On Thu, Jul 27, 2017 at 02:03:05PM +0200, Jeremie Courreges-Anglas wrote:
> On Thu, Jul 27 2017, Klemens Nanni <k...@posteo.org> wrote:
> > Only main() calls pr_args() in L330 with ep->kp as argument which in
> > turn is set in L257 or L266 for every utmp entry. kp is checked against
> > NULL already in L229.
> >
> > Even if kp was somehow NULL chances are high we'd fail before pr_args()
> > was called anyway since L244, L256 and L265 would then cause a NULL pointer
> > dereference. In fact, proc_compare() even expects its second argument to
> > be not NULL (only the first one is checked explicitly).
> >
> > Not that crashing is guaranteed upon undefined behaviour but no one
> > seems to have reported failure within the last 13 years, so I think it's
> > safe to remove that check.
> >
> > Feedback? Comments?
> 
> I don't think this is correct.  ep->kp is set only if we find a matching
> live process.  If we don't, the diff results in a crash.  I don't know
> all the details of utmp handling, but I really doubt that we can assume
> a 1->1 mapping between utmp entries and live processes (stale entries,
> race conditions, etc).
> 
> Here's an example with a stale ssh entry:
> 
> ritchie /usr/src/usr.bin/w$ w
>  1:59PM  up 58 mins, 2 users, load averages: 0.27, 0.16, 0.14
> USER    TTY FROM              LOGIN@  IDLE WHAT
> jca      p0 :0                1:03PM     0 tmux: client 
> (/tmp/tmux-1000/default)
> jca      pg 127.0.0.1         1:57PM     1 -
> ritchie /usr/src/usr.bin/w$ ./obj/w
>  1:59PM  up 58 mins, 2 users, load averages: 0.21, 0.16, 0.13
> USER    TTY FROM              LOGIN@  IDLE WHAT
> jca      p0 :0                1:03PM     0 tmux: client 
> (/tmp/tmux-1000/default)
> Segmentation fault (core dumped)
> 
> 
> So the answer is "yes, this can happen".
Ah, I stand corrected about the 1->1 mapping, thanks a lot.
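The stale-entry case described above, as an added C illustration that is not w(1)'s source: the login table, process table, find_proc() and what_column() below are constructed stand-ins for the utmp walk and the ep->kp lookup, and the point is that a NULL lookup result is the normal outcome for a stale utmp entry, so the check before dereferencing it cannot be dropped.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for a utmp login record and a live process
 * (not the real struct utmp / kinfo_proc that w(1) uses). */
struct login_entry { const char *user; const char *tty; };
struct live_proc   { const char *tty;  const char *args; };

/* Constructed process table: only tty "p0" still has a live process.
 * The "pg" login below is a stale utmp record with no matching process,
 * mirroring the stale ssh entry shown in the thread. */
static const struct live_proc procs[] = {
    { "p0", "tmux: client (/tmp/tmux-1000/default)" },
};

static const struct login_entry logins[] = {
    { "jca", "p0" },
    { "jca", "pg" },   /* stale: session gone, utmp entry left behind */
};

/* Mirrors the lookup that sets ep->kp: returns NULL when no live
 * process owns the entry's tty. */
static const struct live_proc *find_proc(const char *tty)
{
    size_t i;
    for (i = 0; i < sizeof(procs) / sizeof(procs[0]); i++)
        if (strcmp(procs[i].tty, tty) == 0)
            return &procs[i];
    return NULL;
}

/* The WHAT column. The NULL check is what turns a stale entry into "-"
 * (as the unpatched w(1) output above shows) instead of a NULL dereference. */
static const char *what_column(const struct live_proc *kp)
{
    if (kp == NULL)
        return "-";
    return kp->args;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof(logins) / sizeof(logins[0]); i++)
        printf("%-8s %-3s %s\n", logins[i].user, logins[i].tty,
               what_column(find_proc(logins[i].tty)));
    return 0;
}
```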
