oss-sec mailing list archives
[Linux] /proc/pid/stat parsing bugs
From: Dmitry Vyukov <dvyukov () google com>
Date: Wed, 21 Dec 2022 18:13:17 +0100
Hello,

This is not a single vulnerability, the list of affected software is large, but it's not a security issue for all of it.

It occurred to me that most of the Linux procfs /proc/pid/stat and /proc/pid/task/tid/stat parsing code out there is buggy.

The file contains a set of numbers about the task:
https://man7.org/linux/man-pages/man5/proc.5.html
e.g.

$ cat /proc/self/stat
1715376 (cat) R 1544883 1715376 1544883 34819 1715376 4194304 106 0 0 0 0 0 0 0 20 0 1 0 42505561 9207808 237 18446744073709551615 93955355631616 93955355651497 140737444557056 0 0 0 0 0 0 0 0 0 17 36 0 0 0 0 0 93955355667504 93955355669120 93955385581568 140737444559745 140737444559765 140737444559765 140737444564971 0

Most of the code splits it by space and takes an N-th field. The problem is that the process name "(cat)" can contain spaces (and brackets).

Potentially some important software (containers/sandboxes) can be tricked into getting wrong data, and I've seen cases close to stack overflows (buffer for a fixed number of fields is allocated on stack).

Some examples:

OpenJDK:
https://sourcegraph.com/github.com/openjdk/jdk/-/blob/src/jdk.management/unix/native/libmanagement_ext/OperatingSystemImpl.c?L133-139
https://sourcegraph.com/github.com/openjdk/jdk8u/-/blob/jdk/src/solaris/native/sun/management/OperatingSystemImpl.c?L223-229

Ansible:
https://sourcegraph.com/github.com/ansible/ansible/-/blob/lib/ansible/modules/yum.py?L507-510

Libuv:
https://sourcegraph.com/github.com/libuv/libuv/-/blob/src/unix/linux.c?L674-701

bdwgc:
https://sourcegraph.com/github.com/mono/linux-packaging-mono/-/blob/external/bdwgc/os_dep.c?L1138-1155

But really most of the code that does it:
https://sourcegraph.com/search?q=context:global+/%5C%22%5C/proc%5C/.*%5C/stat%5C%22/

The only way to parse it is to do strrchr(')') first (fortunately it contains just one unescaped string).

Thanks
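
Added example, not part of the original message and not code from any project it links: a C sketch of the strrchr(')')-first parse described above, next to the split-on-space pattern it replaces. The names parse_stat, naive_ppid and struct stat_fields, the 64-byte comm buffer and the sample line are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the task's comm is "a) S 1 (b", so the line holds a decoy "S 1". */
#define SAMPLE "4242 (a) S 1 (b) R 1000 4242 4242 0 -1 4194304"
struct stat_fields { long pid; char comm[64]; char state; long ppid; };

/* Hypothetical helper: comm runs from the first '(' to the LAST ')'. */
int parse_stat(const char *line, struct stat_fields *out)
{
    const char *lp = strchr(line, '(');
    const char *rp = strrchr(line, ')');
    char *end;
    if (!lp || !rp || rp < lp)
        return -1;
    size_t len = (size_t)(rp - lp - 1);
    if (len >= sizeof(out->comm))        /* never overrun the fixed buffer */
        return -1;
    memcpy(out->comm, lp + 1, len);
    out->comm[len] = '\0';
    out->pid = strtol(line, &end, 10);
    if (end == line || end > lp)         /* pid must precede the '(' */
        return -1;
    /* Numeric fields are only trustworthy after the last ')'. */
    if (sscanf(rp + 1, " %c %ld", &out->state, &out->ppid) != 2)
        return -1;
    return 0;
}

/* The buggy pattern: split on spaces and take field 4 as ppid. */
long naive_ppid(const char *line)
{
    char buf[512];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "))
        if (++n == 4)
            return strtol(tok, NULL, 10);
    return -1;
}

int main(void)
{
    struct stat_fields f;
    if (parse_stat(SAMPLE, &f) == 0)
        printf("comm=\"%s\" state=%c ppid=%ld naive_ppid=%ld\n",
               f.comm, f.state, f.ppid, naive_ppid(SAMPLE));
    return 0;
}
```

On the constructed line the split-on-space version reports the decoy value embedded in the process name as the parent pid, while the version anchored on the last ')' reads the real state and ppid.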