[Toybox] [PATCH] taskset: fix buffer overflow from long mask

Jesse Rosenstock jmr at google.com
Mon Jun 23 08:38:02 PDT 2025


Previously, a long mask on the command line would overrun toybuf.

Use sizeof(toybuf) rather than 4096 when calling sched_getaffinity;
maybe toybuf's size will change.

Tested:
% toybox taskset $( yes f | head -n 8193 | tr -d '\n' ) true
taskset: mask too long

The util-linux taskset handles masks longer than zsh can construct:
taskset $( yes f | head -n 131000 | tr -d '\n' ) true

--- a/toys/other/taskset.c      2019-06-12 19:36:37.000000000 +0200
+++ b/toys/other/taskset.c      2025-06-23 14:47:26.000000000 +0200
@@ -74,6 +74,7 @@

     memset(toybuf, 0, sizeof(toybuf));
     k = strlen(s = *toys.optargs);
+    if (k > 2*sizeof(toybuf)) error_exit("mask too long");
     s += k;
     for (j = 0; j<k; j++) {
       unsigned long digit = *(--s) - '0';
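Review bot: The added check on `k` compares the raw string length, not the number of significant digits, so a mask whose value fits but is padded with leading zeros beyond 2*sizeof(toybuf) characters now exits with "mask too long". If such input should still be accepted, skip leading '0' characters before the comparison. The factor of 2 presumably means two hex digits per byte of toybuf, but the store that would justify it is outside this hunk, so a short comment on that line would help. The check also does not depend on the memset above it and could go first.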
@@ -121,8 +122,9 @@
   unsigned i, j, nproc = 0;

   // This can only detect 32768 processors. Call getaffinity and count bits.
-  if (!toys.optflags && -1!=sched_getaffinity(getpid(), 4096, toybuf)) {
-    for (i = 0; i<4096; i++)
+  if (!toys.optflags
+      && -1 != sched_getaffinity(getpid(), sizeof(toybuf), toybuf)) {
+    for (i = 0; i<sizeof(toybuf); i++)
       if (toybuf[i]) for (j=0; j<8; j++) if (toybuf[i]&(1<<j)) nproc++;
   }

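Review bot: The context comment above the changed call still says "This can only detect 32768 processors", which is 4096*8 and becomes stale as soon as toybuf's size changes, the case the commit message gives as the reason for switching to sizeof(toybuf). Consider rewording the comment in terms of sizeof(toybuf)*8. Also note that the loop counts bits across all sizeof(toybuf) bytes rather than only the bytes the call filled in, and no memset is visible in this hunk, so the count relies on the rest of the buffer being zero after sched_getaffinity returns.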
