Karel Zak [Thu, 26 Feb 2026 10:27:48 +0000 (11:27 +0100)]
tools/checkconfig: strip C comments before macro extraction
Strip C/C++ comments (// line comments, single-line /* */ and
multi-line /* */ blocks) before extracting HAVE_ and ENABLE_ macros.
This avoids false positives from macros mentioned in comments, e.g.
"when HAVE_PIDFD_* ..." in include/pidfd-utils.h.
Karel Zak [Thu, 26 Feb 2026 09:39:08 +0000 (10:39 +0100)]
tools: git-version-bump, accept X.Y-devel version on master branch
Allow "X.Y-devel" as a valid version format, restricted to the master
branch only. Release versions (X.Y, X.Y.Z, X.Y-rcN, X.Y.Z-rcN) still
require a stable/vX.Y branch.
lib/fileeq: Handle large files on 32 bit correctly
The size_t iterator in ul_fileeq could overflow on 32 bit systems with
large file support. If this happens, the intro array is erroneously
overwritten, which could lead to false positive matches later on.
The iterator is checked against a size_t limit in get_digest, which is a
safe operation on 32 and 64 bit architectures.
Karel Zak [Wed, 25 Feb 2026 10:01:02 +0000 (11:01 +0100)]
hexdump: sanitize fiemap ioctl output
Cap fm_mapped_extents to FIEMAP_EXTENTS_BATCH after each ioctl() call
to prevent potential out-of-bounds access if the kernel returns more
extents than requested.
Reported-by: Coverity Scan Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Wed, 25 Feb 2026 09:47:09 +0000 (10:47 +0100)]
dmesg: add bounds checking to parse_kmsg_timestamp()
Add 'end' pointer parameter to parse_kmsg_timestamp() to validate
buffer boundaries, consistent with parse_syslog_timestamp(),
parse_faclev(), parse_callerid(), and skip_item().
Also remove misleading "for debug messages" comment from the
null-termination in print_kmsg() -- the null-termination is required
for correctness.
Originally reported by Coverity (CID 501581, STRING_NULL). The
Coverity report itself is not valid (the buffer is properly
null-terminated before parsing), but the code was inconsistent --
parse_kmsg_timestamp() was the only parser without bounds checking.
Karel Zak [Wed, 25 Feb 2026 09:21:56 +0000 (10:21 +0100)]
libblkid: fix integer overflows in HFS+ offset calculations
Two 32-bit multiplications using on-disk values can overflow:
- leaf_node_head (uint32_t) * leaf_node_size (uint16_t) used to
calculate leaf_block; overflow produces a wrong block number,
causing reads from incorrect offsets.
- embed_first_block (uint16_t) * alloc_block_size (uint32_t) used to
calculate the embedded HFS+ volume offset; overflow truncates the
result, again causing reads from wrong offsets.
Fix by widening leaf_block and off to uint64_t and casting
multiplication operands. Bogus results from crafted images are then
safely rejected by blkid_probe_get_buffer() bounds checking and
the extent loop exhaustion.
Karel Zak [Wed, 25 Feb 2026 09:14:43 +0000 (10:14 +0100)]
libblkid: fix integer overflow in linux_raid checksum size
The checksum size calculation uses on-disk max_dev (uint32_t) multiplied
by sizeof(dev_roles[0]). On 32-bit systems, this overflows size_t,
resulting in a truncated buffer and checksum computed over wrong data,
potentially allowing crafted images to bypass validation.
Fix by computing in uint64_t. Note that blkid_probe_get_buffer() has
a hardcoded 8 MiB limit, so unreasonably large (but non-overflowed)
values are still safely rejected.
Karel Zak [Wed, 25 Feb 2026 08:58:32 +0000 (09:58 +0100)]
libblkid: fix integer overflow in nvidia_raid size check
The size validation `le32_to_cpu(nv->size) * 4 != NVIDIA_SUPERBLOCK_SIZE`
is subject to 32-bit unsigned integer overflow. A crafted value like
0x4000001E overflows when multiplied by 4, wrapping to 120 and passing
the check. The checksum loop then iterates ~1 billion times, reading
far beyond the 120-byte buffer.
Fix by comparing against the expected count directly without
multiplication. Also add a buffer size parameter to
nvraid_verify_checksum() as defense-in-depth against oversized reads.
