404 lines
14 KiB
Diff
404 lines
14 KiB
Diff
diff -Naurp pcp-5.3.7.orig/qa/1518 pcp-5.3.7/qa/1518
|
|
--- pcp-5.3.7.orig/qa/1518 1970-01-01 10:00:00.000000000 +1000
|
|
+++ pcp-5.3.7/qa/1518 2024-09-09 13:13:14.561437414 +1000
|
|
@@ -0,0 +1,75 @@
|
|
+#!/bin/sh
|
|
+# PCP QA Test No. 1518
|
|
+# SUSE Issue A)
|
|
+# __pmDecodeValueSet() Miscalculates Available Buffer Space
|
|
+# Leading to a Possible Heap Corruption
|
|
+#
|
|
+# Copyright (c) 2024 Ken McDonell. All Rights Reserved.
|
|
+# Copyright (c) 2024 Matthias Gerstner. All Rights Reserved.
|
|
+#
|
|
+
|
|
+if [ $# -eq 0 ]
|
|
+then
|
|
+ seq=`basename $0`
|
|
+ echo "QA output created by $seq"
|
|
+else
|
|
+ # use $seq from caller, unless not set
|
|
+ [ -n "$seq" ] || seq=`basename $0`
|
|
+ echo "QA output created by `basename $0` $*"
|
|
+fi
|
|
+
|
|
+# get standard environment, filters and checks
|
|
+. ./common.product
|
|
+. ./common.filter
|
|
+. ./common.check
|
|
+
|
|
+$sudo rm -rf $tmp $tmp.* $seq.full
|
|
+
|
|
+which nc >/dev/null 2>&1 || _notrun "no nc executable installed"
|
|
+_check_valgrind
|
|
+
|
|
+_cleanup()
|
|
+{
|
|
+ cat pmcd.log >>$here/$seq.full
|
|
+ cd $here
|
|
+ $sudo rm -rf $tmp $tmp.*
|
|
+}
|
|
+
|
|
+status=0 # success is the default!
|
|
+trap "_cleanup; exit \$status" 0 1 2 3 15
|
|
+
|
|
+_filter()
|
|
+{
|
|
+ sed \
|
|
+ -e '/^Command: /d' \
|
|
+ # end
|
|
+}
|
|
+
|
|
+mkdir $tmp || exit 1
|
|
+cd $tmp
|
|
+grep sampledso $PCP_PMCDCONF_PATH >pmcd.conf
|
|
+cat pmcd.conf >>$here/$seq.full
|
|
+port=`_find_free_port`
|
|
+echo "port=$port" >>$here/$seq.full
|
|
+
|
|
+# real QA test starts here
|
|
+valgrind $PCP_BINADM_DIR/pmcd -f -Dpdu -c ./pmcd.conf -s ./pmcd.socket -p $port >out 2>err &
|
|
+valgrind_pid=$!
|
|
+sleep 2
|
|
+pmcd_pid=`$PCP_PS_PROG $PCP_PS_ALL_FLAGS | grep '[p]mcd -f -Dpdu' | $PCP_AWK_PROG '{ print $2 }'`
|
|
+echo "pmcd_pid=$pmcd_pid" >>$here/$seq.full
|
|
+nc -N -U ./pmcd.socket <$here/binary/decode-value-set-out-of-bound-write 2>&1 \
|
|
+| od -c >>$here/$seq.full
|
|
+sleep 2
|
|
+kill -TERM $pmcd_pid
|
|
+wait
|
|
+
|
|
+echo "expect error to be logged ..."
|
|
+grep __pmDecodeValueSet pmcd.log
|
|
+
|
|
+echo
|
|
+echo "and no valgrind badness ..."
|
|
+cat out err | _filter_valgrind | _filter
|
|
+
|
|
+# success, all done
|
|
+exit
|
|
diff -Naurp pcp-5.3.7.orig/qa/1518.out pcp-5.3.7/qa/1518.out
|
|
--- pcp-5.3.7.orig/qa/1518.out 1970-01-01 10:00:00.000000000 +1000
|
|
+++ pcp-5.3.7/qa/1518.out 2024-09-09 13:13:14.561437414 +1000
|
|
@@ -0,0 +1,11 @@
|
|
+QA output created by 1518
|
|
+expect error to be logged ...
