Andrew Geissler | 5082cc7 | 2023-09-11 08:41:39 -0400 | [diff] [blame] | 1 | From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 |
| 2 | From: Craig Small <csmall@dropbear.xyz> |
| 3 | Date: Thu, 10 Aug 2023 21:18:38 +1000 |
| 4 | Subject: [PATCH] ps: Fix possible buffer overflow in -C option |
| 5 | |
| 6 | ps allocates memory using malloc(length of arg * len of struct). |
| 7 | In certain strange circumstances, the arg length could be very large |
| 8 | and the multiplecation will overflow, allocating a small amount of |
| 9 | memory. |
| 10 | |
| 11 | Subsequent strncpy() will then write into unallocated memory. |
| 12 | The fix is to use calloc. It's slower but this is a one-time |
| 13 | allocation. Other malloc(x * y) calls have also been replaced |
| 14 | by calloc(x, y) |
| 15 | |
| 16 | References: |
| 17 | https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 |
| 18 | https://nvd.nist.gov/vuln/detail/CVE-2023-4016 |
| 19 | https://gitlab.com/procps-ng/procps/-/issues/297 |
| 20 | https://bugs.debian.org/1042887 |
| 21 | |
| 22 | Signed-off-by: Craig Small <csmall@dropbear.xyz> |
| 23 | |
| 24 | CVE: CVE-2023-4016 |
| 25 | Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] |
| 26 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 27 | --- |
| 28 | NEWS | 1 + |
| 29 | src/ps/parser.c | 8 ++++---- |
| 30 | 2 files changed, 5 insertions(+), 4 deletions(-) |
| 31 | |
| 32 | diff --git a/src/ps/parser.c b/src/ps/parser.c |
| 33 | index 248aa741..15873dfa 100644 |
| 34 | --- a/src/ps/parser.c |
| 35 | +++ b/src/ps/parser.c |
| 36 | @@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s |
| 37 | const char *err; /* error code that could or did happen */ |
| 38 | /*** prepare to operate ***/ |
| 39 | node = xmalloc(sizeof(selection_node)); |
| 40 | - node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ |
| 41 | node->n = 0; |
| 42 | buf = strdup(arg); |
| 43 | /*** sanity check and count items ***/ |
| 44 | @@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s |
| 45 | } while (*++walk); |
| 46 | if(need_item) goto parse_error; |
| 47 | node->n = items; |
| 48 | + node->u = xcalloc(items, sizeof(sel_union)); |
| 49 | /*** actually parse the list ***/ |
| 50 | walk = buf; |
| 51 | while(items--){ |
| 52 | @@ -1050,15 +1050,15 @@ static const char *parse_trailing_pids(void){ |
| 53 | thisarg = ps_argc - 1; /* we must be at the end now */ |
| 54 | |
| 55 | pidnode = xmalloc(sizeof(selection_node)); |
| 56 | - pidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| 57 | + pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ |
| 58 | pidnode->n = 0; |
| 59 | |
| 60 | grpnode = xmalloc(sizeof(selection_node)); |
| 61 | - grpnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| 62 | + grpnode->u = xcalloc(i,sizeof(sel_union)); /* waste is insignificant */ |
| 63 | grpnode->n = 0; |
| 64 | |
| 65 | sidnode = xmalloc(sizeof(selection_node)); |
| 66 | - sidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ |
| 67 | + sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ |
| 68 | sidnode->n = 0; |
| 69 | |
| 70 | while(i--){ |
| 71 | -- |
| 72 | GitLab |
| 73 | |