fix allocation errors with malformed sa files

- reorder patches to prevent errors during their application Resolves: RHEL-35684
2024-05-07 17:09:47 +02:00 · 2024-05-07 17:09:47 +02:00 · 0d73b18538
commit 0d73b18538
parent 9ccd0aa7ee
3 changed files with 277 additions and 20 deletions
--- a/sysstat-12.5.4-CVE-2023-33204.patch
+++ b/sysstat-12.5.4-CVE-2023-33204.patch
@ -1,23 +1,36 @@
-From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
-From: Pavel Kopylov <pkopylov@cloudlinux.com>
-Date: Wed, 17 May 2023 11:33:45 +0200
-Subject: [PATCH] Fix an overflow which is still possible for some values.
+From commit 6f8dc568e6ab072bb8205b732f04e685bf9237c0
+From: Sebastien GODARD <sysstat@users.noreply.github.com>
+Date: Wed, May 17 21:10:31 2023 +0200
+Subject: Merge branch 'pkopylov-master'
+
+Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
+
 diff --git a/common.c b/common.c
-index 583a0ca..6d73b1b 100644
+index 48493b5f..0efe7ee3 100644
 --- a/common.c
 +++ b/common.c
-@@ -1639,9 +1639,11 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
-  */
- void check_overflow(size_t val1, size_t val2, size_t val3)
+@@ -431,15 +431,17 @@ int check_dir(char *dirname)
+ void check_overflow(unsigned int val1, unsigned int val2,
+ 		    unsigned int val3)
 {
-	if ((unsigned long long) val1 *
-	    (unsigned long long) val2 *
+-	if ((unsigned long long) val1 * (unsigned long long) val2 *
 -	    (unsigned long long) val3 > UINT_MAX) {
-+if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
-+		(((unsigned long long)UINT_MAX / (unsigned long long)val1 <
-+		(unsigned long long)val2) ||
-+		((unsigned long long)UINT_MAX / ((unsigned long long)val1 *
-+		(unsigned long long)val2) < (unsigned long long)val3))) {
+	if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
+	    (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
+	      (unsigned long long) val2) ||
+	     ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
+	      (unsigned long long) val3))) {
 #ifdef DEBUG
- 		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
- 			__FUNCTION__,
+-		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__, (unsigned long long) val1 * (unsigned long long) val2 *
+-			(unsigned long long) val3);
+		fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
+			__FUNCTION__, val1, val2, val3);
+ #endif
+-	exit(4);
+-		}
+		exit(4);
+	}
+ }
+ 
+ #ifndef SOURCE_SADC
--- a/sysstat-12.5.4-RHEL-35684.patch
+++ b/sysstat-12.5.4-RHEL-35684.patch
@ -0,0 +1,235 @@
+From c9a11d35df4aecfcf22aef827bac6cd57def9d4e Mon Sep 17 00:00:00 2001
+From: Sebastien GODARD <sysstat@users.noreply.github.com>
+Date: Sun, 23 Oct 2022 16:22:28 +0200
+Subject: [PATCH] Add more overflow checks
+
+Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
+---
+ common.c    | 45 +++++++++++++++++++++------------------------
+ common.h    |  4 ++--
+ sa_common.c |  9 +++++++--
+ sadc.c      |  6 ++++++
+ 4 files changed, 36 insertions(+), 28 deletions(-)
+
+diff --git a/common.c b/common.c
+index 1a84b052..27249772 100644
+--- a/common.c
+++ b/common.c
+@@ -415,6 +415,27 @@ int check_dir(char *dirname)
+ 	return 0;
+ }
+ 
+/*
+ * **************************************************************************
+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+ *
+ * IN:
+ * @val1	First value.
+ * @val2	Second value.
+ * @val3	Third value.
+ ***************************************************************************
+ */
+void check_overflow(unsigned long long val1, unsigned long long val2,
+		    unsigned long long val3)
+{
+	if (val1 * val2 * val3 > UINT_MAX) {
+#ifdef DEBUG
+		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+			__FUNCTION__, val1 * val2 * val3);
+#endif
+	exit(4);
+		}
+}
+ 
+ #ifndef SOURCE_SADC
+ /*
+@@ -1656,28 +1677,4 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+ 	return 0;
+ }
+ 
+-/*
+- ***************************************************************************
+- * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+- *
+- * IN:
+- * @val1	First value.
+- * @val2	Second value.
+- * @val3	Third value.