Karel Zak [Wed, 25 Feb 2026 08:02:05 +0000 (09:02 +0100)]
Merge branch 'lsfd--socknetns-for-tuntap' of https://github.com/masatake/util-linux
* 'lsfd--socknetns-for-tuntap' of https://github.com/masatake/util-linux:
lsfd: fill SOCK.NETNS column for tuntap
lsfd: load the information of the network namespace behind a tun device
lsfd: (refactor) call ioctl(TUNGETDEVNETNS) from target_fd related methods
lsfd: add stubs of target_fd related methods to cdev_class
tests: (lsfd::*) revise the way to use "$?"
tests: (lsns::*) revise the way to use "$?"
Karel Zak [Wed, 25 Feb 2026 07:55:42 +0000 (08:55 +0100)]
fsck.cramfs: fix off-by-one heap write in do_symlink()
In do_symlink(), the decompressed symlink target is NUL-terminated by
writing outbuffer[size] = 0. The outbuffer is allocated as blksize * 2
bytes, but uncompress_block() can return up to blksize * 2, so when
size == blksize * 2 the NUL write lands one byte past the heap
allocation. Allocating one extra byte ensures the NUL terminator stays
within bounds. The stream.avail_out value remains blksize * 2, so
decompression behavior is unchanged.
Reported-by: Pavel Kohout, Aisle Research, www.aisle.com Signed-off-by: Karel Zak <kzak@redhat.com>
Masatake YAMATO [Wed, 4 Feb 2026 21:14:52 +0000 (06:14 +0900)]
lsfd: fill SOCK.NETNS column for tuntap
There are two network namespaces associated with a file descriptor
opening /dev/net/tun.
One is the device network namespace (devnetns). A tun/tap file
descriptor is associated with a network device, and the devnetns
is the namespace in which that device exists. lsfd already provides
this information via the TUN.DEVNETNS column.
The other is the socket network namespace (socknetns). A tun/tap
file descriptor is also associated with a socket, and the socknetns
is the namespace in which that socket was created. lsfd already
has the SOCK.NETNS column for reporting this information, but it
was not filled for file descriptors opening /dev/net/tun.
Masatake YAMATO [Wed, 4 Feb 2026 20:42:16 +0000 (05:42 +0900)]
lsfd: (refactor) call ioctl(TUNGETDEVNETNS) from target_fd related methods
In the original code, the attach_xinfo method of the cdev_tun_ops
struct called the ioctl. The attach_xinfo method retrieved the fd
passing to the ioctl by calling call_with_foreign_fd utility function.
In the last commit, we added the target_fd related methods in
cdev_tun_ops struct. The caller side of the target_fd related methods
calls call_with_foreign_fd.
We can reduce the code calling call_with_foreign_fd by moving the code
calling ioctl from the attach_xinfo method to the target_fd related
methods.
Karel Zak [Tue, 24 Feb 2026 08:54:12 +0000 (09:54 +0100)]
man pages: consolidate libsmartcols environment variables
Introduce man-common/env-smartcols.adoc to describe all libsmartcols
environment variables (LIBSMARTCOLS_DEBUG, LIBSMARTCOLS_DEBUG_PADDING,
LIBSMARTCOLS_JSON) in one place.
Replace duplicated LIBSMARTCOLS_DEBUG descriptions in cfdisk, fdisk,
sfdisk, findmnt, lsblk, and column man pages with an include of the
new common file.
Addresses: https://github.com/util-linux/util-linux/issues/3971 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 24 Feb 2026 11:41:39 +0000 (12:41 +0100)]
libblkid: iso9660: validate root directory to reduce false positives
The CD001 magic signature at 32KB offset can match file data content
on other filesystems (e.g. an .iso file stored on XFS whose data
blocks happen to land at the device offset where blkid looks for the
ISO 9660 Primary Volume Descriptor). This causes blkid to report
ambivalent results for a device that has only one real filesystem.
Add validation of the root directory record from the PVD: read the
root directory extent and verify that the first entry is a valid "."
self-reference (file_id_len == 1, file_id == 0x00, extent location
pointing back to itself). This check reliably rejects false positive
CD001 signatures because the root directory LBA from the PVD points
to a different location on the device that contains unrelated data.
Addresses: https://github.com/util-linux/util-linux/issues/4031 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 24 Feb 2026 08:38:09 +0000 (09:38 +0100)]
Merge branch 'feat/3971_compact_json_and_jsonl_support' of https://github.com/echoechoin/util-linux
* 'feat/3971_compact_json_and_jsonl_support' of https://github.com/echoechoin/util-linux:
jsonwrt: simplify ul_jsonwrt_empty() and add comments for COMPACT format
column: using switch-case replaces if-else
column: add JSON compact format output subtest.
column: add JSON LINES format output subtest.
