Reorder check to avoid crash on invalid process field setting #122

cgzones · 2020-09-12T17:06:43Z

If using a setting from a different development version with an
unsupported process field, first dereferencing Process_fields[id] yields
to a crash:

=================================================================
==19530==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000612800 at pc 0x000000521d1a bp 0x7ffec47a5ff0 sp 0x7ffec47a5fe8
READ of size 8 at 0x000000612800 thread T0
#0 0x521d19 in readFields .htop/Settings.c:107:40
#1 0x51d117 in Settings_read .htop/Settings.c:141:10
#2 0x51c0c4 in Settings_new .htop/Settings.c:382:12
#3 0x4eafe2 in main .htop/htop.c:220:25
#4 0x7fa450570cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#5 0x427a59 in _start (.htop/htop+0x427a59)

0x000000612800 is located 0 bytes to the right of global variable 'Process_fields' defined in 'linux/LinuxProcess.c:24:18' (0x6118a0) of size 3936
SUMMARY: AddressSanitizer: global-buffer-overflow .htop/Settings.c:107:40 in readFields
Shadow bytes around the buggy address:
0x0000800ba4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800ba4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800ba4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800ba4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800ba4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800ba500:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800ba510: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800ba520: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800ba530: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800ba540: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800ba550: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==19530==ABORTING

If using a setting from a different development version with an unsupported process field, first dereferencing Process_fields[id] yields to a crash: ================================================================= ==19530==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000612800 at pc 0x000000521d1a bp 0x7ffec47a5ff0 sp 0x7ffec47a5fe8 READ of size 8 at 0x000000612800 thread T0 #0 0x521d19 in readFields .htop/Settings.c:107:40 #1 0x51d117 in Settings_read .htop/Settings.c:141:10 #2 0x51c0c4 in Settings_new .htop/Settings.c:382:12 htop-dev#3 0x4eafe2 in main .htop/htop.c:220:25 htop-dev#4 0x7fa450570cc9 in __libc_start_main csu/../csu/libc-start.c:308:16 htop-dev#5 0x427a59 in _start (.htop/htop+0x427a59) 0x000000612800 is located 0 bytes to the right of global variable 'Process_fields' defined in 'linux/LinuxProcess.c:24:18' (0x6118a0) of size 3936 SUMMARY: AddressSanitizer: global-buffer-overflow .htop/Settings.c:107:40 in readFields Shadow bytes around the buggy address: 0x0000800ba4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0000800ba500:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba510: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba520: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba530: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba540: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba550: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==19530==ABORTING

cgzones added the bug 🐛 Something isn't working label Sep 12, 2020

cgzones requested a review from natoscott September 12, 2020 17:06

BenBE approved these changes Sep 13, 2020

View reviewed changes

cgzones merged commit ffc65b3 into htop-dev:master Sep 17, 2020

cgzones deleted the settings_crash branch September 17, 2020 19:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Reorder check to avoid crash on invalid process field setting #122

Reorder check to avoid crash on invalid process field setting #122

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reorder check to avoid crash on invalid process field setting #122

Reorder check to avoid crash on invalid process field setting #122

Uh oh!

Conversation

Uh oh!

Uh oh!