCPS_NG_VERSION);
--
2.6.4.windows.1

39
w-Clamp-maxcmd-to-the-MIN-MAX_CMD_WIDTH-range.patch
View File

@ -1,39 +0,0 @@
From 2503ec36304d961fb7b8eebb5f6a38ba58247bb1 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 13/65] w: Clamp maxcmd to the MIN/MAX_CMD_WIDTH range.
The current checks allow out-of-range values (for example, if
getenv/atoi returns ~-2GB, maxcmd becomes ~+2GB after the subtraction).
This is not a security problem, none of this is under an attacker's
control.
---
w.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/w.c b/w.c
index b3c0644..35710a3 100644
--- a/w.c
+++ b/w.c
@@ -579,11 +579,14 @@ int main(int argc, char **argv)
maxcmd = atoi(p);
else
maxcmd = MAX_CMD_WIDTH;
- if (MAX_CMD_WIDTH < maxcmd)
- maxcmd = MAX_CMD_WIDTH;
+#define CLAMP_CMD_WIDTH(cw) do { \
+ if ((cw) < MIN_CMD_WIDTH) (cw) = MIN_CMD_WIDTH; \
+ if ((cw) > MAX_CMD_WIDTH) (cw) = MAX_CMD_WIDTH; \
+} while (0)
+ CLAMP_CMD_WIDTH(maxcmd);
maxcmd -= 21 + userlen + (from ? fromlen : 0) + (longform ? 20 : 0);
- if (maxcmd < MIN_CMD_WIDTH)
- maxcmd = MIN_CMD_WIDTH;
+ CLAMP_CMD_WIDTH(maxcmd);
+#undef CLAMP_CMD_WIDTH
procs = readproctab(PROC_FILLCOM | PROC_FILLUSR | PROC_FILLSTAT);
--
2.6.4.windows.1

68
w-Prevent-out-of-bounds-reads-in-print_display_or_in.patch
View File

@ -1,68 +0,0 @@
From 3a437012f0e4041c2c1e9cbf0f08ad4b880fe80f Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 12/65] w: Prevent out-of-bounds reads in
print_display_or_interface().
They occur if disp or tmp reaches host + len: add checks. Also, constify
everything.
---
w.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/w.c b/w.c
index 2bee396..b3c0644 100644
--- a/w.c
+++ b/w.c
@@ -113,21 +113,22 @@ static void print_host(const char *restrict host, int len, const int fromlen)
/* This routine prints the display part of the host or IPv6 link address interface */
static void print_display_or_interface(const char *restrict host, int len, int restlen)
{
- char *disp,*tmp;
+ const char *const end = host + (len > 0 ? len : 0);
+ const char *disp, *tmp;
if (restlen <= 0) return; /* not enough space for printing anything */
/* search for a collon (might be a display) */
- disp = (char *)host;
- while ( (disp < (host + len)) && (*disp != ':') && isprint(*disp) ) disp++;
+ disp = host;
+ while ( (disp < end) && (*disp != ':') && isprint(*disp) ) disp++;
/* colon found */
- if (*disp == ':') {
+ if (disp < end && *disp == ':') {
/* detect multiple colons -> IPv6 in the host (not a display) */
tmp = disp+1;
- while ( (tmp < (host + len)) && (*tmp != ':') && isprint(*tmp) ) tmp++;
+ while ( (tmp < end) && (*tmp != ':') && isprint(*tmp) ) tmp++;
- if (*tmp != ':') { /* multiple colons not found - it's a display */
+ if (tmp >= end || *tmp != ':') { /* multiple colons not found - it's a display */
/* number of chars till the end of the input field */
len -= (disp - host);
@@ -149,9 +150,9 @@ static void print_display_or_interface(const char *restrict host, int len, int r
} else { /* multiple colons found - it's an IPv6 address */
/* search for % (interface separator in case of IPv6 link address) */
- while ( (tmp < (host + len)) && (*tmp != '%') && isprint(*tmp) ) tmp++;
+ while ( (tmp < end) && (*tmp != '%') && isprint(*tmp) ) tmp++;
- if (*tmp == '%') { /* interface separator found */
+ if (tmp < end && *tmp == '%') { /* interface separator found */
/* number of chars till the end of the input field */
len -= (tmp - host);
@@ -170,7 +171,6 @@ static void print_display_or_interface(const char *restrict host, int len, int r
fputc('-', stdout);
}
}
-
}
}
--
2.6.4.windows.1