https://github.com/osquery/osquery logo
Powered by
#macos
Title
# macos
a

Andrea

08/02/2022, 11:54 AM
Hi everyone, I am running in a crash when using 
proc_pidpath
from 
libproc.h
to get the path of the process from the pid. The code is pretty standard :
Copy code
char path[PROC_PIDPATHINFO_MAXSIZE] = {0};
int bufsize = proc_pidpath(pid, path, sizeof(path));
if(bufsize > 0)
   return std::string(path);
return {};
Also osquery already uses it so it should work fine. Am I missing something? Anybody experienced the same ?
s

sharvil

08/02/2022, 12:40 PM
Can you share the stacktrace?
And what macOS version are you on?
a

Andrea

08/02/2022, 1:22 PM
Copy code
ProductName:    macOS
ProductVersion: 12.1
BuildVersion:   21C52
Everything I can get is this:
Copy code
Process 6936 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x7ff7bf6ffff8)
    frame #0: 0x0000000100025615 processinfo-test`std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 47
processinfo-test`std::__1::__put_character_sequence<char, std::__1::char_traits<char> >:
->  0x100025615 <+47>: callq  0x10002c558               ; symbol stub for: std::__1::basic_ostream<char, std::__1::char_traits<char> >::sentry::sentry(std::__1::basic_ostream<char, std::__1::char_traits<char> >&)
    0x10002561a <+52>: cmpb   $0x0, -0x40(%rbp)
    0x10002561e <+56>: je     0x1000256a8               ; <+194>
    0x100025624 <+62>: movq   (%r14), %rax
s

sharvil

08/02/2022, 1:26 PM
can you try replacing 
PROC_PIDPATHINFO_MAXSIZE
with something like 
4096
in the char array and try again? I think 
PROC_PIDPATHINFO_MAXSIZE
doesn't come from libproc.h header, it might be coming from somewhere else
Just tried it locally, PROC_PIDPATHINFO_MAXSIZE does get include, and is defined as 4*PATHMAX -- is it crashing on a particularly long path?
Copy code
➜  pidpath clang++ pidpath.cpp -o pidpath

➜  pidpath ./pidpath 1
proc 1: /sbin/launchd
➜  pidpath ./pidpath 350
proc 350: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
➜  pidpath ./pidpath 69115
proc 69115: /Applications/Microsoft <http://Excel.app/Contents/MacOS/Microsoft|Excel.app/Contents/MacOS/Microsoft> Excel
➜  pidpath ./pidpath 59177
proc 59177: /Applications/Google <http://Chrome.app/Contents/Frameworks/Google|Chrome.app/Contents/Frameworks/Google> Chrome Framework.framework/Versions/103.0.5060.134/Helpers/Google Chrome Helper (GPU).app/Contents/MacOS/Google Chrome Helper (GPU)
➜  pidpath
a

Andrea

08/02/2022, 1:39 PM
I have tried with the numeric value too. same crash. 🤔
let me check the length of the path..
s

sharvil

08/02/2022, 1:44 PM
What's the locale on the machine? Does the path have any non-ascii characters? Perhaps something like that..?
a

Andrea

08/02/2022, 1:45 PM
the path is definitely under 4096 and definitely ASCII
s

sharvil

08/02/2022, 1:52 PM
weird..not sure, since this works locally for me..probably attach a debugger?
a

Andrea

08/02/2022, 1:56 PM
the simplest example works here too :
Copy code
andrea@andrea-macbook ~ % ./pidpath 543
proc 543: /Applications/Google <http://Chrome.app/Contents/Frameworks/Google|Chrome.app/Contents/Frameworks/Google> Chrome Framework.framework/Versions/103.0.5060.134/Helpers/chrome_crashpad_handler %                                      
andrea@andrea-macbook ~ % ./pidpath 883
proc 883: /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler %
lol
I am speechless now
s

sharvil

08/02/2022, 1:59 PM
Is this code part of an osquery extension? I wonder if codesign or something comes into play
Anything in the 
<http://Console.app|Console.app>
/ Crash Report? 
EXC_BAD_ACCESS, code=2
seems to imply 
KERN_PROTECTION_FAILURE
which could be permissions related
a

Andrea

08/02/2022, 2:04 PM
I thought about it too but I find out because the app, signed and notarised was crashing 😕
s

sharvil

08/02/2022, 2:05 PM
I thought about it too but I find out because the app, signed and notarised was crashing
Which app? Is the crash happening in osquery?
a

Andrea

08/02/2022, 2:13 PM
no no don't worry. it's not osquery
s

sharvil

08/02/2022, 2:17 PM
ah..still quite an interesting crash though..the only other thing I can think of is when a 
pid
doesn’t have a path in the filesystem (kinda zombie like process), but that’s far fetched
a

Andrea

08/02/2022, 2:24 PM
so apparently the function was written as part of a Objective C file (.mm).. so defining the function in that context was creating some issues
moved the function in a c++ file and it works fine
s

sharvil

08/02/2022, 2:26 PM
Ah, I guess ARC may not play that nicely..I am sure there is a way to guard/retain that memory
a

Andrea

08/02/2022, 2:30 PM
not sure what ARC is but I ll have a look. Anyway, thank you for your help!! very appreciated!
s

sharvil

08/02/2022, 2:32 PM
cool, no problem — arc is the reference counting in Objective-C
a

Andrea

08/02/2022, 2:35 PM
ahh ok
Powered by