Bug 1099091 - ps command is broken
Status: RESOLVED UPSTREAM
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Assigned To: Johannes Segitz
Reported: 2018-06-26 05:47 UTC by Thomas Hänig
Modified: 2018-06-28 15:47 UTC (History)
Description Thomas Hänig 2018-06-26 05:47:10 UTC
With yesterday's update, the '-C' switch of the 'ps' command does not work as before.

1.) process(es) it does not find:
tslb:~ # ps -ef | grep lightdm-gtk-greeter
lightdm   6858  6840  0 07:25 ?        00:00:00 /usr/sbin/lightdm-gtk-greeter
root      8069  7970  0 07:33 pts/1    00:00:00 grep --color=auto lightdm-gtk-greeter

tslb:~ # ps -C lightdm-gtk-greeter
  PID TTY          TIME CMD
=> nothing

tslb:~ # ps -C /usr/sbin/lightdm-gtk-greeter
  PID TTY          TIME CMD
=> nothing

2.) process(es) it finds:
tslb:~ # ps -ef | grep -i cron
root      3079     1  0 06:59 ?        00:00:00 /usr/sbin/cron -n
root      3342  3079  0 07:01 ?        00:00:00 /usr/sbin/CRON -n
root      9820  7970  0 07:46 pts/1    00:00:00 grep --color=auto -i cron

tslb:~ # ps -C cron
  PID TTY          TIME CMD
 3079 ?        00:00:00 cron
 3342 ?        00:00:00 cron


tslb:~ # rpm -qi procps
Name        : procps
Version     : 3.3.15
Release     : 1.1
Architecture: x86_64
Install Date: Mo 25 Jun 2018 07:53:07 CEST
Group       : System/Monitoring
Size        : 640751
License     : GPL-2.0-or-later AND LGPL-2.1-or-later
Signature   : RSA/SHA256, Fr 22 Jun 2018 13:41:02 CEST, Key ID b88b2fd43dbdc284
Source RPM  : procps-3.3.15-1.1.src.rpm
Build Date  : Fr 22 Jun 2018 13:40:25 CEST
Build Host  : lamb55
Comment 1 Thomas Hänig 2018-06-26 07:52:09 UTC
When playing with an older version, the following behaviour occurred:

tslb:~ # ps -C lightdm-gtk-greeter
  PID TTY          TIME CMD
 2648 ?        00:00:00 lightdm-gtk-gre

The value spit out for CMD is truncated after 15 characters. When using this crippled cmd for 'ps -C', a result is produced for either the older or the newer version.

tslb:~ # ps -C lightdm-gtk-gre
  PID TTY          TIME CMD
 2648 ?        00:00:00 lightdm-gtk-gre


Another example (again with the newer, broken version):

tslb:~ # ps -ef | grep qemu
qemu      2719     1 22 09:27 ?        00:03:06 /usr/bin/qemu-system-x86_64 ...

tslb:~ # ps -C qemu-system-x86_64
  PID TTY          TIME CMD
=> nothing

tslb:~ # ps -C qemu-system-x86
  PID TTY          TIME CMD
 2719 ?        00:03:10 qemu-system-x86


The "first 15 characters substring" is working here, so apparently the problem is not with the search term but the list of binaries "grep-ed through".
Comment 2 Dr. Werner Fink 2018-06-26 10:56:28 UTC
The option -C is described as

       -C cmdlist
              Select by command name.  This selects the processes whose
              executable name is given in cmdlist.

and the command name is NOT the command line, that is that ps does search for the first 15 bytes in the second field of

      /proc/<pid>/stat

or 

      /proc/<pid>/task/<pid>/comm

where the command name is given in () ... and the string within the () is not longer than 16 bytes including the ASCII 0 (which is kernel related!).

The security fix for CVE-2018-1124, CVE-2018-1126, CVE-2018-1125, CVE-2018-1123, and CVE-2018-1122 has included the change that if the string is longer than 15 bytes you will not find the command name as it does not fit.

If you think this is a bug, report it to Qualys, which had written those patches. Note that I'm not sure if it is safe to change anything about this behaviour without breaking one of the fixes.

Also I'm not sure if Qualys knows about prctl(2) with PR_SET_NAME.
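
Added example (not part of the original bug report and not procps code): a Python sketch of the comm matching described in Comment 2, run over constructed /proc data. All names (`SAMPLE`, `parse_comm`, `kernel_comm`, `select_exact`, `select_by_name`) are hypothetical, and `select_exact` only models the behaviour reported above for 3.3.15.

```python
import os

TASK_COMM_LEN = 16  # kernel comm buffer size, including the trailing NUL

# Constructed sample: pid -> (start of a /proc/<pid>/stat line, /proc/<pid>/cmdline)
SAMPLE = {
    6858: ("6858 (lightdm-gtk-gre) S 6840", b"/usr/sbin/lightdm-gtk-greeter\0"),
    3079: ("3079 (cron) S 1", b"/usr/sbin/cron\0-n\0"),
    2719: ("2719 (qemu-system-x86) S 1", b"/usr/bin/qemu-system-x86_64\0-m\0512\0"),
    4242: ("4242 (qemu-system-x86) S 1", b"/tmp/other\0"),  # same comm, other binary
}


def parse_comm(stat_line):
    """Return (pid, comm). comm may contain spaces or ')', so use the LAST ')'."""
    start, end = stat_line.index("("), stat_line.rindex(")")
    return int(stat_line[:start]), stat_line[start + 1:end]


def kernel_comm(name):
    """The name as the kernel stores it: basename cut to 15 bytes."""
    raw = os.path.basename(name).encode()[:TASK_COMM_LEN - 1]
    return raw.decode(errors="ignore")


def select_exact(procs, wanted):
    """Model of the reported 3.3.15 behaviour: the whole term must equal comm."""
    return sorted(pid for pid, (stat, _) in procs.items()
                  if parse_comm(stat)[1] == wanted)


def select_by_name(procs, wanted):
    """Match on the truncated comm, then confirm against argv[0]'s basename."""
    key, hits = kernel_comm(wanted), []
    for pid, (stat, cmdline) in procs.items():
        argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
        same_binary = os.path.basename(argv0) == os.path.basename(wanted)
        if parse_comm(stat)[1] == key and same_binary:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    print(select_exact(SAMPLE, "lightdm-gtk-greeter"))    # full name: no match
    print(select_by_name(SAMPLE, "lightdm-gtk-greeter"))  # truncated + confirmed
    print(select_exact(SAMPLE, "qemu-system-x86"))        # comm alone is ambiguous
```

Both comm and argv[0] can be changed by the process itself, so on a live system a check that must identify the binary should also resolve `/proc/<pid>/exe`.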
Comment 3 Thomas Hänig 2018-06-26 11:38:32 UTC
So essentially what you are saying is, the mechanism has always been the same but there has been some laziness in looking up the cmd's name which is no longer permitted?

Someone should at least update the manpage accordingly.
Comment 4 Dr. Werner Fink 2018-06-26 12:30:34 UTC
(In reply to Thomas Hänig from comment #3)
> So essentially what you are saying is, the mechanism has always been the same
> but there has been some laziness in looking up the cmd's name which is no
> longer permitted?
> 
> Someone should at least update the manpage accordingly.

I simply do not know if this change is essential, and if so then Qualys had forgotten the manual page, yes.
Comment 5 Johannes Segitz 2018-06-28 15:47:39 UTC
Qualys is a security company that provided an excellent writeup and patches for the issues they found. This was done as part of auditing the procps codebase; they will not continually fix issues in the codebase.

I opened 
https://gitlab.com/procps-ng/procps/issues/101
to get this fixed upstream.

@Thomas: If you want to have this fixed in Tumbleweed, please reopen and assign to the maintainer.