| From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 |
| From: Craig Small <csmall@dropbear.xyz> |
| Date: Thu, 10 Aug 2023 21:18:38 +1000 |
| Subject: [PATCH] ps: Fix possible buffer overflow in -C option |
| |
| ps allocates memory using malloc(length of arg * len of struct). |
| In certain strange circumstances, the arg length could be very large |
| and the multiplication will overflow, allocating a small amount of |
| memory. |
| |
| Subsequent strncpy() will then write into unallocated memory. |
| The fix is to use calloc. It's slower but this is a one-time |
| allocation. Other malloc(x * y) calls have also been replaced |
| by calloc(x, y) |
| |
| References: |
| https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 |
| https://nvd.nist.gov/vuln/detail/CVE-2023-4016 |
| https://gitlab.com/procps-ng/procps/-/issues/297 |
| https://bugs.debian.org/1042887 |
| |
| Signed-off-by: Craig Small <csmall@dropbear.xyz> |
| |
| CVE: CVE-2023-4016 |
| Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| --- |
| NEWS | 1 + |
| src/ps/parser.c | 8 ++++---- |
| 2 files changed, 5 insertions(+), 4 deletions(-) |
| |
| diff --git a/src/ps/parser.c b/src/ps/parser.c |
| index 248aa741..15873dfa 100644 |
| --- a/src/ps/parser.c |
| +++ b/src/ps/parser.c |
| @@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s |
| const char *err; /* error code that could or did happen */ |
| /*** prepare to operate ***/ |
| node = xmalloc(sizeof(selection_node)); |
| - node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ |
| node->n = 0; |
| buf = strdup(arg); |
| /*** sanity check and count items ***/ |
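Review bot: Dropping the early allocation leaves `node->u` indeterminate between the `xmalloc(sizeof(selection_node))` two lines above and the `xcalloc` that now happens only after the counting loop in the @@ -210 hunk; xmalloc does not zero the struct, so if the `parse_error` label (not visible in either hunk) frees `node->u`, the `if(need_item) goto parse_error;` taken before the new allocation would pass an uninitialised pointer to free(). Initialising the field where the node is created, `node->u = NULL;`, keeps that error path safe whatever the label does, or the node itself can be zeroed with `node = xcalloc(1, sizeof(selection_node));`. parse_list starts before this hunk and its error label lies outside both hunks, so this is inferred from the visible ordering and should be checked against the label.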
| @@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s |
| } while (*++walk); |
| if(need_item) goto parse_error; |
| node->n = items; |
| + node->u = xcalloc(items, sizeof(sel_union)); |
| /*** actually parse the list ***/ |
| walk = buf; |
| while(items--){ |
| @@ -1050,15 +1050,15 @@ static const char *parse_trailing_pids(void){ |
| thisarg = ps_argc - 1; /* we must be at the end now */ |
| |
| pidnode = xmalloc(sizeof(selection_node)); |
| - pidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| + pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ |
| pidnode->n = 0; |
| |
| grpnode = xmalloc(sizeof(selection_node)); |
| - grpnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| + grpnode->u = xcalloc(i,sizeof(sel_union)); /* waste is insignificant */ |
| grpnode->n = 0; |
| |
| sidnode = xmalloc(sizeof(selection_node)); |
| - sidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| + sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ |
| sidnode->n = 0; |
| |
| while(i--){ |
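Review bot: The three replacement lines are not written alike: the grpnode line reads `xcalloc(i,sizeof(sel_union))` while the pidnode and sidnode lines read `xcalloc(i, sizeof(sel_union))`; `grpnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */` matches its neighbours. The retained `/* waste is insignificant */` comments no longer say why the call changed; a short note such as `/* calloc checks i*sizeof for overflow; waste is insignificant */` on the first of the three would record the reason for the next reader. parse_trailing_pids continues past the end of this hunk, and the type and origin of `i` are not visible here.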
| -- |
| GitLab |
| |