Your message dated Sun, 18 May 2008 12:34:23 +1200
with message-id <[EMAIL PROTECTED]>
has caused the report #481578,
regarding unhide: Ignoring SIGCHLD gives tons of false positives
to be marked as having been forwarded to the upstream software
author(s) [EMAIL PROTECTED]

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
481578: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481578
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Hello Yago,

Here's a problem that a Debian user has encountered with unhide reporting
too many hidden processes.

He attached a simple patch for it and it looks reasonable to me. Can you see
anything wrong with it? Is there any reason why I should avoid making that
change?

You will find the patch and the strace output attached to this email.

Cheers,
Francois

----- Forwarded message from Johan Walles <[EMAIL PROTECTED]> -----

"unhide sys" works like this:
* Do a syscall on a PID.
* If that PID exists:
 * Launch ps using popen()
 * Verify that the PID is listed
 * Close the popen()ed stream with pclose()
 * pclose() implicitly calls wait() to make sure the ps process has finished.

However, since the main() function does signal(SIGCHLD, SIG_IGN), the wait()
call will just return ECHILD, regardless of whether ps has finished or not.

Then, the next syscall finds the ps process that is still alive.  But before
launching the next ps process, the previous one dies.  And we have a hidden
process!

Since this is a race, it behaves erratically, but I sometimes get a list of
over 20 hidden processes this way.  This got much more obvious after
upgrading from 2.6.22 to 2.6.24.

  Regards //Johan

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

----- End forwarded message -----
diff -ur unhide-20071102.orig/unhide-linux26.c unhide-20071102/unhide-linux26.c
--- unhide-20071102.orig/unhide-linux26.c	2007-11-12 22:23:39.000000000 +0100
+++ unhide-20071102/unhide-linux26.c	2008-05-17 09:53:11.000000000 +0200
@@ -466,8 +466,6 @@
 int main (int argc, char *argv[]) {
 	
 	
-	signal(SIGCHLD, SIG_IGN);
-	
 	printf ("Unhide 02-11-2007 \n") ;
 	printf ("[EMAIL PROTECTED]") ;
 	
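Review bot: the removal at the top of main() leaves nothing behind to say why SIGCHLD has to keep its default disposition, so the call could easily be reintroduced later. A one-line comment there would help, noting that pclose() must be able to wait() for ps and that SIG_IGN makes that wait fail with ECHILD. It is also worth confirming that every other child the program starts is reaped through pclose() or wait(): with SIG_IGN gone, terminated children are no longer discarded automatically and stay as zombies until they are waited for or unhide exits.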
Search for "= 3180".  That will get you to the clone() call launching ps:

clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x80ca878) = 3180

Note the result of the wait() call following it:

waitpid(3180, 0xbf982e08, 0)            = -1 ECHILD (No child processes)

That's because SIGCHLD is being ignored.

Later, we find the ps process we just launched, and warn about it.
Note that 0xc6c == 3180:

getpgid(0xc6c)                          = 2179
...
write(1, "Found HIDDEN PID: 3180\n", 23) = 23

Not ignoring SIGCHLD (see patch attached previously) fixes this.

 Regards //Johan

--- End Message ---
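The pclose() failure seen in the strace output above, reproduced in isolation. This is an added example, not code from unhide or from the messages in this thread; the function name popen_status and the command "exit 3" are assumptions chosen for the demonstration, and the behaviour shown is that of Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>

/* Hypothetical helper: run cmd through popen()/pclose() while SIGCHLD has
 * the given disposition. Returns the child's exit code when pclose() could
 * reap it (128 + signal number if it was killed), or -errno when popen()
 * or pclose() failed. The previous disposition is restored before return. */
int popen_status(void (*disposition)(int), const char *cmd)
{
    void (*old)(int) = signal(SIGCHLD, disposition);
    char buf[128];
    int result;

    FILE *fp = popen(cmd, "r");
    if (fp == NULL) {
        result = -errno;
    } else {
        while (fgets(buf, sizeof buf, fp) != NULL)
            ;                       /* drain the child's output */
        errno = 0;
        int status = pclose(fp);    /* calls waitpid() on the child */
        if (status == -1)
            result = -errno;        /* ECHILD when SIGCHLD is ignored */
        else if (WIFEXITED(status))
            result = WEXITSTATUS(status);
        else
            result = 128 + WTERMSIG(status);
    }
    signal(SIGCHLD, old);
    return result;
}

int main(void)
{
    /* Default disposition: the child is reaped, its exit code is visible. */
    printf("SIG_DFL: %d\n", popen_status(SIG_DFL, "exit 3"));
    /* Ignored SIGCHLD: the kernel discards the child, pclose() cannot
     * collect it, and the caller learns nothing about how it ended. */
    printf("SIG_IGN: %d (-ECHILD is %d)\n",
           popen_status(SIG_IGN, "exit 3"), -ECHILD);
    return 0;
}
```

A scanner that relies on pclose() to know its helper has been collected should treat a return of -1 as an error rather than discarding it.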
