marco/i3status
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1e36324ef1
i3status/include/i3status.h
Orestis Floros 10397688c9
maybe_escape_markup: Make function memory-safe (#526) 
* maybe_escape_markup: Make function memory-safe

This fixes #492 and an additional buffer overflow that can happen when
pango markup is enabled.

Using config
```
general {
        output_format = "none"
        markup = "pango"
}

order += "wireless _first_"

wireless _first_ {
  format_up = "W: (%quality at %essid, %bitrate) %ip"
}
```

and renaming my phone's hotspot to `Hello world &<<<<<<hello world>>`
i3status will throw an AddressSanitizer error:
```
==1373240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7411d720923e at pc 0x7411daa7cee9 bp 0x7ffdae6ce070 sp 0x7ffdae6cd800
WRITE of size 5 at 0x7411d720923e thread T0
    #0 0x7411daa7cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765
    #1 0x7411daa7d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808
    #2 0x653b2764cdaf in maybe_escape_markup ../src/output.c:102
    #3 0x653b27677df9 in print_wireless_info ../src/print_wireless_info.c:607
    #4 0x653b27640bf1 in main ../i3status.c:709
    #5 0x7411da641ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #6 0x7411da641d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #7 0x653b27633f24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275)

Address 0x7411d720923e is located in stack of thread T0 at offset 574 in frame
    #0 0x653b276750ed in print_wireless_info ../src/print_wireless_info.c:513

  This frame has 10 object(s):
    [48, 56) 'tmp' (line 604)
    [80, 168) 'info' (line 516)
    [208, 320) 'placeholders' (line 623)
    [352, 382) 'string_quality' (line 569)
    [416, 446) 'string_signal' (line 570)
    [480, 510) 'string_noise' (line 571)
    [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable
    [608, 638) 'string_frequency' (line 573)
    [672, 702) 'string_ip' (line 574)
    [736, 766) 'string_bitrate' (line 575)
```

With pango disabled, the error is thrown elsewhere (#492):
```
==1366779==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bab43a0923e at pc 0x7bab4727cee9 bp 0x7ffc289d2540 sp 0x7ffc289d1cd0
WRITE of size 33 at 0x7bab43a0923e thread T0
    #0 0x7bab4727cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765
    #1 0x7bab4727d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808
    #2 0x5dd180858aa4 in maybe_escape_markup ../src/output.c:93
    #3 0x5dd180883df9 in print_wireless_info ../src/print_wireless_info.c:607
    #4 0x5dd18084cbf1 in main ../i3status.c:709
    #5 0x7bab46843ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #6 0x7bab46843d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9)
    #7 0x5dd18083ff24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275)

Address 0x7bab43a0923e is located in stack of thread T0 at offset 574 in frame
    #0 0x5dd1808810ed in print_wireless_info ../src/print_wireless_info.c:513

  This frame has 10 object(s):
    [48, 56) 'tmp' (line 604)
    [80, 168) 'info' (line 516)
    [208, 320) 'placeholders' (line 623)
    [352, 382) 'string_quality' (line 569)
    [416, 446) 'string_signal' (line 570)
    [480, 510) 'string_noise' (line 571)
    [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable
    [608, 638) 'string_frequency' (line 573)
    [672, 702) 'string_ip' (line 574)
    [736, 766) 'string_bitrate' (line 575)
```

With the patch output is correct:
```
W: ( 72% at Hello world &amp;&lt;&lt;&lt;&lt;&lt;&lt;hello world&gt;&gt;, 1,2009 Gb/s) 192.168.26.237
```
and
```
W: ( 73% at Hello world &<<<<<<hello world>>, 1,1342 Gb/s) 192.168.26.237
```

The patch changes the maybe_escape_markup function to use dynamic
allocation instead of a static buffer. Confusing pointer arithmetic is
replaced with index-based memory access. The `buffer` pointer does not
move around except for `realloc`ations.

Fixes #492
Closes #525 (alternative PR)

* Revert to snprintf
2024-05-08 17:51:40 +02:00

454 lines
18 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#ifndef _I3STATUS_H
#define _I3STATUS_H
typedef enum {
O_DZEN2,
O_XMOBAR,
O_I3BAR,
O_LEMONBAR,
O_TERM,
O_NONE
} output_format_t;
extern output_format_t output_format;
typedef enum {
M_PANGO,
M_NONE
} markup_format_t;
extern markup_format_t markup_format;
extern char *pct_mark;
#include <stdbool.h>
#include <confuse.h>
#include <time.h>
#include <yajl/yajl_gen.h>
#include <yajl/yajl_version.h>
#include <unistd.h>
#include <string.h>
#include <pthread.h>
#include <stdint.h>
#define BEGINS_WITH(haystack, needle) (strncmp(haystack, needle, strlen(needle)) == 0)
#define max(a, b) ((a) > (b) ? (a) : (b))
#define DEFAULT_SINK_INDEX UINT32_MAX
#define COMPOSE_VOLUME_MUTE(vol, mute) ((vol) | ((mute) ? (1 << 30) : 0))
#define DECOMPOSE_VOLUME(cvol) ((cvol) & ~(1 << 30))
#define DECOMPOSE_MUTED(cvol) (((cvol) & (1 << 30)) != 0)
#define MAX_SINK_DESCRIPTION_LEN (128) /* arbitrary */
#if defined(__linux__)
#define THERMAL_ZONE "/sys/class/thermal/thermal_zone%d/temp"
#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
/* this needs the coretemp module to be loaded */
#if defined(__DragonFly__)
#define THERMAL_ZONE "hw.sensors.cpu%d.temp0"
#else
#define THERMAL_ZONE "dev.cpu.%d.temperature"
#endif
#define BATT_LIFE "hw.acpi.battery.life"
#define BATT_TIME "hw.acpi.battery.time"
#define BATT_STATE "hw.acpi.battery.state"
#elif defined(__OpenBSD__) || defined(__NetBSD__)
/* Default to acpitz(4) if no path is set. */
#define THERMAL_ZONE "acpitz%d"
#endif
#if defined(__FreeBSD_kernel__) && defined(__GLIBC__)
#include <sys/stat.h>
#include <sys/param.h>
#endif
/* Allows for the definition of a variable without opening a new scope, thus
* suited for usage in a macro. Idea from wmii. */
#define with(type, var, init) \
for (type var = (type)-1; (var == (type)-1) && ((var = (init)) || 1); var = (type)1)
#define CASE_SEC(name) \
if (BEGINS_WITH(current, name)) \
with(cfg_t *, sec, cfg_section = cfg_getsec(cfg, name)) if (sec != NULL)
#define CASE_SEC_TITLE(name) \
if (BEGINS_WITH(current, name)) \
with(const char *, title, current + strlen(name) + 1) \
with(cfg_t *, sec, cfg_section = cfg_gettsec(cfg, name, title)) if (sec != NULL)
/* Macro which any plugin can use to output the full_text part (when the output
* format is JSON) or just output to stdout (any other output format). */
#define OUTPUT_FULL_TEXT(text) \
do { \
/* Terminate the output buffer here in any case, so that its \
* not forgotten in the module */ \
*outwalk = '\0'; \
if (output_format == O_I3BAR) { \
char *_markup = cfg_getstr(cfg_general, "markup"); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)"markup", strlen("markup")); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)_markup, strlen(_markup)); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)"full_text", strlen("full_text")); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)text, strlen(text)); \
} else { \
printf("%s", text); \
} \
} while (0)
#define SEC_OPEN_MAP(name) \
do { \
if (output_format == O_I3BAR) { \
yajl_gen_map_open(json_gen); \
yajl_gen_string(json_gen, (const unsigned char *)"name", strlen("name")); \
yajl_gen_string(json_gen, (const unsigned char *)name, strlen(name)); \
} \
} while (0)
#define SEC_CLOSE_MAP \
do { \
if (output_format == O_I3BAR) { \
char *_align = cfg_getstr(sec, "align"); \
if (_align) { \
yajl_gen_string(json_gen, (const unsigned char *)"align", strlen("align")); \
yajl_gen_string(json_gen, (const unsigned char *)_align, strlen(_align)); \
} \
struct min_width *_width = cfg_getptr(sec, "min_width"); \
if (_width) { \
/* if the value can be parsed as a number, we use the numerical value */ \
if (_width->num > 0) { \
yajl_gen_string(json_gen, (const unsigned char *)"min_width", strlen("min_width")); \
yajl_gen_integer(json_gen, _width->num); \
} else { \
yajl_gen_string(json_gen, (const unsigned char *)"min_width", strlen("min_width")); \
yajl_gen_string(json_gen, (const unsigned char *)_width->str, strlen(_width->str)); \
} \
} \
if (cfg_size(sec, "separator") > 0) { \
yajl_gen_string(json_gen, (const unsigned char *)"separator", strlen("separator")); \
yajl_gen_bool(json_gen, cfg_getbool(sec, "separator")); \
} \
if (cfg_size(sec, "separator_block_width") > 0) { \
yajl_gen_string(json_gen, (const unsigned char *)"separator_block_width", strlen("separator_block_width")); \
yajl_gen_integer(json_gen, cfg_getint(sec, "separator_block_width")); \
} \
const char *_sep = cfg_getstr(cfg_general, "separator"); \
if (strlen(_sep) == 0) { \
yajl_gen_string(json_gen, (const unsigned char *)"separator", strlen("separator")); \
yajl_gen_bool(json_gen, false); \
} \
yajl_gen_map_close(json_gen); \
} \
} while (0)
#define START_COLOR(colorstr) \
do { \
if (cfg_getbool(cfg_general, "colors")) { \
const char *_val = NULL; \
if (cfg_section) \
_val = cfg_getstr(cfg_section, colorstr); \
if (!_val) \
_val = cfg_getstr(cfg_general, colorstr); \
if (output_format == O_I3BAR) { \
yajl_gen_string(ctx->json_gen, (const unsigned char *)"color", strlen("color")); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)_val, strlen(_val)); \
} else { \
outwalk += sprintf(outwalk, "%s", color(colorstr)); \
} \
} \
} while (0)
#define END_COLOR \
do { \
if (cfg_getbool(cfg_general, "colors") && output_format != O_I3BAR) { \
outwalk += sprintf(outwalk, "%s", endcolor()); \
} \
} while (0)
#define INSTANCE(instance) \
do { \
if (output_format == O_I3BAR) { \
yajl_gen_string(ctx->json_gen, (const unsigned char *)"instance", strlen("instance")); \
yajl_gen_string(ctx->json_gen, (const unsigned char *)instance, strlen(instance)); \
} \
} while (0)
#define OUTPUT_FORMATTED \
do { \
const size_t remaining = ctx->buflen - (outwalk - ctx->buf); \
strncpy(outwalk, formatted, remaining); \
outwalk += strlen(formatted); \
} while (0)
/*
* The "min_width" module option may either be defined as a string or a number.
*/
struct min_width {
long num;
const char *str;
};
/* src/general.c */
char *skip_character(char *input, char character, int amount);
void die(const char *fmt, ...) __attribute__((format(printf, 1, 2), noreturn));
bool slurp(const char *filename, char *destination, int size);
char *resolve_tilde(const char *path);
void *scalloc(size_t size);
char *sstrdup(const char *str);
/* src/output.c */
void print_separator(const char *separator);
char *color(const char *colorstr);
char *endcolor() __attribute__((pure));
void reset_cursor(void);
void maybe_escape_markup(char *text, char *buffer, size_t size);
char *rtrim(const char *s);
char *ltrim(const char *s);
char *trim(const char *s);
// copied from i3:libi3/format_placeholders.c
/* src/format_placeholders.c */
typedef struct {
/* The placeholder to be replaced, e.g., "%title". */
const char *name;
/* The value this placeholder should be replaced with. */
const char *value;
} placeholder_t;
char *format_placeholders(const char *format, placeholder_t *placeholders, int num);
/* src/auto_detect_format.c */
char *auto_detect_format();
/* src/print_time.c */
void set_timezone(const char *tz);
/* src/first_network_device.c */
typedef enum {
NET_TYPE_WIRELESS = 0,
NET_TYPE_ETHERNET = 1,
NET_TYPE_OTHER = 2
} net_type_t;
const char *first_eth_interface(const net_type_t type);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *format_up;
const char *format_down;
} ipv6_info_ctx_t;
void print_ipv6_info(ipv6_info_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *path;