|
|
+__pmDecodeValueSet: PM_ERR_IPC: pmid[0] value[0] vindex=1020 (max=255)
|
|
+
|
|
+and no valgrind badness ...
|
|
+Memcheck, a memory error detector
|
|
+LEAK SUMMARY:
|
|
+definitely lost: 0 bytes in 0 blocks
|
|
+indirectly lost: 0 bytes in 0 blocks
|
|
+Rerun with --leak-check=full to see details of leaked memory
|
|
+ERROR SUMMARY: 0 errors from 0 contexts ...
|
|
diff -Naurp pcp-5.3.7.orig/qa/group pcp-5.3.7/qa/group
|
|
--- pcp-5.3.7.orig/qa/group 2024-09-09 13:11:13.796450545 +1000
|
|
+++ pcp-5.3.7/qa/group 2024-09-09 13:13:49.419437747 +1000
|
|
@@ -1847,6 +1847,7 @@ x11
|
|
1490 python local labels
|
|
1495 pmlogrewrite labels pmdumplog local
|
|
1511 pmcd local pmda.sample
|
|
+1518 pmcd libpcp local
|
|
1530 pmda.zfs local valgrind
|
|
1531 pmda.zfs local valgrind
|
|
1532 pmda.zfs local
|
|
diff -Naurp pcp-5.3.7.orig/src/libpcp/src/endian.c pcp-5.3.7/src/libpcp/src/endian.c
|
|
--- pcp-5.3.7.orig/src/libpcp/src/endian.c 2022-04-05 09:05:43.000000000 +1000
|
|
+++ pcp-5.3.7/src/libpcp/src/endian.c 2024-09-09 13:20:56.967560588 +1000
|
|
@@ -268,13 +268,17 @@ ntohEventArray(pmValueBlock * const vb,
|
|
}
|
|
|
|
void
|
|
-__ntohpmValueBlock(pmValueBlock * const vb)
|
|
+__ntohpmValueBlock_hdr(pmValueBlock * const vb)
|
|
{
|
|
unsigned int *ip = (unsigned int *)vb;
|
|
|
|
/* Swab the first word, which contain vtype and vlen */
|
|
*ip = ntohl(*ip);
|
|
+}
|
|
|
|
+void
|
|
+__ntohpmValueBlock_buf(pmValueBlock * const vb)
|
|
+{
|
|
switch (vb->vtype) {
|
|
case PM_TYPE_U64:
|
|
case PM_TYPE_64:
|
|
@@ -298,6 +302,13 @@ __ntohpmValueBlock(pmValueBlock * const
|
|
break;
|
|
}
|
|
}
|
|
+
|
|
+void
|
|
+__ntohpmValueBlock(pmValueBlock * const vb)
|
|
+{
|
|
+ __ntohpmValueBlock_hdr(vb);
|
|
+ __ntohpmValueBlock_buf(vb);
|
|
+}
|
|
#endif
|
|
|
|
#ifndef __htonpmPDUInfo
|
|
diff -Naurp pcp-5.3.7.orig/src/libpcp/src/internal.h pcp-5.3.7/src/libpcp/src/internal.h
|
|
--- pcp-5.3.7.orig/src/libpcp/src/internal.h 2022-04-05 09:05:43.000000000 +1000
|
|
+++ pcp-5.3.7/src/libpcp/src/internal.h 2024-09-09 13:21:44.336608061 +1000
|
|
@@ -60,6 +60,8 @@ extern int __pmGetDate(struct timespec *
|
|
#define __ntohpmLabel(a) /* noop */
|
|
#define __htonpmValueBlock(a) /* noop */
|
|
#define __ntohpmValueBlock(a) /* noop */
|
|
+#define __ntohpmValueBlock_hdr(a) /* noop */
|
|
+#define __ntohpmValueBlock_buf(a) /* noop */
|
|
#define __htonpmTimespec(a) /* noop */
|
|
#define __ntohpmTimespec(a) /* noop */
|
|
#define __htonpmTimestamp(a) /* noop */
|
|
@@ -94,6 +96,8 @@ extern void __htonpmLabel(pmLabel * cons
|
|
extern void __ntohpmLabel(pmLabel * const) _PCP_HIDDEN;
|
|
extern void __htonpmValueBlock(pmValueBlock * const) _PCP_HIDDEN;
|
|
extern void __ntohpmValueBlock(pmValueBlock * const) _PCP_HIDDEN;
|
|
+extern void __ntohpmValueBlock_hdr(pmValueBlock * const) _PCP_HIDDEN;
|
|
+extern void __ntohpmValueBlock_buf(pmValueBlock * const) _PCP_HIDDEN;
|
|
extern void __htonpmTimespec(pmTimespec * const ) _PCP_HIDDEN;
