Brad Bishop | 220d553 | 2018-08-14 00:59:39 +0100 | [diff] [blame] | 1 | From bdd058a0e676d2f013027fcfb2b344c313112a50 Mon Sep 17 00:00:00 2001 |
| 2 | From: Qualys Security Advisory <qsa@qualys.com> |
| 3 | Date: Thu, 1 Jan 1970 00:00:00 +0000 |
| 4 | Subject: [PATCH 074/126] proc/readproc.c: Fix bugs and overflows in |
| 5 | file2strvec(). |
| 6 | |
| 7 | Note: this is by far the most important and complex patch of the whole |
| 8 | series, please review it carefully; thank you very much! |
| 9 | |
| 10 | For this patch, we decided to keep the original function's design and |
| 11 | skeleton, to avoid regressions and behavior changes, while fixing the |
| 12 | various bugs and overflows. And like the "Harden file2str()" patch, this |
| 13 | patch does not fail when about to overflow, but truncates instead: there |
| 14 | is information available about this process, so return it to the caller; |
| 15 | also, we used INT_MAX as a limit, but a lower limit could be used. |
| 16 | |
| 17 | The easy changes: |
| 18 | |
| 19 | - Replace sprintf() with snprintf() (and check for truncation). |
| 20 | |
| 21 | - Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and |
| 22 | do break instead of return: it simplifies the code (only one place to |
| 23 | handle errors), and also guarantees that in the while loop either n or |
| 24 | tot is > 0 (or both), even if n is reset to 0 when about to overflow. |
| 25 | |
| 26 | - Remove the "if (n < 0)" block in the while loop: it is (and was) dead |
| 27 | code, since we enter the while loop only if n >= 0. |
| 28 | |
| 29 | - Rewrite the missing-null-terminator detection: in the original |
| 30 | function, if the size of the file is a multiple of 2047, a null- |
| 31 | terminator is appended even if the file is already null-terminated. |
| 32 | |
| 33 | - Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)": |
| 34 | originally, it was equivalent to "if (n < 0)", but we added "tot <= 0" |
| 35 | to handle the first break of the while loop, and to guarantee that in |
| 36 | the rest of the function tot is > 0. |
| 37 | |
| 38 | - Double-force ("belt and suspenders") the null-termination of rbuf: |
| 39 | this is (and was) essential to the correctness of the function. |
| 40 | |
| 41 | - Replace the final "while" loop with a "for" loop that behaves just |
| 42 | like the preceding "for" loop: in the original function, this would |
| 43 | lead to unexpected results (for example, if rbuf is |\0|A|\0|, this |
| 44 | would return the array {"",NULL} but should return {"","A",NULL}; and |
| 45 | if rbuf is |A|\0|B| (should never happen because rbuf should be null- |
| 46 | terminated), this would make room for two pointers in ret, but would |
| 47 | write three pointers to ret). |
| 48 | |
| 49 | The hard changes: |
| 50 | |
| 51 | - Prevent the integer overflow of tot in the while loop, but unlike |
| 52 | file2str(), file2strvec() cannot let tot grow until it almost reaches |
| 53 | INT_MAX, because it needs more space for the pointers: this is why we |
| 54 | introduced ARG_LEN, which also guarantees that we can add "align" and |
| 55 | a few sizeof(char*)s to tot without overflowing. |
| 56 | |
| 57 | - Prevent the integer overflow of "tot + c + align": when INT_MAX is |
| 58 | (almost) reached, we write the maximal safe amount of pointers to ret |
| 59 | (ARG_LEN guarantees that there is always space for *ret = rbuf and the |
| 60 | NULL terminator). |
| 61 | [carnil: backport for 3.3.9: Add include for limits.h and use of MAX_INT] |
| 62 | |
| 63 | CVE: CVE-2018-1124 |
| 64 | Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/commit/36c350f07c75aabf747fb833f52a234ae5781b20] |
| 65 | |
| 66 | Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> |
| 67 | --- |
| 68 | proc/readproc.c | 53 ++++++++++++++++++++++++++++++++--------------------- |
| 69 | 1 file changed, 32 insertions(+), 21 deletions(-) |
| 70 | |
| 71 | diff -Naurp procps-ng-3.3.12_org/proc/readproc.c procps-ng-3.3.12/proc/readproc.c |
| 72 | --- procps-ng-3.3.12_org/proc/readproc.c 2016-07-09 14:49:25.825306872 -0700 |
| 73 | +++ procps-ng-3.3.12/proc/readproc.c 2018-07-24 00:46:49.366202531 -0700 |
| 74 | @@ -37,6 +37,7 @@ |
| 75 | #include <dirent.h> |
| 76 | #include <sys/types.h> |
| 77 | #include <sys/stat.h> |
| 78 | +#include <limits.h> |
| 79 | #ifdef WITH_SYSTEMD |
