From 1539c135071694ba6074b29a68ba08eeb3d59dfb Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] proc/readproc.c: Fix use-after-free in readproctab2().

The memset() in the PROC_LOOSE_TASKS loop leaves a struct proc_t
uninitialized (the one at data+n_used), which leads to a use-after-free.

ps calls readproctab2(), but only if !TF_loose_tasks, and this U-A-F is
triggered only if PROC_LOOSE_TASKS, so there seems to be no vulnerable
call in the procps package itself (other users of the libprocps may be
vulnerable, though).
---
 proc/readproc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proc/readproc.c b/proc/readproc.c
index 03014b62..8caa3920 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -1565,7 +1565,7 @@ proc_data_t *readproctab2(int(*want_proc)(proc_t *buf), int(*want_task)(proc_t *
             data = xrealloc(data,sizeof(proc_t)*n_alloc);
             // have to move tmp too
             tmp = data+(tmp-old);
-            memset(data+n_used+1, 0, sizeof(proc_t)*(n_alloc-(n_used+1)));
+            memset(data+n_used, 0, sizeof(proc_t)*(n_alloc-n_used));
           }
           if(n_task_alloc == n_task){
             //proc_t **old = ttab;