Message-ID: <alpine.LNX.2.21.1904052326230.3249@kich.toxcorp.com>
Date:   Fri, 5 Apr 2019 23:50:01 +0200 (CEST)
From:   Jakub Jankowski <shasta@...corp.com>
To:     linux-kernel@...r.kernel.org
Subject: get_mm_cmdline and userspace (Perl) changing argv0

Starting with 4.18 we noticed that changing our own command line in Perl by 
setting $0 leads to (a bit) surprising results.

As long as we're setting $0 to something longer than the initial argv0, 
everything works (almost) as expected: reading from /proc/$$/cmdline 
yields what we set $0 to, followed by a single NULL byte.

However, when setting $0 to something shorter, doing the same yields what 
we set $0 to, then a single NULL byte, then thousands (depending on the 
size of the environment) of ' ' (0x20), and then a single NULL.

$ for i in $(seq 1 10); do
    perl -e '$0 = "1234567890"x'"$i"'; print `cat /proc/$$/cmdline`;' | wc -c;
  done
3291
3291
3291
3291
3291
3291
71
81
91
101
$

This leads to weird output of commands like "ps axufww", where a 
daemonized Perl script that had changed its $0 shows up as a long, mostly 
empty line on the process list.

We've seen this on both Perl 5.20 and 5.28, and Perl's code handling 
changes to $0 hasn't really changed since: 
https://perl5.git.perl.org/perl.git/blob/HEAD:/mg.c#l2673

Reverting commit 5ab8271899658042fabc5ae7e6a99066a210bc0e ("fs/proc: 
simplify and clarify get_mm_cmdline() function") in kernel, however, seems 
to restore previous behavior (no NULL byte at the end):

$ for i in $(seq 1 10); do
    perl -e '$0 = "1234567890"x'"$i"'; print `cat /proc/$$/cmdline`;' | wc -c;
  done
10
20
30
40
50
60
70
80
90
100
$

Has anybody else seen / been bothered by this?

Regards,
  Jakub.

-- 
Jakub Jankowski|shasta@...corp.com|https://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
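The following C program is an added example for readers of this archive; it is not code from the post, from Perl's mg.c, or from the kernel. It reproduces the technique Perl uses for $0 on Linux when setproctitle(3) is not available: overwrite argv[0] in place, and, when the new title is shorter, NUL-terminate it and fill the rest of the original argv+environ region with spaces (the 0x20 bytes the post sees). It then reads /proc/self/cmdline back and reports the byte count, so the two tables in the post can be reproduced without Perl on any kernel at hand. The helper names rewrite_title, initial_area_len and read_self_cmdline are my own, and the program assumes the usual Linux layout in which argv strings and environment strings sit back to back on the initial stack. Unlike Perl, it does not copy the environment aside first, so getenv() is unusable after the rewrite; that is deliberate to keep the demo short.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Overwrite the `area_len`-byte argv/environ region at `area` with `title`,
 * the way Perl's $0 assignment does on Linux without setproctitle(3):
 * a title that does not fit is truncated and NUL-terminated; a shorter one
 * is NUL-terminated and the rest of the region is filled with `pad`
 * (Perl uses ' ', which is where the post's 0x20 bytes come from).
 * Returns the number of title bytes stored, excluding the NUL. */
size_t rewrite_title(char *area, size_t area_len, const char *title, char pad)
{
    size_t len = strlen(title);

    if (area_len == 0)
        return 0;
    if (len >= area_len - 1) {
        memcpy(area, title, area_len - 1);
        area[area_len - 1] = '\0';
        return area_len - 1;
    }
    memcpy(area, title, len);
    area[len] = '\0';
    memset(area + len + 1, (unsigned char)pad, area_len - len - 1);
    return len;
}

/* Size of the region from argv[0] through the last string laid out back to
 * back with it (argv strings, then environ strings). Walking stops at the
 * first string that is not contiguous, so a relocated environment or argv
 * is never written over. (Hypothetical helper, mirrors Perl's PL_origalen.) */
size_t initial_area_len(char **argv, char **envp)
{
    char *s = argv[0];
    char **p;

    for (p = argv; *p; p++) {
        if (*p != s)
            break;
        s += strlen(*p) + 1;
    }
    for (p = envp; *p; p++) {
        if (*p != s)
            break;
        s += strlen(*p) + 1;
    }
    return (size_t)(s - argv[0]);
}

/* Read /proc/self/cmdline into buf. Returns the byte count (what `wc -c`
 * reports in the post), or -1 if the file cannot be opened. */
ssize_t read_self_cmdline(char *buf, size_t bufsz)
{
    int fd = open("/proc/self/cmdline", O_RDONLY);
    size_t total = 0;

    if (fd < 0)
        return -1;
    while (total < bufsz) {
        ssize_t n = read(fd, buf + total, bufsz - total);
        if (n <= 0)
            break;
        total += (size_t)n;
    }
    close(fd);
    return (ssize_t)total;
}

int main(int argc, char **argv)
{
    static char buf[1 << 16];
    char longtitle[200];                 /* constructed sample title */
    size_t area = initial_area_len(argv, environ);
    const char *titles[2];
    int i;

    (void)argc;
    memset(longtitle, 'L', sizeof longtitle - 1);
    longtitle[sizeof longtitle - 1] = '\0';
    titles[0] = "short";      /* shorter than a typical argv[0] */
    titles[1] = longtitle;    /* longer than argv[0], truncated if it does not fit */

    printf("argv+environ region: %zu bytes\n", area);
    for (i = 0; i < 2; i++) {
        size_t stored = rewrite_title(argv[0], area, titles[i], ' ');
        ssize_t got = read_self_cmdline(buf, sizeof buf);
        printf("title of %zu bytes -> /proc/self/cmdline is %zd bytes\n",
               stored, got);
    }
    return 0;
}
```

Build with `cc -o argv0demo argv0demo.c` and run it with a few environment variables set; compare the reported byte counts for the short title with the first and second tables in the post. Passing '\0' instead of ' ' as the pad byte shows what a NUL-padded rewrite reads back as on the same kernel.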
