procps/proc
Qualys Security Advisory 86d3d37406 0074-proc/readproc.c: Fix bugs and overflows in file2strvec().
Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!

For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.

The easy changes:

- Replace sprintf() with snprintf() (and check for truncation).

- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
  do break instead of return: it simplifies the code (only one place to
  handle errors), and also guarantees that in the while loop either n or
  tot is > 0 (or both), even if n is reset to 0 when about to overflow.

- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
  code, since we enter the while loop only if n >= 0.

- Rewrite the missing-null-terminator detection: in the original
  function, if the size of the file is a multiple of 2047, a null-
  terminator is appended even if the file is already null-terminated.

- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
  originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
  to handle the first break of the while loop, and to guarantee that in
  the rest of the function tot is > 0.

- Double-force ("belt and suspenders") the null-termination of rbuf:
  this is (and was) essential to the correctness of the function.

- Replace the final "while" loop with a "for" loop that behaves just
  like the preceding "for" loop: in the original function, this would
  lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
  would return the array {"",NULL} but should return {"","A",NULL}; and
  if rbuf is |A|\0|B| (should never happen because rbuf should be null-
  terminated), this would make room for two pointers in ret, but would
  write three pointers to ret).

The hard changes:

- Prevent the integer overflow of tot in the while loop, but unlike
  file2str(), file2strvec() cannot let tot grow until it almost reaches
  INT_MAX, because it needs more space for the pointers: this is why we
  introduced ARG_LEN, which also guarantees that we can add "align" and
  a few sizeof(char*)s to tot without overflowing.

- Prevent the integer overflow of "tot + c + align": when INT_MAX is
  (almost) reached, we write the maximal safe amount of pointers to ret
  (ARG_LEN guarantees that there is always space for *ret = rbuf and the
  NULL terminator).

---------------------------- adapted for newlib branch
. there were many formatting differences
. i introduced several myself (especially comments)
. stdlib 'realloc' used, not that home grown xrealloc
. stdlib 'realloc' required extra 'return NULL' statement

Signed-off-by: Jim Warner <james.warner@comcast.net>
2018-06-09 21:35:19 +10:00
..
.gitignore tests: update template and add pids 2016-04-19 21:33:02 +10:00
COPYING miscellaneous: clean up trailing whitespace once again 2013-04-07 18:05:01 +10:00
devname.c 0040-proc/devname.c: Never write more than "chop" (part 2). 2018-06-09 21:35:19 +10:00
devname.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
diskstats.c library: delete some obsolete parameter checking logic 2017-12-20 21:18:54 +11:00
diskstats.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
escape.c 0051-proc/escape.c: Prevent buffer overflows in escape_command(). 2018-06-09 21:35:19 +10:00
escape.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
libprocps.pc.in Renaming libprocfs to libprocps 2011-12-23 09:18:43 +11:00
libprocps.sym library: provide for validating result type references 2016-08-07 21:40:48 +10:00
meminfo.c library: delete some obsolete parameter checking logic 2017-12-20 21:18:54 +11:00
meminfo.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
namespace.c library: ensure 'namespace' types treated consistently 2017-01-04 08:29:44 +11:00
namespace.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
numa.c library: set stage for NUMA node field display support 2017-05-22 21:38:10 +10:00
numa.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
pids.c library: expanded to provide for the UID used at login 2018-02-19 20:33:59 +11:00
pids.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
procps-private.h library: please keep procps-private.h free of #include 2016-06-11 11:50:37 +10:00
procps.h library: provide for validating result type references 2016-08-07 21:40:48 +10:00
pwcache.c library: eliminate all dependencies on alloc.h/alloc.c 2017-12-20 21:18:53 +11:00
pwcache.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
readproc.c 0074-proc/readproc.c: Fix bugs and overflows in file2strvec(). 2018-06-09 21:35:19 +10:00
readproc.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
slabinfo.c 0042-proc/slab.h: Fix off-by-one overflow in sscanf(). 2018-06-09 21:35:19 +10:00
slabinfo.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
stat.c library: delete some obsolete parameter checking logic 2017-12-20 21:18:54 +11:00
stat.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
sysinfo.c library: eliminate all dependencies on alloc.h/alloc.c 2017-12-20 21:18:53 +11:00
sysinfo.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
test_namespace.c tests: update template and add pids 2016-04-19 21:33:02 +10:00
test_pids.c related: change for lost 'PROCPS_' enumerator prefixes 2016-07-26 20:49:44 +10:00
test_sysinfo.c tests: update template and add pids 2016-04-19 21:33:02 +10:00
test_uptime.c library: procps_uptime() return value is a status 2016-05-01 16:50:25 +10:00
test_version.c library: Fix LINUX_VERSION macro 2016-05-01 17:46:25 +10:00
uptime.c 0047-proc/whattime.c: Always initialize buf. 2018-06-09 21:35:19 +10:00
uptime.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
version.c miscellaneous: remove some trailing whitespace buildup 2015-06-20 07:46:23 +10:00
version.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
vmstat.c library: delete some obsolete parameter checking logic 2017-12-20 21:18:54 +11:00
vmstat.h library: replace the troublesome '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
wchan.c library: don't strip off prefixes from the wchan names 2016-12-07 22:07:00 +11:00
wchan.h library: eliminate inappropriate '__BEGIN_DECLS' macro 2018-05-06 07:19:38 +10:00
xtra-procps-debug.h library: strengthen the VAL macro validation functions 2016-08-08 22:01:37 +10:00