[Toybox] [PATCH] taskset: fix buffer overflow from long mask
Rob Landley
rob at landley.net
Tue Sep 2 14:39:24 PDT 2025
On 8/27/25 03:00, Jesse Rosenstock wrote:
> On Mon, Aug 4, 2025 at 7:58 PM Rob Landley <rob at landley.net> wrote:
>> I initially didn't use this because:
>>
>> $ ps -o PSR $$
>> error: unknown user-defined format specifier "PSR"
>
> It looks like case-insensitive output formats might be a toybox thing.
> macOS and procps-ng don't support it.
I did a patch in this area (commit b8186ba3c4d9) a couple weeks back,
but didn't follow up switching over the test in part because no target
has "taskset" without having /proc.
But mostly because I find it increasingly hard to get enthused about
poking at toybox recently.
Last week Android announced it was eliminating sideloading:
https://www.reddit.com/r/GooglePixel/comments/1n0h5cp/google_is_removing_the_ability_to_sideload/
Shortly before that AOSP stopped publishing device trees for new
hardware: https://www.androidauthority.com/google-not-killing-aosp-3566882/
Before that Android installed spyware on my phone (which hasn't had a
security update since 2022 but it got the spyware, installed without
asking or even notifying me, on an otherwise long out of support phone)
which as far as I can tell does nothing but see if I have local nudes
and upload all my crypto keys to google:
https://www.kaspersky.com/blog/what-are-android-safetycore-and-key-verifier/53171/
Those are specifically things _android_ is doing. It was easier to go
"the left hand doesn't know what the right hand is doing" for
https://www.wheresyoured.at/the-men-who-killed-google/ through
https://www.bbc.com/news/articles/c5yk5nj7p7ko but not when it's
SPECIFIC to Android.
Nor when it closely mirrors stuff they're doing in adjacent contexts,
ala https://www.youtube.com/live/CE0EB5bXj14 and yes I am still a
nudist, which is NORMAL in less prudish countries like
https://www.youtube.com/watch?v=T0NINJOuaf4 and
https://whereandwander.com/sukayu-konyaku-mixed-gender-bathing-onsen/
where the fallout from the british empire hasn't ENTIRELY shoved puritan
victorian prudery down everyone's throats. (Currently, via the payment
processors.)
I made excuses: the 12k layoffs in 2023 could easily have been because
interest rates went up from the zero lower bound and thus silicon
valley's balance sheets suddenly had large interest payments just to
break even (rather than being able to borrow to make payroll each month
at rates less than inflation, meaning the principal amount you owed went
down each year in real terms even if you never paid back a dime and let
all the interest compound). Or it could have been an obvious attempt to
break unions so the next time
https://www.cnbc.com/2019/08/19/google-employees-implore-leaders-to-stop-working-with-us-bcp-ice.html
happened they could quietly profit without fear of walkouts.
There are at least FOUR things that annoy me about Youtube using "AI" to
decide that my nearly 12 year old account isn't an adult unless I
provide government ID (even though if I was six when I made that account
I'd be 18 now): https://mstdn.jp/@landley/115108331241194928
1) The site's already been so heavily censored I've referred to it as
"prudetube" for years: https://mstdn.jp/@landley/109649922700077367
2) The censorship acts in uk/france/australia aren't law here yet but
instead of pushback their preemptive compliance is locking the USA down
anyway. I've been personally highly concerned about this topic for YEARS
ala https://landley.net/notes-2022.html#23-01-2022 and Google is on the
WRONG SIDE of the issue, presumably because they want all the
information and all the control.
3) The "dox yourself" thing is a theme here, the elimination of
sideloading comes after an earlier lockdown of the play store:
https://landley.net/notes-2024.html#05-05-2024 but there's a zillion
other LITTLE things like moving maps.google.com to google.com/maps so
you can't give just the one site location access, now ALL google
services have location access because they took away the ability to
distinguish.
4) Google is just BAD at AI, but forces it on everybody. "Confidently
wrong" is what I expect from Google's AI summaries every day, here's
from this morning: https://mstdn.jp/@landley/115135240180510957
I worked with a company earlier this year to help migrate them off of
Google Cloud to a self-hosted NextCloud because they could no longer
prevent the proprietary data they had (both their own and received under
NDA) from being fed into AI training. They had to set up their own rack
hosting for hardware and get a "google takeout" of their data then
figure out how to convert it to nextcloud then submit a GDPR data
deletion request through a european partners (whose data was NDA'd) to
get the data actually removed from Google. (Presumably still ongoing, I
was helping with the server parts not the lawyer parts...)
I _think_ I've disabled the similarly forced "gemini" install on my
phone ala
https://www.kaspersky.com/blog/how-to-disable-gemini-on-android/53771/
but when I showed my sister where "android system safety core" was on
her phone it was there but wouldn't let her uninstall it, so I don't
think I'll be getting a new stock android phone _ever_. (It's in the
"facebook/windows" bucket.) If grapheneos isn't usable on a cheap
motorola when this one finally dies (or refuses to continue to play
netflix and such), I may actually get an iphone since that's not _less_
of a walled garden and not _less_ bad for privacy. Or a flip phone and a
wifi tablet.
My old goal of an 8 year old girl in rural india inheriting her mother's
old phone and scraping up a solar panel and USB hub/peripherals to teach
herself programming? Now she couldn't sideload her own apps onto her own
phone without getting government ID and paying Google for permission.
This is no longer a platform CAPABLE of addressing
http://lists.landley.net/pipermail/toybox-landley.net/2020-July/011898.html
it is instead another obstacle to overcome.
And when other companies pull
https://www.reddit.com/r/hardware/comments/1n4740y/ltt_switch_2_usb_c_compatibility_nintendos_greed/
I no longer expect Google to be on the right side of any given issue,
rather than joining in to make it worse. The employee walkouts of yore
pushing back were before the multiple rounds of mass layoffs, I dunno if
https://www.youtube.com/watch?v=MxGHQgmWYLk was 25k _more_ or bringing
the total up (it was on my watch later list before the youtube account
went away, but I never actually watched it) but it doesn't seem to
matter. Google's management treats its employees the same way it treats
regulators, it's hard NOT to read the end of sideloading as a direct
response to
https://www.reddit.com/r/technology/comments/1meuqnt/epic_just_won_its_google_lawsuit_again_and/
doubling down.
https://en.wikipedia.org/wiki/Don%27t_be_evil
Anyway, toybox was never about Google: I'm 90% of the way to another
release (all the mkroot targets I had working last release build under
6.16 again), I owe the QNX guys a fix, it's silly to let a toybox issue
remain broken just because microsoft or facebook reported it... I should
get back on the horse.
But this hobby hasn't exactly been "fun" in a while.
Rob