unix: fix format string vulnerability in freebsd.c

uv_set_process_title() was susceptible to a format string vulnerability:

  $ node -e 'process.title = Array(42).join("%s")'
  Segmentation fault: 11 (core dumped)

The fix is trivial - call setproctitle("%s", s) instead of setproctitle(s) -
but valgrind complains loudly about reads from and writes to uninitialized
memory in libc. It's not a libuv bug because the test case below triggers the
same warnings:

  #include <sys/types.h>
  #include <unistd.h>

  int main(void)
  {
    setproctitle("%s", "test");
    return 0;
  }

That's why this commit replaces setproctitle() with sysctl(KERN_PROC_ARGS).

This commit reapplies commit a9f6f06, which got reverted in 69a6afe. The revert
turned out to be unnecessary.
commit 94355e4718a788c5f2d97f1d9da34cbcd2c74b03 1 parent ff59525
@bnoordhuis bnoordhuis authored
Showing with 25 additions and 4 deletions.
  1. +15 −1 src/unix/freebsd.c
  2. +10 −3 test/test-process-title.c
16 src/unix/freebsd.c
@@ -139,9 +139,23 @@ char** uv_setup_args(int argc, char** argv) {
uv_err_t uv_set_process_title(const char* title) {
+ int oid[4];
+
if (process_title) free(process_title);
process_title = strdup(title);
- setproctitle(title);
+
+ oid[0] = CTL_KERN;
+ oid[1] = KERN_PROC;
+ oid[2] = KERN_PROC_ARGS;
+ oid[3] = getpid();
+
+ sysctl(oid,
+ ARRAY_SIZE(oid),
+ NULL,
+ NULL,
+ process_title,
+ strlen(process_title) + 1);
+
return uv_ok_;
}
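Review bot: The result of `process_title = strdup(title);` is never checked, and the new code then hands process_title to strlen() and sysctl(), so an allocation failure now dereferences NULL where the old setproctitle(title) path only ever used the caller's string. The return value of sysctl() is dropped as well, so a title the kernel refuses (FreeBSD caps how much argument data a process may set through KERN_PROC_ARGS, if I recall the handler correctly) still makes the function report uv_ok_ while the cached process_title disagrees with what ps shows. I would check both and report an error through whichever error constructors this tree uses (uv__new_artificial_error / uv__new_sys_error, assuming errno.h is already included in freebsd.c, which the hunk does not show). The oid[] setup in between is fine as is.
```c
uv_err_t uv_set_process_title(const char* title) {
  /* … unchanged: free of the previous title … */
  process_title = strdup(title);
  if (process_title == NULL)
    return uv__new_artificial_error(UV_ENOMEM);

  /* … unchanged: oid[] setup … */

  if (sysctl(oid,
             ARRAY_SIZE(oid),
             NULL,
             NULL,
             process_title,
             strlen(process_title) + 1) == -1)
    return uv__new_sys_error(errno);

  return uv_ok_;
}
```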
13 test/test-process-title.c
@@ -23,20 +23,27 @@
#include "task.h"
#include <string.h>
-TEST_IMPL(process_title) {
+
+static void set_title(const char* title) {
char buffer[512];
uv_err_t err;
err = uv_get_process_title(buffer, sizeof(buffer));
ASSERT(UV_OK == err.code);
- err = uv_set_process_title("new title");
+ err = uv_set_process_title(title);
ASSERT(UV_OK == err.code);
err = uv_get_process_title(buffer, sizeof(buffer));
ASSERT(UV_OK == err.code);
- ASSERT(strcmp(buffer, "new title") == 0);
+ ASSERT(strcmp(buffer, title) == 0);
+}
+
+TEST_IMPL(process_title) {
+ /* Check for format string vulnerabilities. */
+ set_title("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
+ set_title("new title");
return 0;
}
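Review bot: The round-trip assertion in set_title only proves that uv_get_process_title() hands back the string that was stored; whether it reads it back from the kernel or from libuv's cached copy is not visible in this hunk, so on FreeBSD the new sysctl(KERN_PROC_ARGS) path may be exercised only for "does not crash". That is still the important property here, since the `%s` probe is what crashed before, but the probe covers only read conversions; a format string that also contains write conversions would catch a regression that happens not to fault on reads, e.g. `set_title("%s%s%s%s%n%n%n%n%x%x%x%x");` as a second probe before the plain "new title" case. A one-line comment above the probe saying that a vulnerable implementation is expected to crash rather than fail an ASSERT would make the intent clearer to whoever next touches this test. Both set_title and the TEST_IMPL body are fully contained in the hunk.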