emo/procps
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

proc/readproc.c: Fix use-after-free in readproctab2().

Browse Source 
The memset() in the PROC_LOOSE_TASKS loop leaves a struct proc_t
uninitialized (the one at data+n_used), which leads to a use-after-free.

ps calls readproctab2(), but only if !TF_loose_tasks, and this U-A-F is
triggered only if PROC_LOOSE_TASKS, so there seems to be no vulnerable
call in the procps package itself (other users of the libprocps may be
vulnerable, though).
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent a4d82a2c2c
commit 1539c13507
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
proc/readproc.c
View File

@ -1565,7 +1565,7 @@ proc_data_t *readproctab2(int(*want_proc)(proc_t *buf), int(*want_task)(proc_t *
data = xrealloc(data,sizeof(proc_t)*n_alloc); data = xrealloc(data,sizeof(proc_t)*n_alloc);
// have to move tmp too // have to move tmp too
tmp = data+(tmp-old); tmp = data+(tmp-old);
memset(data+n_used+1, 0, sizeof(proc_t)*(n_alloc-(n_used+1))); memset(data+n_used, 0, sizeof(proc_t)*(n_alloc-n_used));
} }
if(n_task_alloc == n_task){ if(n_task_alloc == n_task){
//proc_t **old = ttab; //proc_t **old = ttab;