CVE-2023-4016: ps: possible buffer overflow

Resolves: rhbz#2228503
This commit is contained in:
Jan Rybar 2023-08-15 11:21:58 +02:00
parent 7a1d1e4fa1
commit 17a3c7437e
2 changed files with 66 additions and 1 deletions

View File

@ -0,0 +1,60 @@
diff --git a/ps/parser.c b/ps/parser.c
index 4263a1f..b33f319 100644
--- a/ps/parser.c
+++ b/ps/parser.c
@@ -31,7 +31,7 @@
#include <sys/stat.h>
#include <sys/types.h>
-#include "../proc/alloc.h"
+#include "xalloc.h"
#include "common.h"
#include "c.h"
@@ -184,8 +184,8 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
const char *err; /* error code that could or did happen */
/*** prepare to operate ***/
node = malloc(sizeof(selection_node));
- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
node->n = 0;
+ node->u = NULL;
buf = strdup(arg);
/*** sanity check and count items ***/
need_item = 1; /* true */
@@ -199,12 +199,13 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
need_item=1;
break;
default:
- if(need_item) items++;
+ if(need_item && items<INT_MAX) items++;
need_item=0;
}
} while (*++walk);
if(need_item) goto parse_error;
node->n = items;
+ node->u = xcalloc(items, sizeof(sel_union));
/*** actually parse the list ***/
walk = buf;
while(items--){
@@ -1031,15 +1032,15 @@ static const char *parse_trailing_pids(void){
thisarg = ps_argc - 1; /* we must be at the end now */
pidnode = malloc(sizeof(selection_node));
- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+ pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
pidnode->n = 0;
grpnode = malloc(sizeof(selection_node));
- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+ grpnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
grpnode->n = 0;
sidnode = malloc(sizeof(selection_node));
- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+ sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
sidnode->n = 0;
while(i--){
--
2.40.1

View File

@ -4,7 +4,7 @@
Summary: System and process monitoring utilities
Name: procps-ng
Version: 3.3.15
Release: 13%{?dist}
Release: 14%{?dist}
License: GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+
Group: Applications/System
URL: https://sourceforge.net/projects/procps-ng/
@ -28,6 +28,7 @@ Patch9: procps-ng-3.3.15-pgrep-uid-gid-overflow.patch
Patch10: procps-ng-3.3.15-display-sig-unsafe.patch
Patch11: procps-ng-3.3.15-ps-select.patch
Patch12: procps-ng-3.3.15-ps-out-of-bonds-read.patch
Patch13: procps-ng-3.3.15-cve-2023-4016.patch
BuildRequires: ncurses-devel
BuildRequires: libtool
@ -170,6 +171,10 @@ ln -s %{_bindir}/pidof %{buildroot}%{_sbindir}/pidof
%files i18n -f %{name}.lang
%changelog
* Tue Aug 15 2023 Jan Rybar <jrybar@redhat.com> - 3.3.15-14
- CVE-2023-4016: ps: possible buffer overflow
- Resolves: rhbz#2228503
* Tue Jan 17 2023 Jan Rybar <jrybar@redhat.com> - 3.3.15-13
- version bump requested to create -devel subpkg for CRB inclusion
- Resolves: rhbz#2164781