lib: (pidutils.c) allow zero and negative numbers for PIDs
kill(1) and kill(2) man pages clearly state that 0 and negative
numbers can be used. Therefore let us adapt the internal helper
function ul_parse_pid_str() to permit this value range, as the
previous behavior regressed the kill(1) PID parsing behavior.
The uncommon value range can be controlled with two new flags
UL_PID_ZERO and UL_PID_NEGATIVE, ORed together they will allow
0 and negative values down to INT_MIN. Otherwise they can be
passed individually to only allow either. If 0 is passed only
1 up to INT_MAX values are allowed.
Closes: #4194
Closes: #4195
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
libblkid: Ignore secondary LUKS2 header in blkid_do_safeprobe()
The secondary LUKS2 header can match file data content on other
filesystems (e.g. an image file of a LUKS2 device stored on XFS whose
data blocks happen to land at device offsets where blkid looks for the
secondary LUKS2 header). This causes blkid to report a crypto_LUKS
superblock instead of the real filesystem.
Add a new flag BLKID_PROBE_FL_SAFEPROBE and skip scanning for the
secondary LUKS2 header in blkid_do_safeprobe(). The secondary LUKS2
header is only important for wipefs which uses a promiscuous probe.
Fixes: #4170
Fixes: 8bee1a2
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
--
v2: Fix conflict with BLKID_FL_TINY_DEV flag
v3: Use pr->prob_flags instead of pr->flags
v4: Use original mask again as the use of prob_flags resolves the conflict
If PAM_REINITIALIZE_CRED fails at this point, PAM_ESTABLISH_CRED
succeeded before. Clean up credentials with PAM_DELETE_CRED in this case
just to be sure.
The CI fails the kill/name_to_number test when SIGRTMAX-0 (64)
is checked for s390x packaging. Although SIGRTMAX is a valid
signal number, kill(2) still returns EINVAL. This seems to be
related to the fact that QEMU reserves a signal number from
the high real-time signal range for internal usage, which
limits the maximum real-time signal number range.
We already check for the QEMU_USER environment variable, let us
also check if the QEMU emulator is mapped in memory for PID 1
to get more reliable information. In addition to that let's skip
RTMAX checks on s390x and QEMU emulated environments.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 7 Apr 2026 18:59:42 +0000 (20:59 +0200)]
Merge branch 'PR/script-fix-arg-permutation' of https://github.com/karelzak/util-linux-work
* 'PR/script-fix-arg-permutation' of https://github.com/karelzak/util-linux-work:
script: fix command and command_norm memory leaks
script: fix backward compatibility for options after non-option args
No known systems exist which use agetty and are neither Linux, GNU,
nor FreeBSD. Even MinGW/MSYS use syslog.
Alternative systems which could use the fallback do not build agetty,
e.g. OpenIndiana or other such systems.
This gets rid of a bug in custom /dev/console code in which the
formatter could be modified by a link to agetty containing more
printf modifiers in its name.
Since chroot only changes the root directory but not current working
directory, change the current working directory as well. This rebases
all possible future relative paths into the chroot environment as well.
Karel Zak [Tue, 7 Apr 2026 16:04:30 +0000 (18:04 +0200)]
Merge branch 'PR/libmount-btrfs-raid-mounted' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-btrfs-raid-mounted' of https://github.com/karelzak/util-linux-work:
tests: add btrfs RAID is-mounted test for libmount
libmount: return btrfs rootfs from get_btrfs_fs_root()
libmount: use match_source for mountinfo comparison
The file-existing subtest fails on platforms with large native page
sizes (e.g. 64 KiB on aarch64) because the 40 KiB swap image is
too small. Add -p 4096 to match the other subtests.
Karel Zak [Tue, 7 Apr 2026 13:25:17 +0000 (15:25 +0200)]
script: fix command and command_norm memory leaks
Always own ctl.command by using xstrdup() for the -c optarg path
(the -- path already allocates via ul_strv_join), and free both
ctl.command and ctl.command_norm at exit.
Karel Zak [Tue, 7 Apr 2026 13:20:04 +0000 (15:20 +0200)]
script: fix backward compatibility for options after non-option args
The commit 7268e79b added "+" to the getopt_long() options string to
support the "--" separator for specifying commands. The "+" prefix
makes getopt stop processing at the first non-option argument, which
breaks the traditional "script file -c command" usage.
Fix this by pre-scanning argv for "--" before getopt, separating the
command arguments, and removing the "+" prefix to restore GNU getopt
argument permutation.
bits: prevent unsigned integer underflow and long-lived loop
If 0 is allowed for --width it will culminate to a wraparound
due to an unsigned integer underflow when a size_t for-loop
control variable, namely 'n', is set up. n is the result of
cpuset_nbits(size) - 1, where size is set by cpuset_alloc()
which was called with 0 (width) for the @ncpus parameter that
will make it so that @size remains 0 as the calculated memory
allocation size yields zero as well. Therefore the sum for 'n'
will be -1 that wraps around to UINT_MAX and ends up creating a
long-lived for loop.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Adding sys/mount.h, sys/vfs.h, and related includes to statfs_magic.h
caused build failures on older systems (e.g., Ubuntu) due to a
collision between sys/mount.h and linux/fs.h -- both define MS_RDONLY,
the first as an enum and the second as a macro.
The previous fix (guarding sys/mount.h with !defined(MS_RDONLY)) was
insufficient because on some systems linux/fs.h itself chains into
sys/mount.h, making the guard unreachable.
The correct approach is to keep statfs_magic.h minimal (only magic
numbers and sys/statfs.h) and let callers include the necessary
struct statfs headers. Currently, all callers of statfs_magic.h are
Linux-only (libmount requires sys/vfs.h, hardlink's USE_REFLINK
requires HAVE_LINUX_FIEMAP_H), so the Darwin-specific sys/mount.h
include is unreachable anyway.
Sorry for the mess, and sorry I had not used a PR for this.
Fixes: 1af964d935 ("include/statfs_magic.h: add portable struct statfs headers for Darwin")
Fixes: 5f66e252c1 ("include/statfs_magic.h: avoid sys/mount.h and linux/fs.h collision")
Signed-off-by: Karel Zak <kzak@redhat.com>
lib: (cpuset.c) don't calculate allocation size for 0 ncpus
If ncpus is not checked against the value 0, subsequent macros
CPU_ALLOC_SIZE and cpuset_nbits() will return garbage (0), which
can cause issues when memory has to be allocated or initialized
in callers where the size is assumed to be > 0. So let us return
NULL for 0 ncpus.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 7 Apr 2026 13:34:13 +0000 (15:34 +0200)]
include/statfs_magic.h: avoid sys/mount.h and linux/fs.h collision
Guard the sys/mount.h include with !defined(MS_RDONLY) to prevent
redefinition errors when linux/fs.h has already been included (e.g.,
in fstrim.c). This follows the same pattern used in libmount.h.in.
Fixes: 1af964d935 ("include/statfs_magic.h: add portable struct statfs headers for Darwin")
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 7 Apr 2026 12:46:06 +0000 (14:46 +0200)]
libcommon: move pidfd-utils.c to Linux-only sources
The pidfd-utils.c uses Linux-specific APIs (pidfd_open, statx, etc.)
and all its consumers are Linux-only tools. Move it under the LINUX
guard in both meson and autotools build systems.
Karel Zak [Tue, 7 Apr 2026 11:49:32 +0000 (13:49 +0200)]
Merge branch 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork
* 'chrt_elaborate_on_sched_ext_policy' of https://github.com/cgoesche/util-linux-fork:
chrt: (man) explain which kernel config options are needed for SCHED_EXT
Karel Zak [Tue, 7 Apr 2026 11:49:02 +0000 (13:49 +0200)]
write, mesg: add S_ISCHR() check for terminal device paths
Verify that the target path is a character device before proceeding.
This hardens both utilities against symlink-to-regular-file attacks
as a defense-in-depth measure.
Note that the TOCTOU race condition between stat() and freopen()/open()
is only theoretical -- on modern Linux systems /dev/pts/ is a
kernel-managed devpts filesystem where unprivileged users cannot create
or replace entries, and the setgid tty privilege only grants write
access to terminal devices, not to arbitrary files.
Johannes Wüller [Sat, 4 Apr 2026 18:03:06 +0000 (20:03 +0200)]
mkswap: Fix --file chmod(2) check when file exists
The documentation claims that `--size` will resize the `--file`, but
it ends up failing like this:
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=1523588e-412a-4f25-8fac-aeaf638101aa
# mkswap --file /swapfile --size 4G
mkswap: cannot set permissions on swap file /swapfile: Success
There seems to have been a typo in the chmod(2) return value comparison.
It checked for `< 9` rather than `< 0`, which would usually indicate
failure. After the fix:
# mkswap --file /swapfile --size 4G
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=6be7c450-761c-442d-8d9a-3e8cd93506b5
# mkswap --file /swapfile --size 4G
mkswap: /swapfile: warning: wiping old swap signature.
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=617a793e-84b1-471d-96c5-c099f8b157db
The operation no longer fails, as validated by the added test.
chrt: (man) explain which kernel config options are needed for SCHED_EXT
On systems running kernel version 6.12+ it is still possible
that the syscall to set SCHED_EXT fails with EINVAL; this can
happen when certain kernel configuration options have not been
set. The list of required options can be found here:
https://docs.kernel.org/scheduler/sched-ext.html#switching-to-and-from-sched-ext
Let's document this in the man page to give users a heads up.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
The maximum amount of records to print can be specified in two different
ways: Either with -n/--limit or by specifying the number as argument,
i.e. -number.
The current parser does not check for possible overflow with -number
arguments and mixes -number arguments with -n arguments.
Properly split these two notations and use strtou32_or_err for overflow
checks.
Reset the child pid only after comparison with waitpid result.
Currently, this leads to returning -1 or 1, which ultimately leads
to exit code 1 in case of a SIGPIPE. This is the behavior as of 2.41,
which means that no regression between releases occurred. Yet, fix it
nonetheless.
If a UID/GID is larger than its respective data type allows (but smaller
than uint64_t), then tools like newgrp erroneously assume that the user
or group simply does not exist.
Set errno to indicate that the supplied UID/GID is out of range instead.
bash-completion: complete relative path for filenames as well
Commit 1a76e3e only helped with the completion of directory
names for relative paths. Let us complete filenames too for
completeness (no pun intended).
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Wed, 25 Mar 2026 10:54:42 +0000 (11:54 +0100)]
libfdisk: dos: validate EBR link within extended partition bounds
The read_extended() function follows EBR chain links without checking
that the target offset falls within the master extended partition.
A malformed EBR link can point outside the extended area.
Add a bounds check before read_pte() to stop the chain walk when the
next EBR offset is outside [ext_start, ext_end]. This is self-defense
during parsing; it does not restrict what the user can create.
Karel Zak [Wed, 25 Mar 2026 10:54:28 +0000 (11:54 +0100)]
libblkid: dos: validate EBR data and links within extended partition
The parse_dos_extended() function processes EBR (Extended Boot Record)
chains, but does not properly validate that partitions and links stay
within the master extended partition area [ex_start, ex_start+ex_size).
For EBR data partitions at index 0 and 1, there are no bounds checks
at all, unlike entries at index 2 and 3. This allows a crafted disk
image to register partitions at arbitrary sectors via uint32_t overflow
in the abs_start calculation (cur_start + start wraps to a small value).
Fix by:
- using 64-bit arithmetic for the abs_start calculation to avoid
uint32_t wraparound
- applying the extended partition area bounds check to all EBR data
entries, not just index >= 2
- validating EBR link targets stay within the extended area and
advance forward (preventing backward links that could loop)
Reported-by: Michele Piccinni <piccinni.michele@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
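The two EBR fixes above (libfdisk read_extended() and libblkid parse_dos_extended()), sketched as an added example that is not util-linux code: the 32-bit abs_start sum next to a chain walker that uses 64-bit arithmetic, bounds-checks every data entry and only accepts forward links inside the extended area. The struct layout, the sample disks and the choice to reject the whole chain on the first violation are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified EBR record (constructed model, not libblkid's struct). */
struct ebr {
    uint32_t sector;      /* where this EBR sits on the sample disk */
    uint32_t data_start;  /* data partition start, relative to this EBR */
    uint32_t data_size;   /* data partition size in sectors, 0 = unused */
    uint32_t link;        /* next EBR relative to ex_start, 0 = end of chain */
};

/* Constructed sample chains; the extended area is [1000, 11000). */
const struct ebr good_disk[] = { {1000, 63, 2000, 3000}, {4000, 63, 2000, 0} };
const struct ebr wrap_disk[] = { {1000, 63, 2000, 3000}, {4000, 0xFFFFF800u, 100, 0} };
const struct ebr loop_disk[] = { {1000, 63, 2000, 3000}, {4000, 63, 2000, 3000} };

/* "Before": the 32-bit sum wraps, so a huge offset lands on a small sector. */
uint32_t abs_start_wrapping(uint32_t cur_start, uint32_t start) { return cur_start + start; }

/* "After": returns the number of data partitions, or -1 if the chain is rejected. */
int walk_ebr_chain(const struct ebr *disk, size_t n, uint32_t ex_start, uint32_t ex_size)
{
    uint64_t cur = ex_start, end = (uint64_t)ex_start + ex_size;
    int found = 0;

    for (;;) {
        const struct ebr *e = NULL;
        for (size_t i = 0; i < n && !e; i++)
            if (disk[i].sector == cur)
                e = &disk[i];
        if (!e)
            return -1;                      /* no EBR at the link target */
        if (e->data_size) {
            uint64_t abs = cur + e->data_start;      /* 64-bit: cannot wrap */
            if (abs < ex_start || abs + e->data_size > end)
                return -1;                  /* data outside the extended area */
            found++;
        }
        if (!e->link)
            return found;
        uint64_t next = (uint64_t)ex_start + e->link;
        if (next >= end || next <= cur)
            return -1;                      /* link leaves the area or goes backward */
        cur = next;
    }
}

int main(void) { return walk_ebr_chain(good_disk, 2, 1000, 10000) == 2 ? 0 : 1; }
```

In wrap_disk the wrapped 32-bit sum is sector 1952, which lies inside the extended area, so a bounds check applied to the 32-bit value would have accepted it.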
Karel Zak [Thu, 19 Feb 2026 12:59:46 +0000 (13:59 +0100)]
loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that
prevents symlink following in both path canonicalization and file open.
When set:
- loopcxt_set_backing_file() uses strdup() instead of
ul_canonicalize_path() (which calls realpath() and follows symlinks)
- loopcxt_setup_device() adds O_NOFOLLOW to open() flags
The flag is set for non-root (restricted) mount operations in
libmount's loop device hook. This prevents a TOCTOU race condition
where an attacker could replace the backing file (specified in
/etc/fstab) with a symlink to an arbitrary root-owned file between
path resolution and open().
Vulnerable Code Flow:
  mount /mnt/point (non-root, SUID)
    mount.c: sanitize_paths() on user args (mountpoint only)
    mnt_context_mount()
      mnt_context_prepare_mount()
        mnt_context_apply_fstab()    <-- source path from fstab
        hooks run at MNT_STAGE_PREP_SOURCE
          hook_loopdev.c: setup_loopdev()
            backing_file = fstab source path ("/home/user/disk.img")
            loopcxt_set_backing_file()    <-- calls realpath() as ROOT
              ul_canonicalize_path()    <-- follows symlinks!
            loopcxt_setup_device()
              open(lc->filename, O_RDWR|O_CLOEXEC)    <-- no O_NOFOLLOW
Two vulnerabilities in the path:
1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses
realpath() -- this follows symlinks as euid=0. If the attacker swaps
the file to a symlink before this call, lc->filename becomes the
resolved target path (e.g., /root/secret.img).
2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even
if canonicalization happened correctly, the file can be swapped to a
symlink between canonicalize and open.
Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
Signed-off-by: Karel Zak <kzak@redhat.com>
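The effect of the O_NOFOLLOW change described in the loopdev commit above, as an added example that is not util-linux code: the same open() flags with and without O_NOFOLLOW, run against a backing path that has been replaced by a symlink. The helper names, the temporary directory and the file names are hypothetical and constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not loopcxt_setup_device() itself): open the backing
 * file, optionally refusing a symlink as the final path component. */
int open_backing(const char *path, int nofollow)
{
    int flags = O_RDWR | O_CLOEXEC;
    if (nofollow)
        flags |= O_NOFOLLOW;
    return open(path, flags);
}

/* Constructed scenario: <tmpdir>/disk.img is a symlink to <tmpdir>/secret.img.
 * Returns 0 if the open succeeded, errno if it failed, -1 on setup error. */
int open_symlinked_image(int nofollow)
{
    char dir[] = "/tmp/nofollow-XXXXXX", target[64], lnk[64];
    int fd, img, result = -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof(target), "%s/secret.img", dir);
    snprintf(lnk, sizeof(lnk), "%s/disk.img", dir);
    fd = open(target, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
    if (fd >= 0 && symlink(target, lnk) == 0) {
        img = open_backing(lnk, nofollow);
        result = img < 0 ? errno : 0;
        if (img >= 0)
            close(img);
    }
    if (fd >= 0)
        close(fd);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("follow: %d, O_NOFOLLOW: %d (ELOOP is %d)\n", open_symlinked_image(0), open_symlinked_image(1), ELOOP);
    return 0;
}
```

O_NOFOLLOW only rejects a symlink in the final path component; symlinks in parent directories are still followed.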
Merge its functionality into ul_debug_prefix and use proper macros in
tools which still call it directly. This adjusts output, but makes it
actually more readable.
Merges debugobj.h into debug.c and increases flexibility in output:
Just like __UL_DBG any debug output function can be supplied.
Throughout the code, this is always ul_debug by today.
Karel Zak [Tue, 31 Mar 2026 10:10:28 +0000 (12:10 +0200)]
Merge branch 'less-header-support' of https://github.com/kurok/util-linux
* 'less-header-support' of https://github.com/kurok/util-linux:
libsmartcols: move scols_table_calculate to SMARTCOLS_2.43 symbol version
libsmartcols: document scols_table_calculate() constraints
libsmartcols: fix Since tag for scols_table_calculate()
build: link test_pager against lib_common in meson too
build: link test_pager against libcommon
pager: use ul_strfconcat() instead of fixed-size buffer
pager: support --header 0,M for column-only freezing
pager: address review feedback for less --header support
libsmartcols: add scols_table_calculate to docs sections
libsmartcols: add scols_table_calculate(), pager: add less --header support