Re: atop has issues(?)

Subject: Re: atop has issues(?)
From: invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Groups: comp.os.linux.misc
Date: 26. Mar 2025, 09:53:19
Organization: terraraq NNTP server
Message-ID : <wwvcye4yxz4.fsf@LkoBDZeT.terraraq.uk>
References : 1
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
John McCue <jmccue@qball.jmcunx.com> writes:

> Hi All
>
> Ran across this:
>
> https://news.ycombinator.com/item?id=43477057
>
> Seems atop may be 'bad':
>
> Below from
> https://rachelbythebay.com/w/2025/03/25/atop/
>
>   You might want to stop running atop
>
>   My life as a mercenary sysadmin can be
>   interesting. Sometimes I find things, and
>   sometimes I hear things. Now and then I say
>   things.
>
>   Right now, I think it's probably best if you
>   uninstall atop. I don't mean just stopping it, but
>   actually keep it from being executed.
>
>   I'm not talking about the OG top, or htop, iftop,
>   or anything else with a "top" name. Just atop.
>
>   I can go into why another time.

Frustratingly vague.

1) atop installs a background service, and can optionally be accompanied
   by a kernel module, both of which could contain a vulnerability that
   remains relevant when not currently running the command-line tool.

2) Of recent commits, nothing stands out apart from [1], but looking at
   the surrounding context I don’t think that’s fixing anything
   exploitable, it’s just making some grotty code a little more
   defensive.

[1] https://github.com/Atoptool/atop/commit/a0e96f124f93

Speculation:

a) If the grottiness in a0e96f124f93 is consistent throughout the code
   then more serious problems are to be expected.

b) It’s possible that whatever exercise led to a0e96f124f93 could have
   found something more serious which is not yet disclosed anywhere
   public.

By grottiness I mean:

* makeargv() makes assumptions about the size of the array it populates

* makeargv()’s bounds checks are distant from array use

* make_sys_prints()’s bounds check is, bizarrely, based on a parameter
  rather than the actual array size (it just happens, by luck or
  something, that the two always match)

--
https://www.greenend.org.uk/rjk/
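Added illustration, not atop's code and not taken from the commit linked in the post: two hypothetical tokenizers (split_args_loose and split_args_checked, names and behaviour constructed here) showing the general pattern the list above describes. The first takes its bound from a separate parameter that only matches the real array size by convention and compares against it after the store; the second derives the capacity from the array's own declaration at the call site and checks it immediately before each write, reporting overflow instead of hiding it. The helper inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity taken from the array's own declaration, at the call site. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical "loose" tokenizer, illustrating the two habits the post
 * criticises.  The capacity is a separate integer parameter that only
 * matches the real array size by convention, and the comparison against it
 * happens after the store rather than before it, so a caller that passes the
 * wrong number gets an out-of-bounds write before the check ever runs.
 * In this demo it is only ever called with a matching capacity. */
static int split_args_loose(char *line, char **argv, int maxargs)
{
    int n = 0;
    char *p = line;

    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        argv[n++] = p;               /* store first ... */
        while (*p && *p != ' ')
            p++;
        if (*p)
            *p++ = '\0';
        if (n >= maxargs)            /* ... check afterwards, away from it */
            break;
    }
    return n;                        /* no NULL terminator, no overflow signal */
}

/* Hypothetical hardened tokenizer.  The check sits immediately before the
 * only store into argv, it reserves the trailing NULL slot that execv-style
 * consumers expect, and overflow is reported instead of silently dropped. */
static int split_args_checked(char *line, char **argv, size_t cap)
{
    size_t n = 0;
    char *p = line;

    if (cap == 0)
        return -1;                   /* no room even for the NULL terminator */

    for (;;) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (n + 1 >= cap)            /* keep one slot for the NULL */
            return -1;               /* checked right before the write */
        argv[n++] = p;
        while (*p && *p != ' ')
            p++;
        if (*p)
            *p++ = '\0';
    }
    argv[n] = NULL;
    return (int)n;
}

/* Helpers that run each tokenizer over a private copy of a constructed input
 * with a four-slot argv; the capacity is derived from the array itself. */
int count_loose(const char *input)
{
    char buf[64];
    char *argv[4];

    if (snprintf(buf, sizeof buf, "%s", input) >= (int)sizeof buf)
        return -2;                   /* sample input too long for the demo */
    return split_args_loose(buf, argv, (int)ARRAY_SIZE(argv));
}

int count_checked(const char *input)
{
    char buf[64];
    char *argv[4];

    if (snprintf(buf, sizeof buf, "%s", input) >= (int)sizeof buf)
        return -2;
    return split_args_checked(buf, argv, ARRAY_SIZE(argv));
}

int main(void)
{
    printf("loose   \"a b c d e\" -> %d (silently truncated)\n",
           count_loose("a b c d e"));
    printf("checked \"a b c\"     -> %d\n", count_checked("a b c"));
    printf("checked \"a b c d e\" -> %d (overflow reported)\n",
           count_checked("a b c d e"));
    return 0;
}
```

The point of the comparison is the distance between the bound and the write: in the loose form the caller's integer and the array can drift apart across refactors without any compiler help, whereas ARRAY_SIZE at the call site plus a check adjacent to the store keeps the two tied together and makes the truncation case visible to the caller.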
