pmap: Prevent buffer overflow in sscanf().

vmflags[] is a 27*(2+1)=81 char array, but there are 30 flags now (not
27), and even with 27 flags this was an off-by-one overflow (the kernel
always outputs a flag with "%c%c ", so the last +1 is for a space, not
for the terminating null byte). Protect vmflags[] with a maximum field
width, as in the surrounding sscanf() calls.
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 0d9d0a5206
commit 62de3a2aa7

5
pmap.c

@ -247,7 +247,8 @@ static char *mapping_name(proc_t * p, unsigned KLONG addr,
#define DETL "31" /* for format strings */ #define DETL "31" /* for format strings */
#define NUM_LENGTH 21 /* python says: len(str(2**64)) == 20 */ #define NUM_LENGTH 21 /* python says: len(str(2**64)) == 20 */
#define NUML "20" /* for format strings */ #define NUML "20" /* for format strings */
#define VMFLAGS_LENGTH 81 /* There are 27 posible 2 character vmflags as of this patch */ #define VMFLAGS_LENGTH 128 /* 30 2-char space-separated flags == 90+1, but be safe */
#define VMFL "127" /* for format strings */
struct listnode { struct listnode {
char description[DETAIL_LENGTH]; char description[DETAIL_LENGTH];
@ -389,7 +390,7 @@ loop_end:
} }
/* === GET VMFLAGS === */ /* === GET VMFLAGS === */
nfields = ret ? sscanf(mapbuf, "VmFlags: %[a-z ]", vmflags) : 0; nfields = ret ? sscanf(mapbuf, "VmFlags: %"VMFL"[a-z ]", vmflags) : 0;
if (nfields == 1) { if (nfields == 1) {
if (! has_vmflags) has_vmflags = 1; if (! has_vmflags) has_vmflags = 1;
ret = fgets(mapbuf, sizeof mapbuf, f); ret = fgets(mapbuf, sizeof mapbuf, f);