top: Check sortindx.

Check sortindx every time it is used as an index or loaded from the
configuration file. Otherwise it leads to out-of-bounds reads and
arbitrary code execution.
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent bbe58d7e0a
commit d5b8ac7139


@ -1854,6 +1854,9 @@ end_justifies:
// for calibrate_fields and summary_show 1st pass // for calibrate_fields and summary_show 1st pass
#define L_DEFAULT PROC_FILLSTAT #define L_DEFAULT PROC_FILLSTAT
#define UNSAFE_SORTINDX(indx, size) \
((indx) < 0 || (size_t)(indx) >= (size))
/* These are our gosh darn 'Fields' ! /* These are our gosh darn 'Fields' !
They MUST be kept in sync with pflags !! */ They MUST be kept in sync with pflags !! */
static FLD_t Fieldstab[] = { static FLD_t Fieldstab[] = {
@ -2042,6 +2045,8 @@ static void build_headers (void) {
do { do {
if (VIZISw(w)) { if (VIZISw(w)) {
if (UNSAFE_SORTINDX(w->rc.sortindx, sizeof(Fieldstab) / sizeof(Fieldstab[0])))
w->rc.sortindx = EU_PID;
memset((s = w->columnhdr), 0, sizeof(w->columnhdr)); memset((s = w->columnhdr), 0, sizeof(w->columnhdr));
if (Rc.mode_altscr) s = scat(s, fmtmk("%d", w->winnum)); if (Rc.mode_altscr) s = scat(s, fmtmk("%d", w->winnum));
for (i = 0; i < w->maxpflgs; i++) { for (i = 0; i < w->maxpflgs; i++) {
@ -2314,7 +2319,8 @@ static void fields_utility (void) {
#endif #endif
#define swapEM { char c; unSCRL; c = w->rc.fieldscur[i]; \ #define swapEM { char c; unSCRL; c = w->rc.fieldscur[i]; \
w->rc.fieldscur[i] = *p; *p = c; p = &w->rc.fieldscur[i]; } w->rc.fieldscur[i] = *p; *p = c; p = &w->rc.fieldscur[i]; }
#define spewFI { char *t; f = w->rc.sortindx; t = strchr(w->rc.fieldscur, f + FLD_OFFSET); \ #define spewFI { char *t; if (UNSAFE_SORTINDX(w->rc.sortindx, EU_MAXPFLGS)) w->rc.sortindx = EU_PID; \
f = w->rc.sortindx; t = strchr(w->rc.fieldscur, f + FLD_OFFSET); \
if (!t) t = strchr(w->rc.fieldscur, (f + FLD_OFFSET) | 0x80); \ if (!t) t = strchr(w->rc.fieldscur, (f + FLD_OFFSET) | 0x80); \
i = (t) ? (int)(t - w->rc.fieldscur) : 0; } i = (t) ? (int)(t - w->rc.fieldscur) : 0; }
WIN_t *w = Curwin; // avoid gcc bloat with a local copy WIN_t *w = Curwin; // avoid gcc bloat with a local copy
@ -3669,6 +3675,8 @@ static int config_cvt (WIN_t *q) {
strcpy(q->rc.fieldscur, fields_dst); strcpy(q->rc.fieldscur, fields_dst);
// lastly, we must adjust the old sort field enum... // lastly, we must adjust the old sort field enum...
if (UNSAFE_SORTINDX(q->rc.sortindx, sizeof(fields_src) / sizeof(fields_src[0])))
return 1;
x = q->rc.sortindx; x = q->rc.sortindx;
q->rc.sortindx = fields_src[x] - FLD_OFFSET; q->rc.sortindx = fields_src[x] - FLD_OFFSET;
@ -3718,6 +3726,8 @@ error Hey, fix the above fscanf 'PFLAGSSIZ' dependency !
if (3 > fscanf(fp, "\twinflags=%d, sortindx=%d, maxtasks=%d, graph_cpus=%d, graph_mems=%d\n" if (3 > fscanf(fp, "\twinflags=%d, sortindx=%d, maxtasks=%d, graph_cpus=%d, graph_mems=%d\n"
, &w->rc.winflags, &w->rc.sortindx, &w->rc.maxtasks, &w->rc.graph_cpus, &w->rc.graph_mems)) , &w->rc.winflags, &w->rc.sortindx, &w->rc.maxtasks, &w->rc.graph_cpus, &w->rc.graph_mems))
return p; return p;
if (UNSAFE_SORTINDX(w->rc.sortindx, sizeof(Fieldstab) / sizeof(Fieldstab[0])))
return p;
if (4 != fscanf(fp, "\tsummclr=%d, msgsclr=%d, headclr=%d, taskclr=%d\n" if (4 != fscanf(fp, "\tsummclr=%d, msgsclr=%d, headclr=%d, taskclr=%d\n"
, &w->rc.summclr, &w->rc.msgsclr , &w->rc.summclr, &w->rc.msgsclr
, &w->rc.headclr, &w->rc.taskclr)) , &w->rc.headclr, &w->rc.taskclr))
@ -5924,6 +5934,8 @@ static int window_show (WIN_t *q, int wmax) {
else Frame_srtflg = -1; else Frame_srtflg = -1;
Frame_ctimes = CHKw(q, Show_CTIMES); // this & next, only maybe Frame_ctimes = CHKw(q, Show_CTIMES); // this & next, only maybe
Frame_cmdlin = CHKw(q, Show_CMDLIN); Frame_cmdlin = CHKw(q, Show_CMDLIN);
if (UNSAFE_SORTINDX(q->rc.sortindx, sizeof(Fieldstab) / sizeof(Fieldstab[0])))
q->rc.sortindx = EU_PID;
qsort(q->ppt, Frame_maxtask, sizeof(proc_t*), Fieldstab[q->rc.sortindx].sort); qsort(q->ppt, Frame_maxtask, sizeof(proc_t*), Fieldstab[q->rc.sortindx].sort);
} }
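Review bot: The upper bound passed to UNSAFE_SORTINDX is spelled three different ways across the hunks — `sizeof(Fieldstab) / sizeof(Fieldstab[0])` in build_headers, the config reader and window_show, `EU_MAXPFLGS` in the spewFI macro of fields_utility, and `sizeof(fields_src) / sizeof(fields_src[0])` in config_cvt — so a future change to one table can silently desynchronise the checks that the "MUST be kept in sync" comment near Fieldstab warns about. Next to the macro in the first hunk I would add a single named count, `#define FIELDSTAB_SZ (sizeof(Fieldstab) / sizeof(Fieldstab[0]))`, and use it at the Fieldstab-indexed sites, keeping EU_MAXPFLGS only where the index is applied to fieldscur; the config_cvt bound is presumably correct only if fields_src is a true array and not a pointer, which the hunk does not show. The macro itself would also benefit from a one-line contract, `/* true when indx cannot safely index an array of 'size' elements */`, since the mix of "reset to EU_PID" at runtime sites and "reject the config" at load sites is deliberate but undocumented. The enclosing functions build_headers, fields_utility, config_cvt and window_show all begin outside their hunks.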