|
|
extern void __ntohpmTimespec(pmTimespec * const ) _PCP_HIDDEN;
|
|
extern void __htonpmTimestamp(__pmTimestamp * const );
|
|
diff -Naurp pcp-5.3.7.orig/src/libpcp/src/p_result.c pcp-5.3.7/src/libpcp/src/p_result.c
|
|
--- pcp-5.3.7.orig/src/libpcp/src/p_result.c 2022-04-05 09:05:43.000000000 +1000
|
|
+++ pcp-5.3.7/src/libpcp/src/p_result.c 2024-09-09 13:27:16.651969214 +1000
|
|
@@ -277,6 +277,135 @@ __pmSendHighResResult(int fd, int from,
|
|
return __pmSendHighResResult_ctx(NULL, fd, from, result);
|
|
}
|
|
|
|
+/* Check that a network encoded event array is within a given buffer size */
|
|
+int
|
|
+__pmEventArrayCheck(pmValueBlock * const vb, int highres, int pmid, int value, size_t check)
|
|
+{
|
|
+ char *base;
|
|
+ int r; /* records */
|
|
+ int p; /* parameters in a record ... */
|
|
+ int nrecords;
|
|
+ int nparams;
|
|
+
|
|
+ if (highres) {
|
|
+ pmHighResEventArray *hreap = (pmHighResEventArray *)vb;
|
|
+ base = (char *)&hreap->ea_record[0];
|
|
+ if (base > (char *)vb + check) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #1: PM_ERR_IPC: pmid[%d] value[%d] highres event records past end of PDU buffer\n",
|
|
+ pmid, value);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ nrecords = ntohl(hreap->ea_nrecords);
|
|
+ }
|
|
+ else {
|
|
+ pmEventArray *eap = (pmEventArray *)vb;
|
|
+ base = (char *)&eap->ea_record[0];
|
|
+ if (base > (char *)vb + check) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #2: PM_ERR_IPC: pmid[%d] value[%d] event records past end of PDU buffer\n",
|
|
+ pmid, value);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ nrecords = ntohl(eap->ea_nrecords);
|
|
+ }
|
|
+
|
|
+ /* walk packed event record array */
|
|
+ for (r = 0; r < nrecords; r++) {
|
|
+ unsigned int flags, type;
|
|
+ size_t size, remaining;
|
|
+
|
|
+ remaining = check - (base - (char *)vb);
|
|
+ if (highres) {
|
|
+ pmHighResEventRecord *hrerp = (pmHighResEventRecord *)base;
|
|
+ size = sizeof(hrerp->er_timestamp) + sizeof(hrerp->er_flags) +
|
|
+ sizeof(hrerp->er_nparams);
|
|
+ if (size > remaining) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #3: PM_ERR_IPC: pmid[%d] value[%d] record[%d] highres event record past end of PDU buffer\n",
|
|
+ pmid, value, r);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ nparams = ntohl(hrerp->er_nparams);
|
|
+ flags = ntohl(hrerp->er_flags);
|
|
+ }
|
|
+ else {
|
|
+ pmEventRecord *erp = (pmEventRecord *)base;
|
|
+ size = sizeof(erp->er_timestamp) + sizeof(erp->er_flags) +
|
|
+ sizeof(erp->er_nparams);
|
|
+ if (size > remaining) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #4: PM_ERR_IPC: pmid[%d] value[%d] record[%d] event record past end of PDU buffer\n",
|
|
+ pmid, value, r);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ nparams = ntohl(erp->er_nparams);
|
|
+ flags = ntohl(erp->er_flags);
|
|
+ }
|
|
+
|
|
+ if (flags & PM_EVENT_FLAG_MISSED)
|
|
+ nparams = 0;
|
|
+
|
|
+ base += size;
|
|
