Karel Zak [Tue, 7 Apr 2026 11:49:32 +0000 (13:49 +0200)]
Merge branch 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork
* 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork:
chrt: (man) explain which kernel config options are needed for SCHED_EXT
Karel Zak [Tue, 7 Apr 2026 11:49:02 +0000 (13:49 +0200)]
write, mesg: add S_ISCHR() check for terminal device paths
Verify that the target path is a character device before proceeding.
This hardens both utilities against symlink-to-regular-file attacks
as a defense-in-depth measure.
Note that the TOCTOU race condition between stat() and freopen()/open()
is only theoretical -- on modern Linux systems /dev/pts/ is a
kernel-managed devpts filesystem where unprivileged users cannot create
or replace entries, and the setgid tty privilege only grants write
access to terminal devices, not to arbitrary files.
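An added illustration of the check this commit describes, not code from the util-linux tree: the hypothetical helper open_chardev() applies S_ISCHR() through fstat() on the already opened descriptor, a variant of the stat()-then-open order named above. The /tmp paths are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: keep the descriptor only if it is a character device. */
static int open_chardev(const char *path)
{
	struct stat st;
	int fd = open(path, O_WRONLY | O_NOCTTY | O_NONBLOCK | O_CLOEXEC);
	if (fd < 0)
		return -1;
	/* fstat() checks the opened object itself, not the path. */
	if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
		close(fd);
		errno = ENOTTY;
		return -1;
	}
	return fd;
}

/* Constructed case: symlink to a regular file. Returns 1 if rejected. */
static int symlink_to_regular_rejected(void)
{
	char file[] = "/tmp/chardev-XXXXXX", lnk[64];
	int fd = mkstemp(file), rejected = -1;
	if (fd < 0)
		return -1;
	close(fd);
	snprintf(lnk, sizeof(lnk), "%s.lnk", file);
	if (symlink(file, lnk) == 0) {
		fd = open_chardev(lnk);
		rejected = (fd < 0 && errno == ENOTTY);
		if (fd >= 0)
			close(fd);
		unlink(lnk);
	}
	unlink(file);
	return rejected;
}

int main(void)
{
	printf("symlink to regular file rejected: %d\n", symlink_to_regular_rejected());
	return 0;
}
```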
Johannes Wüller [Sat, 4 Apr 2026 18:03:06 +0000 (20:03 +0200)]
mkswap: Fix --file chmod(2) check when file exists
The documentation claims that `--size` will resize the `--file`, but
it ends up failing like this:
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=1523588e-412a-4f25-8fac-aeaf638101aa
# mkswap --file /swapfile --size 4G
mkswap: cannot set permissions on swap file /swapfile: Success
There seems to have been a typo in the chmod(2) return value comparison.
It checked for `< 9` rather than `< 0`, which would usually indicate
failure. After the fix:
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=6be7c450-761c-442d-8d9a-3e8cd93506b5
# mkswap --file /swapfile --size 4G
mkswap: /swapfile: warning: wiping old swap signature.
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=617a793e-84b1-471d-96c5-c099f8b157db
The operation no longer fails, as validated by the added test.
chrt: (man) explain which kernel config options are needed for SCHED_EXT
On systems running kernel version 6.12+ it is still possible
that the syscall to set SCHED_EXT fails with EINVAL; this can
happen when certain kernel configuration options have not been
set. The list of required options can be found here:
https://docs.kernel.org/scheduler/sched-ext.html#switching-to-and-from-sched-ext
Let's document this in the man page to give users a heads up.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
The maximum amount of records to print can be specified in two different
ways: Either with -n/--limit or by specifying the number as argument,
i.e. -number.
The current parser does not check for possible overflow with -number
arguments and mixes -number arguments with -n arguments.
Properly split these two notations and use strtou32_or_err for overflow
checks.
Reset the child pid only after comparison with waitpid result.
Currently, this leads to returning -1 or 1, which ultimately leads
to exit code 1 in case of a SIGPIPE. This is the behavior as of 2.41,
which means that no regression between releases occurred. Yet, fix it
nonetheless.
If a UID/GID is larger than its respective data type allows (but smaller
than uint64_t), then tools like newgrp erroneously assume that the user
or group simply does not exist.
Set errno to indicate that the supplied UID/GID is out of range instead.
bash-completion: complete relative path for filenames as well
Commit 1a76e3e only helped with the completion of directory
names for relative paths. Let us complete filenames too for
completeness (no pun intended).
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Wed, 25 Mar 2026 10:54:42 +0000 (11:54 +0100)]
libfdisk: dos: validate EBR link within extended partition bounds
The read_extended() function follows EBR chain links without checking
that the target offset falls within the master extended partition.
A malformed EBR link can point outside the extended area.
Add a bounds check before read_pte() to stop the chain walk when the
next EBR offset is outside [ext_start, ext_end]. This is self-defense
during parsing; it does not restrict what the user can create.
Karel Zak [Wed, 25 Mar 2026 10:54:28 +0000 (11:54 +0100)]
libblkid: dos: validate EBR data and links within extended partition
The parse_dos_extended() function processes EBR (Extended Boot Record)
chains, but does not properly validate that partitions and links stay
within the master extended partition area [ex_start, ex_start+ex_size).
For EBR data partitions at index 0 and 1, there are no bounds checks
at all, unlike entries at index 2 and 3. This allows a crafted disk
image to register partitions at arbitrary sectors via uint32_t overflow
in the abs_start calculation (cur_start + start wraps to a small value).
Fix by:
- using 64-bit arithmetic for the abs_start calculation to avoid
uint32_t wraparound
- applying the extended partition area bounds check to all EBR data
entries, not just index >= 2
- validating EBR link targets stay within the extended area and
advance forward (preventing backward links that could loop)
Reported-by: Michele Piccinni <piccinni.michele@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
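The wraparound and the three checks listed in the commit message above, as an added example that is not libblkid's code: the function names are hypothetical and the sector values are constructed. It assumes the usual EBR convention that data offsets are relative to the current EBR and link offsets are relative to the start of the extended partition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix pattern: the sum is computed in 32 bits and wraps silently. */
static uint32_t abs_start_u32(uint32_t cur_start, uint32_t start)
{
	return cur_start + start;
}

/* Data entry check in 64 bits: the partition must lie completely inside
 * [ex_start, ex_start + ex_size). Offsets of data entries are relative
 * to the EBR that holds them (cur_start). */
static bool ebr_data_ok(uint32_t ex_start, uint32_t ex_size,
			uint32_t cur_start, uint32_t start, uint32_t size)
{
	uint64_t abs_start = (uint64_t)cur_start + start;
	uint64_t ex_end = (uint64_t)ex_start + ex_size;

	return abs_start >= ex_start && abs_start + size <= ex_end;
}

/* Link check: link offsets are relative to the extended partition start.
 * The next EBR must be inside the area and strictly after the current
 * one, so a chain can never loop back. */
static bool ebr_link_ok(uint32_t ex_start, uint32_t ex_size,
			uint32_t cur_start, uint32_t link_start)
{
	uint64_t next = (uint64_t)ex_start + link_start;
	uint64_t ex_end = (uint64_t)ex_start + ex_size;

	return next > cur_start && next < ex_end;
}

int main(void)
{
	/* Constructed values: extended area of 1000000 sectors at sector 2048. */
	uint32_t ex_start = 2048, ex_size = 1000000;

	printf("wrapped abs_start: %u\n", abs_start_u32(0xFFFFFF00u, 0x200u));
	printf("crafted entry ok:  %d\n", ebr_data_ok(ex_start, ex_size, 0xFFFFFF00u, 0x200u, 100));
	printf("normal entry ok:   %d\n", ebr_data_ok(ex_start, ex_size, 2048, 63, 1000));
	printf("forward link ok:   %d\n", ebr_link_ok(ex_start, ex_size, 4096, 8192));
	printf("backward link ok:  %d\n", ebr_link_ok(ex_start, ex_size, 4096, 0));
	return 0;
}
```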
Karel Zak [Thu, 19 Feb 2026 12:59:46 +0000 (13:59 +0100)]
loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that
prevents symlink following in both path canonicalization and file open.
When set:
- loopcxt_set_backing_file() uses strdup() instead of
ul_canonicalize_path() (which calls realpath() and follows symlinks)
- loopcxt_setup_device() adds O_NOFOLLOW to open() flags
The flag is set for non-root (restricted) mount operations in
libmount's loop device hook. This prevents a TOCTOU race condition
where an attacker could replace the backing file (specified in
/etc/fstab) with a symlink to an arbitrary root-owned file between
path resolution and open().
Vulnerable Code Flow:
  mount /mnt/point (non-root, SUID)
    mount.c: sanitize_paths() on user args (mountpoint only)
    mnt_context_mount()
      mnt_context_prepare_mount()
        mnt_context_apply_fstab()          <-- source path from fstab
        hooks run at MNT_STAGE_PREP_SOURCE
          hook_loopdev.c: setup_loopdev()
            backing_file = fstab source path ("/home/user/disk.img")
            loopcxt_set_backing_file()     <-- calls realpath() as ROOT
              ul_canonicalize_path()       <-- follows symlinks!
            loopcxt_setup_device()
              open(lc->filename, O_RDWR|O_CLOEXEC)  <-- no O_NOFOLLOW
Two vulnerabilities in the path:
1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses
realpath() -- this follows symlinks as euid=0. If the attacker swaps
the file to a symlink before this call, lc->filename becomes the
resolved target path (e.g., /root/secret.img).
2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even
if canonicalization happened correctly, the file can be swapped to a
symlink between canonicalize and open.
Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
Signed-off-by: Karel Zak <kzak@redhat.com>
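The effect of the O_NOFOLLOW change described above, as an added example that is not taken from the util-linux source: open_backing() and demo() are hypothetical names, and the file layout under /tmp is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for the open() in loopcxt_setup_device().
 * restricted != 0 models LOOPDEV_FL_NOFOLLOW. Returns fd or -errno. */
static int open_backing(const char *path, int restricted)
{
	int fd, flags = O_RDWR | O_CLOEXEC;

	/* O_NOFOLLOW makes open() fail with ELOOP when the final path
	 * component is a symlink; earlier components are still followed. */
	if (restricted)
		flags |= O_NOFOLLOW;
	fd = open(path, flags);
	return fd < 0 ? -errno : fd;
}

/* Constructed scenario: disk.img has been replaced by a symlink to
 * secret.img. Returns 0 if the open succeeded, else -errno. */
static int demo(int restricted)
{
	char dir[] = "/tmp/loopdemo-XXXXXX", target[64], lnk[64];
	int fd, rc;

	if (!mkdtemp(dir))
		return -errno;
	snprintf(target, sizeof(target), "%s/secret.img", dir);
	snprintf(lnk, sizeof(lnk), "%s/disk.img", dir);
	fd = open(target, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
	if (fd >= 0)
		close(fd);
	rc = (fd < 0 || symlink(target, lnk) != 0) ? -errno : open_backing(lnk, restricted);
	if (rc >= 0) {
		close(rc);
		rc = 0;
	}
	unlink(lnk);
	unlink(target);
	rmdir(dir);
	return rc;
}

int main(void)
{
	printf("without O_NOFOLLOW: %d\n", demo(0));
	printf("with O_NOFOLLOW:    %d (-ELOOP is %d)\n", demo(1), -ELOOP);
	return 0;
}
```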
Merge its functionality into ul_debug_prefix and use proper macros in
tools which still call it directly. This adjusts output, but makes it
actually more readable.
Merges debugobj.h into debug.c and increases flexibility in output:
Just like __UL_DBG any debug output function can be supplied.
Throughout the code, this is always ul_debug by today.
Karel Zak [Tue, 31 Mar 2026 10:10:28 +0000 (12:10 +0200)]
Merge branch 'less-header-support' of https://github.com/kurok/util-linux
* 'less-header-support' of https://github.com/kurok/util-linux:
libsmartcols: move scols_table_calculate to SMARTCOLS_2.43 symbol version
libsmartcols: document scols_table_calculate() constraints
libsmartcols: fix Since tag for scols_table_calculate()
build: link test_pager against lib_common in meson too
build: link test_pager against libcommon
pager: use ul_strfconcat() instead of fixed-size buffer
pager: support --header 0,M for column-only freezing
pager: address review feedback for less --header support
libsmartcols: add scols_table_calculate to docs sections
libsmartcols: add scols_table_calculate(), pager: add less --header support
Karel Zak [Tue, 31 Mar 2026 08:27:57 +0000 (10:27 +0200)]
Merge branch 'prlimit_pidino_support' of https://github.com/cgoesche/util-linux-fork
* 'prlimit_pidino_support' of https://github.com/cgoesche/util-linux-fork:
tests: (prlimit) add pid:ino address format test
prlimit: support 'PID:inode' process address format
Leonid Znamenok [Mon, 30 Mar 2026 20:33:46 +0000 (00:33 +0400)]
fincore: (tests) fix tmpfs detection for out-of-tree builds
The tmpfs check used $PWD which points to the source directory, not
to the output directory where test files are actually created. When
tests are run with --builddir on tmpfs (e.g. /tmp), the check fails
to detect it and the test produces wrong results because O_DIRECT
has no effect on tmpfs.
Use $TS_OUTDIR instead, which is the actual directory where dd
creates test files and fincore inspects them.
When setting the effective user fails the code prints a
misleading error message stating that 'group' privileges
could not be dropped, but it should state 'user' instead.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
The variable name 'match' naturally implies a binary
state e.g. true or false and is not appropriate for
the indexing of a string literal, it is better to
avoid this ambiguity and use a name that properly
conveys its purpose, in this case 'idx' is a better
choice.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
This patch improves the coding style in various places for
better readability, semantic clarity and alignment with
common best practices.
Changes include the transposition of a variable assignment
in a conditional statement to its own line for better
readability, the removal of defensive programming techniques
like 'yoda conditions' where constants are specified on the
left of variables, which reduce natural readability and are
not necessary as erroneous variable assignments will be
indicated by the compiler anyways. Lastly, the 'u' suffix is
extraneous for variable assignments to 'match' as it is a size_t.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Clarify when mount IDs are available depending on how the mount table
was populated (mountinfo parsing vs listmount/statmount). Document
that mnt_fs_get_uniq_id() returns 0 for mountinfo-parsed tables and
point users to mnt_id_from_path() as the statx-based alternative.
Karel Zak [Tue, 24 Mar 2026 10:28:40 +0000 (11:28 +0100)]
tools: git-version-next fix -devel tag and rename variables
Fix UL_LAST_FINAL_RELEASE to not match -devel tags by using a
positive match for final release formats (vX.Y or vX.Y.Z) instead
of only excluding -rc suffixes.
Karel Zak [Thu, 19 Mar 2026 19:53:41 +0000 (20:53 +0100)]
liblastlog2: generate lastlog2.h from template
Convert lastlog2.h to lastlog2.h.in and add LIBLASTLOG2_VERSION,
LIBLASTLOG2_MAJOR_VERSION, LIBLASTLOG2_MINOR_VERSION, and
LIBLASTLOG2_PATCH_VERSION defines to follow the same pattern as
libmount, libfdisk, libsmartcols, and libblkid.
Update both autotools (configure.ac, Makemodule.am) and meson
(liblastlog2/meson.build) to generate the header.
Karel Zak [Thu, 19 Mar 2026 13:20:40 +0000 (14:20 +0100)]
libblkid: add LIBBLKID_VERSION to blkid.h, remove redundant config.h versions
Add LIBBLKID_VERSION, LIBBLKID_MAJOR_VERSION, LIBBLKID_MINOR_VERSION,
and LIBBLKID_PATCH_VERSION to blkid.h.in to follow the same pattern as
libmount, libfdisk, and libsmartcols. Keep BLKID_VERSION and BLKID_DATE
as backward-compatible aliases.
Remove redundant AC_DEFINE for library version strings from configure.ac
(LIBMOUNT_VERSION, LIBSMARTCOLS_VERSION, LIBFDISK_VERSION,
LIBLASTLOG2_VERSION). These were duplicated in config.h when the library
public headers already define them via .h.in templates.
Remove LIBBLKID_VERSION and LIBBLKID_DATE from meson config.h for the
same reason.
Karel Zak [Thu, 19 Mar 2026 12:44:16 +0000 (13:44 +0100)]
meson: add hwclock-gplv3 option
Add the missing hwclock-gplv3 option (default: true) to match
autotools --disable-hwclock-gplv3. Without the USE_HWCLOCK_GPLv3_DATETIME
define, meson builds used the minimalistic GPLv2 date parser even though
the GPLv3 parse-date.y was always compiled and linked.
Karel Zak [Thu, 19 Mar 2026 12:41:56 +0000 (13:41 +0100)]
meson: add login-stat-mail option
Add the missing login-stat-mail option (default: false) to match
autotools --enable-login-stat-mail. When enabled, login will stat()
the mailbox to check for new mail.
Karel Zak [Thu, 19 Mar 2026 12:39:52 +0000 (13:39 +0100)]
meson: add check for security_get_initial_context()
The mount command uses HAVE_SECURITY_GET_INITIAL_CONTEXT to enable
SELinux context warnings. This check was missing in meson, leaving
that code path dead in meson builds.
Autotools checks for this function in configure.ac since it may be
missing in old libselinux 1.xx versions.
Karel Zak [Thu, 19 Mar 2026 12:30:22 +0000 (13:30 +0100)]
meson: remove unused HAVE_NCURSES config define
No source code uses HAVE_NCURSES (without _W or _H suffix).
In autotools it only exists as an AM_CONDITIONAL for Makefile logic,
not as a config.h define.
Karel Zak [Thu, 19 Mar 2026 12:21:31 +0000 (13:21 +0100)]
meson: fix plymouth support macro name
The source code (agetty.c, sulogin.c) checks for USE_PLYMOUTH_SUPPORT,
but meson defined ENABLE_PLYMOUTH_SUPPORT, silently disabling plymouth
support in meson builds.
Rename to USE_PLYMOUTH_SUPPORT to match autotools and source code.