column: introduce LIBSMARTCOLS_JSON environment argument
jsonwrt: support Compact JSON format output
libsmartcols: support JSON Lines format output
Karel Zak [Tue, 24 Feb 2026 08:13:15 +0000 (09:13 +0100)]
Merge branch 'libblkid_fix_cache_garbage_collection' of https://github.com/cgoesche/util-linux-fork
* 'libblkid_fix_cache_garbage_collection' of https://github.com/cgoesche/util-linux-fork:
blkid: add --garbage-collect test
libblkid: remove empty loop devices from cache when garbage collecting
Wilfred Mallawa [Mon, 23 Feb 2026 23:43:29 +0000 (09:43 +1000)]
blkzone: add more checks when printing zone write_pointer
The zone write pointer is also invalid for READONLY and OFFLINE zones, so
handle such cases appropriately by not displaying a write pointer for
READONLY and OFFLINE zones.
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> Fixes: b032247f48 ("blkzone: don't show wptr when zones are full")
Accessing pager_process.pid from within a signal handler is, by strict C
language interpretation, not signal safe.
Wait for all children (and thus for pager_process.pid as well) instead.
The current users dmesg and fdisk have no further children so this is a
good compromise here.
The signal handler is used for SIGINT, SIGHUP, SIGTERM, SIGQUIT. From a
terminal perspective, these are normally intercepted by the child, not
the parent.
Since wait_for_pager is never reached by a signal handler anymore, a
regular err() call is now possible. Just make sure that no exit function
handler could ever loop endlessly.
Karel Zak [Mon, 23 Feb 2026 13:06:57 +0000 (14:06 +0100)]
Merge branch 'lsmem_show_zones_on_uncommon_phy_mem_layout' of https://github.com/cgoesche/util-linux-fork
* 'lsmem_show_zones_on_uncommon_phy_mem_layout' of https://github.com/cgoesche/util-linux-fork:
lsmem: fix missing zone info when memory blocks start at an index other than 0
libblkid: remove empty loop devices from cache when garbage collecting
The cache garbage collection (blkid --garbage-collect) does not work for
entries of loop devices even when these have been detached. The previous
logic performed a simple stat() on the dev node path, however this is not
enough for loop devices as their nodes can remain present even if they
aren't backed by any file or other block device.
Therefore, it is more sane to verify if the loop device has a backing file
and if not, we remove it from the cache.
Closes: #4061 Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Mon, 23 Feb 2026 10:00:20 +0000 (11:00 +0100)]
login: improve comments for signal handling in fork_session()
Add more detailed comments explaining the signal blocking and
sigsuspend() pattern introduced by the previous commit. The key
insight is that sigsuspend() is the actual wait point where
SIGTERM/SIGHUP are forwarded to the child, while waitpid() with
WNOHANG only performs non-blocking checks for terminated children.
lsmem: fix missing zone info when memory blocks start at an index other than 0
On systems that have an uncommon physical memory layout, e.g. where hotpluggable
memory blocks start at an offset greater than 0, we failed to set the 'have_zones'
control flag, which caused an omission of the ZONES information of the listed
individual memory block or a block range. This is because we explicitly tested for
/sys/devices/system/memory/memory0/valid_zones, however it is better to simply
look for any memory<n> directory entry and validate the existence of the valid_zones
attribute.
Closes: #4055 Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Two cases exist in which login might send signals to a process which is
actually not a child process:
- If SIGCHLD is set to SIG_IGN by login's parent process (unlikely),
then no zombie process exists. The kernel could already reuse the PID
for another process just before login's signal_handler function sends
a signal to its stored child PID -- which was already reused
- If wait succeeds, the PID can be reused by the kernel for another
process. The registered signal_handlers could still use the stored
child PID to send signals -- but erroneously to a wrong process
Fix these cases by blocking and unblocking SIGCHLD and signal_handler
triggering signals around the wait call. Set child_pid to 0 after wait
succeeded and before signal_handler signals are unblocked again.
A user might prematurely close the pager before the parent wrote its
full output into the pipe. This triggers SIGPIPE, which would eventually
lead to an error return value.
The programs dmesg and fdisk can keep running just fine in these cases.
In fact, dmesg's source code was already prepared for EPIPE error return
values.
If the pager returns with a success return value, ignore SIGPIPE. If
there was an error within the pager, stop the parent as well.
With this, dmesg does not return an error anymore if the ring buffer was
not fully sent to the pager before it was closed.
Just calling exit with a success return value in case of an EPIPE error
in safe_fwrite is not precise enough. If dmesg was called with "-c",
i.e. to print and then clear the ring buffer, a successful return value
should mean that the ring buffer is cleared as well.
Instead, continue operation on EPIPE error but stop any further regular
output.
projects / thirdparty / util-linux.git / log