+- ***************************************************************************
+- */
+-void check_overflow(size_t val1, size_t val2, size_t val3)
+-{
+-	if ((unsigned long long) val1 *
+-	    (unsigned long long) val2 *
+-	    (unsigned long long) val3 > UINT_MAX) {
+-#ifdef DEBUG
+-		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__,
+-			(unsigned long long) val1 * (unsigned long long) val2 *	(unsigned long long) val3);
+-#endif
+-	exit(4);
+-	}
+-}
+-
+ #endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index e8ab98ab..715b2da2 100644
+--- a/common.h
+++ b/common.h
+@@ -258,10 +258,10 @@ int get_wwnid_from_pretty
+ 	(char *, unsigned long long *, unsigned int *);
+ int check_dir
+ 	(char *);
+void check_overflow
+	(unsigned long long, unsigned long long, unsigned long long);
+ 
+ #ifndef SOURCE_SADC
+-void check_overflow
+-	(size_t, size_t, size_t);
+ int count_bits
+ 	(void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index b2cec4ad..3460257a 100644
+--- a/sa_common.c
+++ b/sa_common.c
+@@ -463,8 +463,9 @@ void allocate_structures(struct activity *act[])
+ 		if (act[i]->nr_ini > 0) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+-				       (size_t) act[i]->nr2);
+			check_overflow((unsigned long long) act[i]->msize,
+				       (unsigned long long) act[i]->nr_ini,
+				       (unsigned long long) act[i]->nr2);
+ 
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+@@ -529,6 +530,10 @@ void reallocate_all_buffers(struct activity *a, __nr_t nr_min)
+ 		while (nr_realloc < nr_min);
+ 	}
+ 
+	/* Look for a possible overflow */
+	check_overflow((unsigned long long) a->msize, nr_realloc,
+		       (unsigned long long) a->nr2);
+
+ 	for (j = 0; j < 3; j++) {
+ 		SREALLOC(a->buf[j], void,
+ 			(size_t) a->msize * nr_realloc * (size_t) a->nr2);
+diff --git a/sadc.c b/sadc.c
+index 3458d089..123bf8e0 100644
+--- a/sadc.c
+++ b/sadc.c
+@@ -360,6 +360,12 @@ void sa_sys_init(void)
+ 		}
+ 
+ 		if (IS_COLLECTED(act[i]->options) && (act[i]->nr_ini > 0)) {
+
+			/* Look for a possible overflow */
+			check_overflow((unsigned long long) act[i]->msize,
+				       (unsigned long long) act[i]->nr_ini,
+				       (unsigned long long) act[i]->nr2);
+
+ 			/* Allocate structures for current activity (using nr_ini and nr2 results) */
+ 			SREALLOC(act[i]->_buf0, void,
+ 				 (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+
+From 44f1dc159242c1e434a3b836cda49f084c5a96cc Mon Sep 17 00:00:00 2001
+From: Sebastien GODARD <sysstat@users.noreply.github.com>
+Date: Sun, 6 Nov 2022 15:48:16 +0100
+Subject: [PATCH] Make sure values to be compared are unsigned integers
+
+It seems safer to make sure that input values are unsigned int before
+casting them to unsigned long long and making the comparison.
+
+Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
+---
+ common.c    | 10 ++++++----
+ common.h    |  2 +-
+ sa_common.c | 10 +++++-----
+ sadc.c      |  6 +++---
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/common.c b/common.c
+index 27249772..3b7fdcd5 100644
+--- a/common.c
+++ b/common.c
+@@ -425,13 +425,15 @@ int check_dir(char *dirname)
+  * @val3	Third value.
