ps SIGABRT with -o something -p 1,2,

Bug #2077938 reported by Walter
This bug affects 1 person
Affects          Status  Importance  Assigned to  Milestone
procps (Ubuntu)  New     Undecided   Unassigned

Bug Description

## PROBLEM ##

$ ps -p 1,2,
error: improper list

$ ps -o anything -p 1,2,
free(): invalid pointer
Signal 6 (ABRT) caught by ps (3.3.17).
ps:ps/display.c:70: please report this bug
Aborted (core dumped)

## VERSION ##

$ dpkg -l procps | grep ^ii
ii procps 2:3.3.17-6ubuntu2.1 amd64 /proc file system utilities

$ ps --version
ps from procps-ng 3.3.17

## CAUSE ##

(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737347729344) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737347729344) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737347729344, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7d7c476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7d627f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7dc3676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f15b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007ffff7ddacfc in malloc_printerr (str=str@entry=0x7ffff7f13744 "free(): invalid pointer") at ./malloc/malloc.c:5664
#7 0x00007ffff7ddca44 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at ./malloc/malloc.c:4439
#8 0x00007ffff7ddf453 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9 0x0000555555565d07 in parse_list (arg=<optimized out>, parse_fn=parse_fn@entry=0x5555555657f0 <parse_pid>) at ps/parser.c:222
#10 0x0000555555566d94 in parse_bsd_option () at ps/parser.c:682
#11 parse_all_options () at ps/parser.c:1122
#12 0x000055555555f38d in arg_parse (argv=0x7fffffffdd58, argc=5) at ps/parser.c:1196
#13 main (argc=5, argv=0x7fffffffdd58) at ps/display.c:682

That's here in ps/parser.c:

parse_error:
  free(buf);
  free(node->u); /* <-- uninitialized memory */
  free(node);
  return err;
}

## FIX ##

Index: procps-3.3.17/ps/parser.c
===================================================================
--- procps-3.3.17.orig/ps/parser.c
+++ procps-3.3.17/ps/parser.c
@@ -185,6 +185,7 @@ static const char *parse_list(const char
   /*** prepare to operate ***/
   node = malloc(sizeof(selection_node));
   node->n = 0;
+ node->u = NULL;
   buf = strdup(arg);
   /*** sanity check and count items ***/
   need_item = 1; /* true */
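
Review bot: the result of node = malloc(sizeof(selection_node)); at the top of this hunk is dereferenced without a NULL check, now by two stores (node->n = 0; and the added node->u = NULL;), and buf = strdup(arg); is unchecked as well. The added initialization is what the parse_error: path quoted above needs, since it calls free(node->u) before any array may have been assigned; consider also returning an error when either allocation fails. The upstream commit subject quoted below additionally names an int overflow for large arg, which this hunk does not address.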

## FIX IN UPSTREAM ##

$ git show f5f843e257daeceaac2504b8957e84f4bf87a8f2
commit f5f843e257daeceaac2504b8957e84f4bf87a8f2
Author: Roman Žilka <email address hidden>
Date: Thu Aug 10 21:56:00 2023 +0200

    ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr

$ git describe f5f843e257daeceaac2504b8957e84f4bf87a8f2
v4.0.3-62-gf5f843e2

Patch attached.

Cheers,
Walter Doekes
OSSO B.V.

Tags: patch
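
The error-path pattern behind this crash, as an added example that is not procps code: a simplified PID-list parser in which sel_node, parse_pid_list and every error string except "improper list" are hypothetical. It uses calloc() instead of the patch's explicit NULL assignment, so the shared cleanup label is safe on every exit, including the trailing-comma input from the report.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for ps's selection_node (assumed layout, not the real one). */
typedef struct { int *u; int n; } sel_node;

/* Returns NULL on success, else an error string. All failures share one
 * cleanup label, so whatever it frees must be defined before the first goto. */
static const char *parse_pid_list(const char *arg, sel_node **out) {
    const char *err = "improper list", *p;
    char *end;
    size_t items = 1;
    sel_node *node = calloc(1, sizeof *node);   /* u == NULL and n == 0 from the start */
    *out = NULL;
    if (!node) return "out of memory";
    if (*arg == '\0') goto fail;
    for (p = arg; *p; p++) {                    /* count items, reject empty ones */
        if (*p != ',') continue;
        if (p == arg || p[-1] == ',' || p[1] == '\0') goto fail; /* ",1" "1,,2" "1,2," */
        items++;
    }
    node->u = calloc(items, sizeof *node->u);   /* calloc rejects items*size overflow */
    if (!node->u) { err = "out of memory"; goto fail; }
    for (p = arg; ; p = end + 1) {
        long v;
        err = "bad process ID";                 /* constructed message */
        if (!isdigit((unsigned char)*p)) goto fail;
        errno = 0;
        v = strtol(p, &end, 10);
        if (errno || v < 1 || v > INT_MAX || (*end && *end != ',')) goto fail;
        node->u[node->n++] = (int)v;
        if (*end == '\0') break;
    }
    *out = node;
    return NULL;
fail:
    free(node->u);   /* NULL on the early exits, so free() is a no-op there */
    free(node);
    return err;
}
int main(void) {
    sel_node *sel;
    const char *err = parse_pid_list("1,2,", &sel);   /* input taken from the report */
    return puts(err ? err : "ok") == EOF;
}
```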
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix-sigabrt-on-improper-list.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch