10397688c9
* maybe_escape_markup: Make function memory-safe This fixes #492 and an additional buffer overflow that can happen when pango markup is enabled. Using config ``` general { output_format = "none" markup = "pango" } order += "wireless _first_" wireless _first_ { format_up = "W: (%quality at %essid, %bitrate) %ip" } ``` and renaming my phone's hotspot to `Hello world &<<<<<<hello world>>` i3status will throw an AddressSanitizer error: ``` ==1373240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7411d720923e at pc 0x7411daa7cee9 bp 0x7ffdae6ce070 sp 0x7ffdae6cd800 WRITE of size 5 at 0x7411d720923e thread T0 #0 0x7411daa7cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7411daa7d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x653b2764cdaf in maybe_escape_markup ../src/output.c:102 #3 0x653b27677df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x653b27640bf1 in main ../i3status.c:709 #5 0x7411da641ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7411da641d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x653b27633f24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7411d720923e is located in stack of thread T0 at offset 574 in frame #0 0x653b276750ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With pango disabled, the error is thrown elsewhere (#492): ``` ==1366779==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bab43a0923e at pc 0x7bab4727cee9 bp 0x7ffc289d2540 sp 0x7ffc289d1cd0 WRITE of size 33 at 0x7bab43a0923e thread T0 #0 0x7bab4727cee8 in __interceptor_vsprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765 #1 0x7bab4727d0ff in __interceptor_sprintf /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808 #2 0x5dd180858aa4 in maybe_escape_markup ../src/output.c:93 #3 0x5dd180883df9 in print_wireless_info ../src/print_wireless_info.c:607 #4 0x5dd18084cbf1 in main ../i3status.c:709 #5 0x7bab46843ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #6 0x7bab46843d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: 6542915cee3354fbcf2b3ac5542201faec43b5c9) #7 0x5dd18083ff24 in _start (/tmp/xx/i3status/build/i3status+0x4ff24) (BuildId: c737ce6288265fa02a7617c66f51ddd16b5a8275) Address 0x7bab43a0923e is located in stack of thread T0 at offset 574 in frame #0 0x5dd1808810ed in print_wireless_info ../src/print_wireless_info.c:513 This frame has 10 object(s): [48, 56) 'tmp' (line 604) [80, 168) 'info' (line 516) [208, 320) 'placeholders' (line 623) [352, 382) 'string_quality' (line 569) [416, 446) 'string_signal' (line 570) [480, 510) 'string_noise' (line 571) [544, 574) 'string_essid' (line 572) <== Memory access at offset 574 overflows this variable [608, 638) 'string_frequency' (line 573) [672, 702) 'string_ip' (line 574) [736, 766) 'string_bitrate' (line 575) ``` With the patch output is correct: ``` W: ( 72% at Hello world &<<<<<<hello world>>, 1,2009 Gb/s) 192.168.26.237 ``` and ``` W: ( 73% at Hello world &<<<<<<hello world>>, 1,1342 Gb/s) 192.168.26.237 ``` The patch changes the maybe_escape_markup function to use dynamic allocation instead of a static buffer. Confusing pointer arithmetic is replaced with index-based memory access. The `buffer` pointer does not move around except for `realloc`ations. Fixes #492 Closes #525 (alternative PR) * Revert to snprintf |
||
|---|---|---|
| .github/workflows | ||
| contrib | ||
| etc | ||
| include | ||
| man | ||
| meson | ||
| src | ||
| testcases | ||
| travis | ||
| .clang-format | ||
| .gitignore | ||
| CHANGELOG | ||
| CONTRIBUTING.md | ||
| i3status.c | ||
| I3STATUS_VERSION | ||
| LICENSE | ||
| meson_options.txt | ||
| meson.build | ||
| README.md | ||
i3status
Description
i3status is a small program for generating a status bar for i3bar, dzen2, xmobar or similar programs. It is designed to be very efficient by issuing a very small number of system calls, as one generally wants to update such a status line every second. This ensures that even under high load, your status bar is updated correctly. Also, it saves a bit of energy by not hogging your CPU as much as spawning the corresponding amount of shell commands would.
Development
i3status has the following dependencies:
- libconfuse-dev
- libyajl-dev
- libasound2-dev
- libnl-genl-3-dev
- meson (compile-time only dependency)
- asciidoc (only for the documentation)
- libpulse-dev (for getting the current volume using PulseAudio)
On debian-based systems, the following line will install all requirements:
apt-get install autoconf libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libpulse-dev libnl-genl-3-dev meson
Upstream
i3status is developed at https://github.com/i3/i3status
Compilation
Prefer installing i3status via your Linux distribution’s package manager.
If you absolutely have to build from source, use:
mkdir build
cd build
meson ..
ninja
sudo ninja install