const char *format;
const char *format_below_threshold;
const char *format_not_mounted;
const char *prefix_type;
const char *threshold_type;
const double low_threshold;
} disk_info_ctx_t;
void print_disk_info(disk_info_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
int number;
const char *path;
const char *format;
const char *format_down;
const char *status_chr;
const char *status_bat;
const char *status_unk;
const char *status_full;
const char *status_idle;
int low_threshold;
char *threshold_type;
bool last_full_capacity;
const char *format_percentage;
bool hide_seconds;
} battery_info_ctx_t;
void print_battery_info(battery_info_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *title;
const char *format;
const char *tz;
const char *locale;
const char *format_time;
bool hide_if_equals_localtime;
time_t t;
} time_ctx_t;
void print_time(time_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *format;
time_t t;
} ddate_ctx_t;
void print_ddate(ddate_ctx_t *ctx);
const char *get_ip_addr(const char *interface, int family);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *interface;
const char *format_up;
const char *format_down;
const char *format_bitrate;
const char *format_noise;
const char *format_quality;
const char *format_signal;
} wireless_info_ctx_t;
void print_wireless_info(wireless_info_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *title;
const char *pidfile;
const char *format;
const char *format_down;
} run_watch_ctx_t;
void print_run_watch(run_watch_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *title;
const char *path;
const char *format;
const char *format_down;
} path_exists_ctx_t;
void print_path_exists(path_exists_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
int zone;
const char *path;
const char *format;
const char *format_above_threshold;
int max_threshold;
} cpu_temperature_ctx_t;
void print_cpu_temperature_info(cpu_temperature_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *format;
const char *format_above_threshold;
const char *format_above_degraded_threshold;
const char *path;
const float max_threshold;
const float degraded_threshold;
} cpu_usage_ctx_t;
void print_cpu_usage(cpu_usage_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *interface;
const char *format_up;
const char *format_down;
} eth_info_ctx_t;
void print_eth_info(eth_info_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *format;
const char *format_above_threshold;
const float max_threshold;
} load_ctx_t;
void print_load(load_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *format;
const char *format_degraded;
const char *threshold_degraded;
const char *threshold_critical;
const char *memory_used_method;
const char *unit;
const int decimals;
} memory_ctx_t;
void print_memory(memory_ctx_t *ctx);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *fmt;
const char *fmt_muted;
const char *device;
const char *mixer;
int mixer_idx;
} volume_ctx_t;
void print_volume(volume_ctx_t *ctx);
bool process_runs(const char *path);
int volume_pulseaudio(uint32_t sink_idx, const char *sink_name);
bool description_pulseaudio(uint32_t sink_idx, const char *sink_name, char buffer[MAX_SINK_DESCRIPTION_LEN]);
bool pulse_initialize(void);
typedef struct {
yajl_gen json_gen;
char *buf;
const size_t buflen;
const char *title;
const char *path;
const char *format;
const char *format_bad;
const int max_chars;
} file_contents_ctx_t;
void print_file_contents(file_contents_ctx_t *ctx);
/* socket file descriptor for general purposes */
extern int general_socket;
extern cfg_t *cfg, *cfg_general, *cfg_section;
extern void **cur_instance;
extern pthread_t main_thread;
#endif
Reference in New Issue View Git Blame Copy Permalink