Hi everyone I am running in a crash when using `proc pidpath osquery #macos

Hi everyone, I am running in a crash when using `p...

Andrea

08/02/2022, 11:54 AM

Hi everyone, I am running in a crash when using

proc_pidpath

from

libproc.h

to get the path of the process from the pid. The code is pretty standard :

Copy code

char path[PROC_PIDPATHINFO_MAXSIZE] = {0};
int bufsize = proc_pidpath(pid, path, sizeof(path));
if(bufsize > 0)
   return std::string(path);
return {};

Also osquery already uses it so it should work fine. Am I missing something? Anybody experienced the same ?

sharvil

08/02/2022, 12:40 PM

Can you share the stacktrace?

sharvil

08/02/2022, 12:42 PM

And what macOS version are you on?

Andrea

08/02/2022, 1:22 PM

Copy code

ProductName:    macOS
ProductVersion: 12.1
BuildVersion:   21C52

Everything I can get is this:

Copy code

Process 6936 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x7ff7bf6ffff8)
    frame #0: 0x0000000100025615 processinfo-test`std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) + 47
processinfo-test`std::__1::__put_character_sequence<char, std::__1::char_traits<char> >:
->  0x100025615 <+47>: callq  0x10002c558               ; symbol stub for: std::__1::basic_ostream<char, std::__1::char_traits<char> >::sentry::sentry(std::__1::basic_ostream<char, std::__1::char_traits<char> >&)
    0x10002561a <+52>: cmpb   $0x0, -0x40(%rbp)
    0x10002561e <+56>: je     0x1000256a8               ; <+194>
    0x100025624 <+62>: movq   (%r14), %rax

sharvil

08/02/2022, 1:26 PM

can you try replacing

PROC_PIDPATHINFO_MAXSIZE

with something like

in the char array and try again? I think

PROC_PIDPATHINFO_MAXSIZE

doesn't come from libproc.h header, it might be coming from somewhere else

sharvil

08/02/2022, 1:36 PM

Just tried it locally, PROC_PIDPATHINFO_MAXSIZE does get include, and is defined as 4*PATHMAX -- is it crashing on a particularly long path?

sharvil

08/02/2022, 1:37 PM

Copy code

➜  pidpath clang++ pidpath.cpp -o pidpath

➜  pidpath ./pidpath 1
proc 1: /sbin/launchd
➜  pidpath ./pidpath 350
proc 350: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
➜  pidpath ./pidpath 69115
proc 69115: /Applications/Microsoft <http://Excel.app/Contents/MacOS/Microsoft|Excel.app/Contents/MacOS/Microsoft> Excel
➜  pidpath ./pidpath 59177
proc 59177: /Applications/Google <http://Chrome.app/Contents/Frameworks/Google|Chrome.app/Contents/Frameworks/Google> Chrome Framework.framework/Versions/103.0.5060.134/Helpers/Google Chrome Helper (GPU).app/Contents/MacOS/Google Chrome Helper (GPU)
➜  pidpath

Andrea

08/02/2022, 1:39 PM

I have tried with the numeric value too. same crash. 🤔

Andrea

08/02/2022, 1:39 PM

let me check the length of the path..

sharvil

08/02/2022, 1:44 PM

What's the locale on the machine? Does the path have any non-ascii characters? Perhaps something like that..?

Andrea

08/02/2022, 1:45 PM

the path is definitely under 4096 and definitely ASCII

sharvil

08/02/2022, 1:52 PM

weird..not sure, since this works locally for me..probably attach a debugger?

Andrea

08/02/2022, 1:56 PM

the simplest example works here too :

Copy code

andrea@andrea-macbook ~ % ./pidpath 543
proc 543: /Applications/Google <http://Chrome.app/Contents/Frameworks/Google|Chrome.app/Contents/Frameworks/Google> Chrome Framework.framework/Versions/103.0.5060.134/Helpers/chrome_crashpad_handler %                                      
andrea@andrea-macbook ~ % ./pidpath 883
proc 883: /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler %

Andrea

08/02/2022, 1:56 PM

lol

Andrea

08/02/2022, 1:58 PM

I am speechless now

sharvil

08/02/2022, 1:59 PM

Is this code part of an osquery extension? I wonder if codesign or something comes into play

sharvil

08/02/2022, 2:00 PM

Anything in the

<http://Console.app|Console.app>

/ Crash Report?

EXC_BAD_ACCESS, code=2

seems to imply

KERN_PROTECTION_FAILURE

which could be permissions related

Andrea

08/02/2022, 2:04 PM

I thought about it too but I find out because the app, signed and notarised was crashing 😕

sharvil

08/02/2022, 2:05 PM

I thought about it too but I find out because the app, signed and notarised was crashing

Which app? Is the crash happening in osquery?

Andrea

08/02/2022, 2:13 PM

no no don't worry. it's not osquery

sharvil

08/02/2022, 2:17 PM

ah..still quite an interesting crash though..the only other thing I can think of is when a

pid

doesn’t have a path in the filesystem (kinda zombie like process), but that’s far fetched

Andrea

08/02/2022, 2:24 PM

so apparently the function was written as part of a Objective C file (.mm).. so defining the function in that context was creating some issues

Andrea

08/02/2022, 2:25 PM

moved the function in a c++ file and it works fine

sharvil

08/02/2022, 2:26 PM

Ah, I guess ARC may not play that nicely..I am sure there is a way to guard/retain that memory

Andrea

08/02/2022, 2:30 PM

not sure what ARC is but I ll have a look. Anyway, thank you for your help!! very appreciated!

sharvil

08/02/2022, 2:32 PM

cool, no problem — arc is the reference counting in Objective-C

Andrea

08/02/2022, 2:35 PM

ahh ok

Open in Slack

Previous Next