[Linux] /proc/pid/stat parsing bugs

[Dmitry Vyukov <dvyukov () google com>]

Hello,

This is not a single vulnerability, the list of affected software is
large, but it's not a security issue for all of it.

It occurred to me that most of the Linux procfs /proc/pid/stat and
/proc/pid/task/tid/stat parsing code out there is buggy. The fine
contains a set of numbers about the task:
https://man7.org/linux/man-pages/man5/proc.5.html

e.g. $ cat /proc/self/stat
1715376 (cat) R 1544883 1715376 1544883 34819 1715376 4194304 106 0 0
0 0 0 0 0 20 0 1 0 42505561 9207808 237 18446744073709551615
93955355631616 93955355651497 140737444557056 0 0 0 0 0 0 0 0 0 17 36
0 0 0 0 0 93955355667504 93955355669120 93955385581568 140737444559745
140737444559765 140737444559765 140737444564971 0

Most of the code splits it by space and takes an N-th field.
The problem is that the process name "(cat)" can contain spaces (and
brackets). Potentially some important software (containers/sandboxes)
can be tricked into getting wrong data, and I've seen cases close to
stack overflows (buffer for a fixed number of fields is allocated on
stack).

Some examples:
OpenJDK:
https://sourcegraph.com/github.com/openjdk/jdk/-/blob/src/jdk.management/unix/native/libmanagement_ext/OperatingSystemImpl.c?L133-139
https://sourcegraph.com/github.com/openjdk/jdk8u/-/blob/jdk/src/solaris/native/sun/management/OperatingSystemImpl.c?L223-229

Ansible:
https://sourcegraph.com/github.com/ansible/ansible/-/blob/lib/ansible/modules/yum.py?L507-510

Libuv:
https://sourcegraph.com/github.com/libuv/libuv/-/blob/src/unix/linux.c?L674-701

bdwgc:
https://sourcegraph.com/github.com/mono/linux-packaging-mono/-/blob/external/bdwgc/os_dep.c?L1138-1155

But really most of the code that does it:
https://sourcegraph.com/search?q=context:global+/%5C%22%5C/proc%5C/.*%5C/stat%5C%22/

The only way to parse it is to do strrchr(')') first (fortunately it
contains just one unescaped string).

Thanks