| 80 | #include <systemd/sd-login.h> |
| 81 | #endif |
| 82 | --- a/proc/readproc.c |
| 83 | +++ b/proc/readproc.c |
| 84 | @@ -600,11 +601,12 @@ static int file2str(const char *director |
| 85 | |
| 86 | static char** file2strvec(const char* directory, const char* what) { |
| 87 | char buf[2048]; /* read buf bytes at a time */ |
| 88 | - char *p, *rbuf = 0, *endbuf, **q, **ret; |
| 89 | + char *p, *rbuf = 0, *endbuf, **q, **ret, *strp; |
| 90 | int fd, tot = 0, n, c, end_of_file = 0; |
| 91 | int align; |
| 92 | |
| 93 | - sprintf(buf, "%s/%s", directory, what); |
| 94 | + const int len = snprintf(buf, sizeof buf, "%s/%s", directory, what); |
| 95 | + if(len <= 0 || (size_t)len >= sizeof buf) return NULL; |
| 96 | fd = open(buf, O_RDONLY, 0); |
| 97 | if(fd==-1) return NULL; |
| 98 | |
| 99 | @@ -612,18 +614,23 @@ static char** file2strvec(const char* di |
| 100 | while ((n = read(fd, buf, sizeof buf - 1)) >= 0) { |
| 101 | if (n < (int)(sizeof buf - 1)) |
| 102 | end_of_file = 1; |
| 103 | - if (n == 0 && rbuf == 0) { |
| 104 | - close(fd); |
| 105 | - return NULL; /* process died between our open and read */ |
| 106 | + if (n <= 0 && tot <= 0) { /* nothing read now, nothing read before */ |
| 107 | + break; /* process died between our open and read */ |
| 108 | } |
| 109 | - if (n < 0) { |
| 110 | - if (rbuf) |
| 111 | - free(rbuf); |
| 112 | - close(fd); |
| 113 | - return NULL; /* read error */ |
| 114 | + /* ARG_LEN is our guesstimated median length of a command-line argument |
| 115 | + or environment variable (the minimum is 1, the maximum is 131072) */ |
| 116 | + #define ARG_LEN 64 |
| 117 | + if (tot >= INT_MAX / (ARG_LEN + (int)sizeof(char*)) * ARG_LEN - n) { |
| 118 | + end_of_file = 1; /* integer overflow: null-terminate and break */ |
| 119 | + n = 0; /* but tot > 0 */ |
| 120 | } |
| 121 | - if (end_of_file && (n == 0 || buf[n-1]))/* last read char not null */ |
| 122 | + #undef ARG_LEN |
| 123 | + if (end_of_file && |
| 124 | + ((n > 0 && buf[n-1] != '\0') || /* last read char not null */ |
| 125 | + (n <= 0 && rbuf[tot-1] != '\0'))) /* last read char not null */ |
| 126 | buf[n++] = '\0'; /* so append null-terminator */ |
| 127 | + |
| 128 | + if (n <= 0) break; /* unneeded (end_of_file = 1) but avoid realloc */ |
| 129 | rbuf = xrealloc(rbuf, tot + n); /* allocate more memory */ |
| 130 | memcpy(rbuf + tot, buf, n); /* copy buffer into it */ |
| 131 | tot += n; /* increment total byte ctr */ |
| 132 | @@ -631,29 +638,34 @@ static char** file2strvec(const char* di |
| 133 | break; |
| 134 | } |
| 135 | close(fd); |
| 136 | - if (n <= 0 && !end_of_file) { |
| 137 | + if (n < 0 || tot <= 0) { /* error, or nothing read */ |
| 138 | if (rbuf) free(rbuf); |
| 139 | return NULL; /* read error */ |
| 140 | } |
| 141 | + rbuf[tot-1] = '\0'; /* belt and suspenders (the while loop did it, too) */ |
| 142 | endbuf = rbuf + tot; /* count space for pointers */ |
| 143 | align = (sizeof(char*)-1) - ((tot + sizeof(char*)-1) & (sizeof(char*)-1)); |
| 144 | - for (c = 0, p = rbuf; p < endbuf; p++) { |
| 145 | - if (!*p || *p == '\n') |
| 146 | + c = sizeof(char*); /* one extra for NULL term */ |
| 147 | + for (p = rbuf; p < endbuf; p++) { |
| 148 | + if (!*p || *p == '\n') { |
| 149 | + if (c >= INT_MAX - (tot + (int)sizeof(char*) + align)) break; |
| 150 | c += sizeof(char*); |
| 151 | + } |
| 152 | if (*p == '\n') |
| 153 | *p = 0; |
| 154 | } |
| 155 | - c += sizeof(char*); /* one extra for NULL term */ |
| 156 | |
| 157 | rbuf = xrealloc(rbuf, tot + c + align); /* make room for ptrs AT END */ |
| 158 | endbuf = rbuf + tot; /* addr just past data buf */ |
| 159 | q = ret = (char**) (endbuf+align); /* ==> free(*ret) to dealloc */ |
| 160 | - *q++ = p = rbuf; /* point ptrs to the strings */ |
| 161 | - endbuf--; /* do not traverse final NUL */ |
| 162 | - while (++p < endbuf) |
| 163 | - if (!*p) /* NUL char implies that */ |
| 164 | - *q++ = p+1; /* next string -> next char */ |
| 165 | - |
| 166 | + for (strp = p = rbuf; p < endbuf; p++) { |
| 167 | + if (!*p) { /* NUL char implies that */ |
| 168 | + if (c < 2 * (int)sizeof(char*)) break; |
| 169 | + c -= sizeof(char*); |
| 170 | + *q++ = strp; /* point ptrs to the strings */ |
| 171 | + strp = p+1; /* next string -> next char */ |
| 172 | + } |
| 173 | + } |
| 174 | *q = 0; /* null ptr list terminator */ |
| 175 | return ret; |
| 176 | } |