From 94355e4718a788c5f2d97f1d9da34cbcd2c74b03 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Fri, 13 Jul 2012 17:07:11 +0200
Subject: [PATCH] unix: fix format string vulnerability in freebsd.c

uv_set_process_title() was susceptible to a format string vulnerability:

  $ node -e 'process.title = Array(42).join("%s")'
  Segmentation fault: 11 (core dumped)

The fix is trivial - call setproctitle("%s", s) instead of setproctitle(s) -
but valgrind complains loudly about reads from and writes to uninitialized
memory in libc. It's not a libuv bug because the test case below triggers the
same warnings:

  #include <sys/types.h>
  #include <unistd.h>

  int main(void)
  {
    setproctitle("%s", "test");
    return 0;
  }

That's why this commit replaces setproctitle() with sysctl(KERN_PROC_ARGS).

This commit reapplies commit a9f6f06, which got reverted in 69a6afe. The revert
turned out to be unnecessary.
---
 src/unix/freebsd.c        | 16 +++++++++++++++-
 test/test-process-title.c | 13 ++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/unix/freebsd.c b/src/unix/freebsd.c
index f6f441ff..be8006c5 100644
--- a/src/unix/freebsd.c
+++ b/src/unix/freebsd.c
@@ -139,9 +139,23 @@ char** uv_setup_args(int argc, char** argv) {
 
 
 uv_err_t uv_set_process_title(const char* title) {
+  int oid[4];
+
   if (process_title) free(process_title);
   process_title = strdup(title);
-  setproctitle(title);
+
+  oid[0] = CTL_KERN;
+  oid[1] = KERN_PROC;
+  oid[2] = KERN_PROC_ARGS;
+  oid[3] = getpid();
+
+  sysctl(oid,
+         ARRAY_SIZE(oid),
+         NULL,
+         NULL,
+         process_title,
+         strlen(process_title) + 1);
+
   return uv_ok_;
 }
 
diff --git a/test/test-process-title.c b/test/test-process-title.c
index 59fceda3..13d9dddf 100644
--- a/test/test-process-title.c
+++ b/test/test-process-title.c
@@ -23,20 +23,27 @@
 #include "task.h"
 #include <string.h>
 
-TEST_IMPL(process_title) {
+
+static void set_title(const char* title) {
   char buffer[512];
   uv_err_t err;
 
   err = uv_get_process_title(buffer, sizeof(buffer));
   ASSERT(UV_OK == err.code);
 
-  err = uv_set_process_title("new title");
+  err = uv_set_process_title(title);
   ASSERT(UV_OK == err.code);
 
   err = uv_get_process_title(buffer, sizeof(buffer));
   ASSERT(UV_OK == err.code);
 
-  ASSERT(strcmp(buffer, "new title") == 0);
+  ASSERT(strcmp(buffer, title) == 0);
+}
 
+
+TEST_IMPL(process_title) {
+  /* Check for format string vulnerabilities. */
+  set_title("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
+  set_title("new title");
   return 0;
 }