From 7e2bd279ed3fbe70a12b6dd54c6cd8239a449bee Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0089-pmap: Prevent buffer overflow in sscanf().

vmflags[] is a 27*(2+1)=81 char array, but there are 30 flags now (not 27), and even with 27 flags this was an off-by-one overflow (the kernel always outputs a flag with "%c%c ", so the last +1 is for a space, not for the terminating null byte). Protect vmflags[] with a maximum field width, as in the surrounding sscanf() calls.

Signed-off-by: Craig Small
---
 pmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pmap.c b/pmap.c
index b8ae1529..7b7e60b8 100644
--- a/pmap.c
+++ b/pmap.c
@@ -252,7 +252,8 @@ static char *mapping_name(struct pids_stack *p, unsigned long addr,
 #define DETL "31" /* for format strings */
 #define NUM_LENGTH 21 /* python says: len(str(2**64)) == 20 */
 #define NUML "20" /* for format strings */
-#define VMFLAGS_LENGTH 81 /* There are 27 posible 2 character vmflags as of this patch */
+#define VMFLAGS_LENGTH 128 /* 30 2-char space-separated flags == 90+1, but be safe */
+#define VMFL "127" /* for format strings */
 
 struct listnode {
     char description[DETAIL_LENGTH];
@@ -394,7 +395,7 @@ loop_end:
     }
 
     /* === GET VMFLAGS === */
-    nfields = ret ? sscanf(mapbuf, "VmFlags: %[a-z ]", vmflags) : 0;
+    nfields = ret ? sscanf(mapbuf, "VmFlags: %"VMFL"[a-z ]", vmflags) : 0;
     if (nfields == 1) {
         if (! has_vmflags) has_vmflags = 1;
         ret = fgets(mapbuf, sizeof mapbuf, f);
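Review bot: `VMFL "127"` and `VMFLAGS_LENGTH 128` are only kept in step by convention, and nothing in the new defines records that the format width must be exactly the buffer size minus one (the same pairing holds for `NUML "20"` vs `NUM_LENGTH 21` in the context lines above). A later bump of VMFLAGS_LENGTH that forgets VMFL, or the reverse, would quietly reintroduce the overflow this patch removes, since sscanf writes width+1 bytes including the terminator. Suggest stating the dependency where it is read: `#define VMFL "127" /* for format strings: must be VMFLAGS_LENGTH - 1, sscanf adds the NUL */`. The "90+1" arithmetic in the VMFLAGS_LENGTH comment is correct as written (30 flags * 3 chars + terminator).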
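Review bot: With the `%127[a-z ]` width in place, a VmFlags line carrying more than 42 two-character flags (43 * 3 = 129 bytes) no longer overflows but is silently cut short: sscanf still returns 1, so `nfields == 1` holds and the truncated string is consumed as if complete. That is the right trade-off for a security fix, but it is not obvious from the call site and deserves a comment there, e.g. `/* width caps the read at VMFLAGS_LENGTH-1 chars; flags beyond that (the kernel adds new ones over time) are dropped, never overflowed */`. This presumes vmflags is declared with VMFLAGS_LENGTH, which is outside the hunk. The enclosing function starts before the hunk (the `loop_end:` label is only context) and continues past it.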