+  ***************************************************************************
+  */
+-void check_overflow(unsigned long long val1, unsigned long long val2,
+-		    unsigned long long val3)
+void check_overflow(unsigned int val1, unsigned int val2,
+		    unsigned int val3)
+ {
+-	if (val1 * val2 * val3 > UINT_MAX) {
+	if ((unsigned long long) val1 * (unsigned long long) val2 *
+	    (unsigned long long) val3 > UINT_MAX) {
+ #ifdef DEBUG
+ 		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__, val1 * val2 * val3);
+			__FUNCTION__, (unsigned long long) val1 * (unsigned long long) val2 *
+			(unsigned long long) val3);
+ #endif
+ 	exit(4);
+ 		}
+diff --git a/common.h b/common.h
+index 715b2da2..fc8a1a0d 100644
+--- a/common.h
+++ b/common.h
+@@ -259,7 +259,7 @@ int get_wwnid_from_pretty
+ int check_dir
+ 	(char *);
+ void check_overflow
+-	(unsigned long long, unsigned long long, unsigned long long);
+	(unsigned int, unsigned int, unsigned int);
+ 
+ #ifndef SOURCE_SADC
+ int count_bits
+diff --git a/sa_common.c b/sa_common.c
+index 3460257a..0ca8b039 100644
+--- a/sa_common.c
+++ b/sa_common.c
+@@ -463,9 +463,9 @@ void allocate_structures(struct activity *act[])
+ 		if (act[i]->nr_ini > 0) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((unsigned long long) act[i]->msize,
+-				       (unsigned long long) act[i]->nr_ini,
+-				       (unsigned long long) act[i]->nr2);
+			check_overflow((unsigned int) act[i]->msize,
+				       (unsigned int) act[i]->nr_ini,
+				       (unsigned int) act[i]->nr2);
+ 
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+@@ -531,8 +531,8 @@ void reallocate_all_buffers(struct activity *a, __nr_t nr_min)
+ 	}
+ 
+ 	/* Look for a possible overflow */
+-	check_overflow((unsigned long long) a->msize, nr_realloc,
+-		       (unsigned long long) a->nr2);
+	check_overflow((unsigned int) a->msize, (unsigned int) nr_realloc,
+		       (unsigned int) a->nr2);
+ 
+ 	for (j = 0; j < 3; j++) {
+ 		SREALLOC(a->buf[j], void,
+diff --git a/sadc.c b/sadc.c
+index 123bf8e0..40a1e15b 100644
+--- a/sadc.c
+++ b/sadc.c
+@@ -362,9 +362,9 @@ void sa_sys_init(void)
+ 		if (IS_COLLECTED(act[i]->options) && (act[i]->nr_ini > 0)) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((unsigned long long) act[i]->msize,
+-				       (unsigned long long) act[i]->nr_ini,
+-				       (unsigned long long) act[i]->nr2);
+			check_overflow((unsigned int) act[i]->msize,
+				       (unsigned int) act[i]->nr_ini,
+				       (unsigned int) act[i]->nr2);
+ 
+ 			/* Allocate structures for current activity (using nr_ini and nr2 results) */
+ 			SREALLOC(act[i]->_buf0, void,
+
--- a/sysstat.spec
+++ b/sysstat.spec
@ -1,7 +1,7 @@
 Summary: Collection of performance monitoring tools for Linux
 Name: sysstat
 Version: 12.5.4
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 URL: http://sebastien.godard.pagesperso-orange.fr/
 Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz
@ -14,10 +14,15 @@ Source2: colorsysstat.sh
 Patch1:  sysstat-12.5.4-CVE-2022-39377.patch
 # {cifsio,io,mp,pid}stat --dec and sar --dec report values from single alphabet other than defined (bz2080650)
 Patch2:  sysstat-12.5.4-bz2080650.patch
+# fix allocation errors with malformed sa files (RHEL-35684)
+# https://github.com/sysstat/sysstat/commit/c9a11d35df4aecfcf22aef827bac6cd57def9d4e
+# https://github.com/sysstat/sysstat/commit/44f1dc159242c1e434a3b836cda49f084c5a96cc
+Patch3:  sysstat-12.5.4-RHEL-35684.patch
 # check_overflow() function can work incorrectly that lead to an overflow (CVE-2023-33204)
-Patch3:  sysstat-12.5.4-CVE-2023-33204.patch
+# https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+Patch4:  sysstat-12.5.4-CVE-2023-33204.patch
 # add description of UMASK to man/systat.in (bz2216805)
-Patch4:  sysstat-12.5.4-bz2216805.patch
+Patch5:  sysstat-12.5.4-bz2216805.patch

 BuildRequires: make
 BuildRequires: gcc, gettext, lm_sensors-devel, pcp-libs-devel, systemd, git
@ -95,6 +100,10 @@ fi
 %{_localstatedir}/log/sa

 %changelog
+* Tue May 07 2024 Lukáš Zaoral <lzaoral@redhat.com> - 12.5.4-8
+- fix allocation errors with malformed sa files (RHEL-35684)
+- reorder patches to prevent errors during their application
+
 * Thu Jul 27 2023 Lukáš Zaoral <lzaoral@redhat.com> - 12.5.4-7
 - add description of UMASK to man/systat.in (rhbz#2216805)