NetBSD-Bugs archive
bin/50934: pkill/pgrep segfaults in some cases
>Number: 50934
>Category: bin
>Synopsis: pkill/pgrep segfaults in some cases
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 10 18:30:00 +0000 2016
>Originator: Brian Marcotte
>Release: 7.0
>Organization:
Public Access Networks, Corp.
>Environment:
NetBSD panix5.panix.com 7.0 NetBSD 7.0 (PANIX-XEN-USER) #1: Tue Jan 19 00:58:25 EST 2016 root%juggler.panix.com@localhost:/misc/obj/misc/devel/netbsd/7.0/src/sys/arch/i386/compile/PANIX-XEN-USER
>Description:
pkill/pgrep can segfault when looking at the list of processes.
Somehow it's possible that pargv[0] can be NULL and it segfaults on this line:
strlcpy(buf, pargv[0], sizeof(buf));
That appeared in revision 1.28 of pkill.c
>How-To-Repeat:
I don't know how to duplicate the process which is causing its argv[0] to be NULL, but I can test changes on the machine that currently has the issue.
>Fix:
Perhaps fall back to using p_comm when pargv[0] is NULL:
--- /devel/netbsd/7.0/src/usr.bin/pkill/pkill.c 2015-01-27 08:39:31.000000000 -0500
+++ pkill.c 2016-03-10 13:19:17.000000000 -0500
@@ -296,8 +296,12 @@
pargv[0]);
pargv++;
}
- } else
- strlcpy(buf, pargv[0], sizeof(buf));
+ } else {
+ if (pargv[0] == NULL)
+ strlcpy(buf, kp->p_comm, sizeof(buf));
+ else
+ strlcpy(buf, pargv[0], sizeof(buf));
+ }
rv = regexec(®, buf, 1, ®match, 0);
if (rv == 0) {
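Review bot: the NULL test is added only in the else branch, while the context lines just above it still pass pargv[0] as an argument in the other branch; please confirm that path cannot see a NULL pargv[0] either, or hoist the check above the if/else so both paths are covered. A short comment saying that matching falls back to kp->p_comm when argv[0] is missing would help, since the pattern is then compared against a different string than usual. The four added lines could also be one call: strlcpy(buf, pargv[0] != NULL ? pargv[0] : kp->p_comm, sizeof(buf));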