From 6fb2bbaa0dea7c0df4ad75e9b6cd8700456b0005 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] proc/readproc.c: Harden status2proc(). 1/ Do not read past the terminating null byte when hashing the name. 2/ S[x] is used as an index, but S is "char *S" (signed) and hence may index the array out-of-bounds. Bit-mask S[x] with 127 (the array has 128 entries). 3/ Use a size_t for j, not an int (strlen() returns a size_t). Notes: - These are (mostly) theoretical problems, because the contents of /proc/PID/status are (mostly) trusted. - The "name" member of the status_table_struct has 8 bytes, and "RssShmem" occupies exactly 8 bytes, which means that "name" is not null-terminated. This is fine right now, because status2proc() uses memcmp(), not strcmp(), but it is worth mentioning. --- proc/readproc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/proc/readproc.c b/proc/readproc.c index db90a2e9..855e0c17 100644 --- a/proc/readproc.c +++ b/proc/readproc.c @@ -37,6 +37,7 @@ #include #include #include +#include #ifdef WITH_SYSTEMD #include #endif @@ -252,8 +253,8 @@ ENTER(0x220); // examine a field name (hash and compare) base: - if(unlikely(!*S)) break; - entry = table[(GPERF_TABLE_SIZE -1) & (asso[(int)S[3]] + asso[(int)S[2]] + asso[(int)S[0]])]; + if(unlikely(!S[0] || !S[1] || !S[2] || !S[3])) break; + entry = table[(GPERF_TABLE_SIZE -1) & (asso[S[3]&127] + asso[S[2]&127] + asso[S[0]&127])]; colon = strchr(S, ':'); if(unlikely(!colon)) break; if(unlikely(colon[1]!='\t')) break; @@ -386,9 +387,9 @@ ENTER(0x220); continue; case_Groups: { char *nl = strchr(S, '\n'); - int j = nl ? (nl - S) : strlen(S); + size_t j = nl ? (size_t)(nl - S) : strlen(S); - if (j) { + if (j > 0 && j < INT_MAX) { P->supgid = xmalloc(j+1); // +1 in case space disappears memcpy(P->supgid, S, j); if (unlikely(' ' != P->supgid[--j])) ++j;