+ remaining = check - (base - (char *)vb);
|
|
+
|
|
+ for (p = 0; p < nparams; p++) {
|
|
+ __uint32_t *tp; /* points to int holding vtype/vlen */
|
|
+ pmEventParameter *epp = (pmEventParameter *)base;
|
|
+
|
|
+ if (sizeof(pmEventParameter) > remaining) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #5: PM_ERR_IPC: pmid[%d] value[%d] record[%d] param[%d] event record past end of PDU buffer\n",
|
|
+ pmid, value, r, p);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+
|
|
+ tp = (__uint32_t *)&epp->ep_pmid;
|
|
+ tp++; /* now points to ep_type/ep_len */
|
|
+ *tp = ntohl(*tp);
|
|
+ type = epp->ep_type;
|
|
+ size = epp->ep_len;
|
|
+ *tp = htonl(*tp); /* leave the buffer how we found it */
|
|
+
|
|
+ if (sizeof(pmID) + size > remaining) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #6: PM_ERR_IPC: pmid[%d] value[%d] record[%d] param[%d] event record past end of PDU buffer\n",
|
|
+ pmid, value, r, p);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+
|
|
+ base += sizeof(pmID) + PM_PDU_SIZE_BYTES(size);
|
|
+
|
|
+ /*
|
|
+ * final check for the types below, ep_len should be 4 or
|
|
+ * 8, but a malformed PDU could have smaller ep_len values
|
|
+ * and then unpacking these types risk going past the end
|
|
+ * of the PDU buffer
|
|
+ */
|
|
+ size = 0;
|
|
+ switch (type) {
|
|
+ case PM_TYPE_32:
|
|
+ case PM_TYPE_U32:
|
|
+ case PM_TYPE_FLOAT:
|
|
+ size = 4; /* 32-bit types */
|
|
+ break;
|
|
+ case PM_TYPE_64:
|
|
+ case PM_TYPE_U64:
|
|
+ case PM_TYPE_DOUBLE:
|
|
+ size = 8; /* 64-bit types */
|
|
+ break;
|
|
+ }
|
|
+ if (size > 0 && sizeof(pmID) + size > remaining) {
|
|
+ if (pmDebugOptions.pdu)
|
|
+ fprintf(stderr, "__pmEventArrayCheck #7: PM_ERR_IPC: pmid[%d] value[%d] record[%d] param[%d] event record past end of PDU buffer\n",
|
|
+ pmid, value, r, p);
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
#if defined(HAVE_64BIT_PTR)
|
|
static int
|
|
__pmDecodeValueSet(__pmPDU *pdubuf, int pdulen, __pmPDU *data, char *pduend,
|
|
@@ -290,7 +419,7 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
int i, j;
|
|
/*
|
|
* Note: all sizes are in units of bytes ... beware that 'data' is in
|
|
- * units of __pmPDU
|
|
+ * units of __pmPDU (four bytes)
|
|
*/
|
|
int vsize; /* size of vlist_t's in PDU buffer */
|
|
int nvsize; /* size of pmValue's after decode */
|
|
@@ -368,11 +497,10 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
return PM_ERR_IPC;
|
|
}
|
|
vindex = ntohl(pduvp->value.lval);
|
|
- if (vindex < 0 || vindex > pdulen) {
|
|
+ if (vindex < 0 || (char *)&pdubuf[vindex] >= pduend) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
- fprintf(stderr, "%s: Bad: pmid[%d] value[%d] "
|
|
- "vindex=%d\n",
|
|
- "__pmDecodeValueSet", i, j, vindex);
|
|
+ fprintf(stderr, "__pmDecodeValueSet: PM_ERR_IPC: pmid[%d] value[%d] vindex=%d (max=%ld)\n",
|
|
+ i, j, vindex, (long)((pduend-(char *)pdubuf) / sizeof(pdubuf[0])-1));
|
|
return PM_ERR_IPC;
|
|
}
|
|
pduvbp = (pmValueBlock *)&pdubuf[vindex];
