Feature Request -- Support format_down in path_exists #1
Comments
smaeul
pushed a commit
to smaeul/i3status
that referenced
this issue
Nov 6, 2016
smaeul
pushed a commit
to smaeul/i3status
that referenced
this issue
Nov 16, 2016
smaeul
pushed a commit
to smaeul/i3status
that referenced
this issue
Dec 13, 2016
orestisfl
added a commit
that referenced
this issue
May 5, 2024
This fixes #492 and an additional buffer overflow that can happen when pango markup is enabled. Using config ``` general { output_format = "none" markup = "pango" } order += "wireless _first_" wireless _first_ { format_up = "W: (%quality at %essid, %bitrate) %ip" } ``` and renaming my phone's hotspot to `Hello world &<<<<<<hello world>>` i3status will throw an AddressSanitizer error: ``` ==1373240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7411d720923e at pc 0x7411daa7cee9 bp 0x7ffdae6ce070 sp 0x7ffdae6cd800 WRITE of size 5 at 0x7411d720923e thread T0 #0 0x7411daa7cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7411daa7d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x653b2764cdaf in maybe_escape_markup ../src/output.c:102 #3 0x653b27677df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x653b27640bf1 in main ../i3status.c:709 #5 0x7411da641ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7411da641d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x653b27633f24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7411d720923e is located in stack of thread T0 at offset 574 in frame #0 0x653b276750ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With pango disabled, the error is thrown elsewhere (#492): ``` ==1366779==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bab43a0923e at pc 0x7bab4727cee9 bp 0x7ffc289d2540 sp 0x7ffc289d1cd0 WRITE of size 33 at 0x7bab43a0923e thread T0 #0 0x7bab4727cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7bab4727d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x5dd180858aa4 in maybe_escape_markup ../src/output.c:93 #3 0x5dd180883df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x5dd18084cbf1 in main ../i3status.c:709 #5 0x7bab46843ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7bab46843d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x5dd18083ff24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7bab43a0923e is located in stack of thread T0 at offset 574 in frame #0 0x5dd1808810ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With the patch output is correct: ``` W: ( 72% at Hello world &<<<<<<hello world>>, 1,2009 Gb/s) 192.168.26.237 ``` and ``` W: ( 73% at Hello world &<<<<<<hello world>>, 1,1342 Gb/s) 192.168.26.237 ``` The patch changes the maybe_escape_markup function to use dynamic allocation instead of a static buffer. Confusing pointer arithmetic is replaced with index-based memory access. The `buffer` pointer does not move around except for `realloc`ations. Fixes #492 Closes #525 (alternative PR)
stapelberg
pushed a commit
that referenced
this issue
May 8, 2024
* maybe_escape_markup: Make function memory-safe This fixes #492 and an additional buffer overflow that can happen when pango markup is enabled. Using config ``` general { output_format = "none" markup = "pango" } order += "wireless _first_" wireless _first_ { format_up = "W: (%quality at %essid, %bitrate) %ip" } ``` and renaming my phone's hotspot to `Hello world &<<<<<<hello world>>` i3status will throw an AddressSanitizer error: ``` ==1373240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7411d720923e at pc 0x7411daa7cee9 bp 0x7ffdae6ce070 sp 0x7ffdae6cd800 WRITE of size 5 at 0x7411d720923e thread T0 #0 0x7411daa7cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7411daa7d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x653b2764cdaf in maybe_escape_markup ../src/output.c:102 #3 0x653b27677df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x653b27640bf1 in main ../i3status.c:709 #5 0x7411da641ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7411da641d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x653b27633f24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7411d720923e is located in stack of thread T0 at offset 574 in frame #0 0x653b276750ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With pango disabled, the error is thrown elsewhere (#492): ``` ==1366779==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bab43a0923e at pc 0x7bab4727cee9 bp 0x7ffc289d2540 sp 0x7ffc289d1cd0 WRITE of size 33 at 0x7bab43a0923e thread T0 #0 0x7bab4727cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7bab4727d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x5dd180858aa4 in maybe_escape_markup ../src/output.c:93 #3 0x5dd180883df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x5dd18084cbf1 in main ../i3status.c:709 #5 0x7bab46843ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7bab46843d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x5dd18083ff24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7bab43a0923e is located in stack of thread T0 at offset 574 in frame #0 0x5dd1808810ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With the patch output is correct: ``` W: ( 72% at Hello world &<<<<<<hello world>>, 1,2009 Gb/s) 192.168.26.237 ``` and ``` W: ( 73% at Hello world &<<<<<<hello world>>, 1,1342 Gb/s) 192.168.26.237 ``` The patch changes the maybe_escape_markup function to use dynamic allocation instead of a static buffer. Confusing pointer arithmetic is replaced with index-based memory access. The `buffer` pointer does not move around except for `realloc`ations. Fixes #492 Closes #525 (alternative PR) * Revert to snprintf
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Using the module path_exists... It will update the module with either red or green to indicate its status. I would like for that module to disappear when it is not available. This is possible in few other modules by issuing format_down = "" and path_exists does not have one.
The text was updated successfully, but these errors were encountered: