unix: fix format string vulnerability in freebsd.c

uv_set_process_title() was susceptible to a format string vulnerability: $ node -e 'process.title = Array(42).join("%s")' Segmentation fault: 11 (core dumped) The fix is trivial - call setproctitle("%s", s) instead of setproctitle(s) - but valgrind complains loudly about reads from and writes to uninitialized memory in libc. It's not a libuv bug because the test case below triggers the same warnings: #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> int main(void) { setproctitle("%s", "test"); return 0; } That's why this commit replaces setproctitle() with sysctl(KERN_PROC_ARGS).
joyent · Jul 13, 2012 · a9f6f06 · a9f6f06
1 parent a87abc7
commit a9f6f06
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/src/unix/freebsd.c b/src/unix/freebsd.c
@@ -139,9 +139,23 @@ char** uv_setup_args(int argc, char** argv) {
 
 
 uv_err_t uv_set_process_title(const char* title) {
+  int oid[4];
+
   if (process_title) free(process_title);
   process_title = strdup(title);
-  setproctitle(title);
+
+  oid[0] = CTL_KERN;
+  oid[1] = KERN_PROC;
+  oid[2] = KERN_PROC_ARGS;
+  oid[3] = getpid();
+
+  sysctl(oid,
+         ARRAY_SIZE(oid),
+         NULL,
+         NULL,
+         process_title,
+         strlen(process_title) + 1);
+
   return uv_ok_;
 }
 

diff --git a/test/test-process-title.c b/test/test-process-title.c
@@ -23,20 +23,27 @@
 #include "task.h"
 #include <string.h>
 
-TEST_IMPL(process_title) {
+
+static void set_title(const char* title) {
   char buffer[512];
   uv_err_t err;
 
   err = uv_get_process_title(buffer, sizeof(buffer));
   ASSERT(UV_OK == err.code);
 
-  err = uv_set_process_title("new title");
+  err = uv_set_process_title(title);
   ASSERT(UV_OK == err.code);
 
   err = uv_get_process_title(buffer, sizeof(buffer));
   ASSERT(UV_OK == err.code);
 
-  ASSERT(strcmp(buffer, "new title") == 0);
+  ASSERT(strcmp(buffer, title) == 0);
+}
 
+
+TEST_IMPL(process_title) {
+  /* Check for format string vulnerabilities. */
+  set_title("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
+  set_title("new title");
   return 0;
 }