|
|
@@ -387,7 +515,7 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
"__pmDecodeValueSet", i, j);
|
|
return PM_ERR_IPC;
|
|
}
|
|
- __ntohpmValueBlock(pduvbp);
|
|
+ __ntohpmValueBlock_hdr(pduvbp);
|
|
if (pduvbp->vlen < PM_VAL_HDR_SIZE ||
|
|
pduvbp->vlen > pdulen) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
@@ -396,13 +524,20 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
i, j, pduvbp->vlen);
|
|
return PM_ERR_IPC;
|
|
}
|
|
- if (pduvbp->vlen > (size_t)(pduend - (char *)pduvbp)) {
|
|
+ if (pduvbp->vlen > check) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
fprintf(stderr, "%s: Bad: pmid[%d] value[%d] "
|
|
"pduvp past end of PDU buffer\n",
|
|
"__pmDecodeValueSet", i, j);
|
|
return PM_ERR_IPC;
|
|
}
|
|
+ if (pduvbp->vtype == PM_TYPE_HIGHRES_EVENT ||
|
|
+ pduvbp->vtype == PM_TYPE_EVENT) {
|
|
+ vindex = (pduvbp->vtype == PM_TYPE_HIGHRES_EVENT);
|
|
+ if (__pmEventArrayCheck(pduvbp, vindex, i, j, check) < 0)
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ __ntohpmValueBlock_buf(pduvbp);
|
|
vbsize += PM_PDU_SIZE_BYTES(pduvbp->vlen);
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate) {
|
|
fprintf(stderr, " len: %d type: %d",
|
|
@@ -635,11 +770,10 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
} else {
|
|
/* salvage pmValueBlocks from end of PDU */
|
|
vindex = ntohl(pduvp->value.lval);
|
|
- if (vindex < 0 || vindex > pdulen) {
|
|
+ if (vindex < 0 || (char *)&pdubuf[vindex] >= pduend) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
- fprintf(stderr, "%s: Bad: pmid[%d] value[%d] "
|
|
- "vindex=%d\n",
|
|
- "__pmDecodeValueSet", i, j, vindex);
|
|
+ fprintf(stderr, "__pmDecodeValueSet: PM_ERR_IPC: pmid[%d] value[%d] vindex=%d (max=%ld)\n",
|
|
+ i, j, vindex, (long)((pduend-(char *)pdubuf) / sizeof(pdubuf[0])-1));
|
|
return PM_ERR_IPC;
|
|
}
|
|
pduvbp = (pmValueBlock *)&pdubuf[vindex];
|
|
@@ -654,7 +788,8 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
"__pmDecodeValueSet", i, j);
|
|
return PM_ERR_IPC;
|
|
}
|
|
- __ntohpmValueBlock(pduvbp);
|
|
+
|
|
+ __ntohpmValueBlock_hdr(pduvbp);
|
|
if (pduvbp->vlen < PM_VAL_HDR_SIZE ||
|
|
pduvbp->vlen > pdulen) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
@@ -663,13 +798,20 @@ __pmDecodeValueSet(__pmPDU *pdubuf, int
|
|
i, j, pduvbp->vlen);
|
|
return PM_ERR_IPC;
|
|
}
|
|
- if (pduvbp->vlen > (size_t)(pduend - (char *)pduvbp)) {
|
|
+ if (pduvbp->vlen > check) {
|
|
if (pmDebugOptions.pdu && pmDebugOptions.desperate)
|
|
fprintf(stderr, "%s: Bad: pmid[%d] value[%d] "
|
|
"pduvp past end of PDU buffer\n",
|
|
"__pmDecodeValueSet", i, j);
|
|
return PM_ERR_IPC;
|
|
}
|
|
+ if (pduvbp->vtype == PM_TYPE_HIGHRES_EVENT ||
|
|
+ pduvbp->vtype == PM_TYPE_EVENT) {
|
|
+ vindex = (pduvbp->vtype == PM_TYPE_HIGHRES_EVENT);
|
|
+ if (__pmEventArrayCheck(pduvbp, vindex, i, j, check) < 0)
|
|
+ return PM_ERR_IPC;
|
|
+ }
|
|
+ __ntohpmValueBlock_buf(pduvbp);
|
|
pduvp->value.pval = pduvbp;
|
|
}
|
|
}
|