ps: Fix possible buffer overflow in -C option

ps allocates memory using malloc(length of arg * len of struct). In certain strange circumstances, the arg length could be very large and the multiplecation will overflow, allocating a small amount of memory. Subsequent strncpy() will then write into unallocated memory. The fix is to use calloc. It's slower but this is a one-time allocation. Other malloc(x * y) calls have also been replaced by calloc(x, y) References: https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 https://nvd.nist.gov/vuln/detail/CVE-2023-4016 https://gitlab.com/procps-ng/procps/-/issues/297 https://bugs.debian.org/1042887 Signed-off-by: Craig Small <csmall@dropbear.xyz>
2024-11-27 12:04:28 +08:00 · 2023-08-10 21:18:38 +10:00 · 2023-08-10 21:18:38 +10:00 · 2c933ecba3
commit 2c933ecba3
parent dd95215280
2 changed files with 5 additions and 4 deletions
--- a/1
+++ b/1
@ -8,6 +8,7 @@ procps-ng-NEXT
  * pgrep: Use only --signal option for signal             Debian #1031765
  * pgrep: suppress >15 warning if using regex             Debian #1037450
  * ps: fixed missing or corrupted fields with -m option   Debian #1036631, issue #279
+  * ps: Fix buffer overflow in -C option CVE-2023-4016     Debian #1042887, issue #297
  * sysctl: -N show names                                  merge #198, RH #2222056
  * tests: dont compare floats with ==                     issue #271
  * tests: skips tests if maps missing                     merge #197, Gentoo #583036
--- a/src/ps/parser.c
+++ b/src/ps/parser.c
@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
  const char *err;       /* error code that could or did happen */
  /*** prepare to operate ***/
  node = xmalloc(sizeof(selection_node));
-  node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
  node->n = 0;
  buf = strdup(arg);
  /*** sanity check and count items ***/
@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
  } while (*++walk);
  if(need_item) goto parse_error;
  node->n = items;
+  node->u = xcalloc(items, sizeof(sel_union));
  /*** actually parse the list ***/
  walk = buf;
  while(items--){
@ -1050,15 +1050,15 @@ static const char *parse_trailing_pids(void){
  thisarg = ps_argc - 1;   /* we must be at the end now */

  pidnode = xmalloc(sizeof(selection_node));
-  pidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */
+  pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
  pidnode->n = 0;

  grpnode = xmalloc(sizeof(selection_node));
-  grpnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */
+  grpnode->u = xcalloc(i,sizeof(sel_union)); /* waste is insignificant */
  grpnode->n = 0;

  sidnode = xmalloc(sizeof(selection_node));
-  sidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */
+  sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
  sidnode->n = 0;

  while(i--){