From 84e6cdd8c3a08016088b8742e6857eb7b6318fe1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 May 2023 05:20:01 +0000 Subject: [PATCH] import sysstat-12.5.4-5.el9 --- SOURCES/sysstat-12.5.4-CVE-2022-39377.patch | 85 +++++++++++++++ SOURCES/sysstat-12.5.4-bz2080650.patch | 112 ++++++++++++++++++++ SPECS/sysstat.spec | 15 ++- 3 files changed, 210 insertions(+), 2 deletions(-) create mode 100644 SOURCES/sysstat-12.5.4-CVE-2022-39377.patch create mode 100644 SOURCES/sysstat-12.5.4-bz2080650.patch diff --git a/SOURCES/sysstat-12.5.4-CVE-2022-39377.patch b/SOURCES/sysstat-12.5.4-CVE-2022-39377.patch new file mode 100644 index 0000000..7dc96f4 --- /dev/null +++ b/SOURCES/sysstat-12.5.4-CVE-2022-39377.patch @@ -0,0 +1,85 @@ +From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 +From: Sebastien +Date: Sat, 15 Oct 2022 14:24:22 +0200 +Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) + +allocate_structures function located in sa_common.c insufficiently +checks bounds before arithmetic multiplication allowing for an +overflow in the size allocated for the buffer representing system +activities. + +This patch checks that the post-multiplied value is not greater than +UINT_MAX. + +Signed-off-by: Sebastien +--- + common.c | 25 +++++++++++++++++++++++++ + common.h | 2 ++ + sa_common.c | 6 ++++++ + 3 files changed, 33 insertions(+) + +diff --git a/common.c b/common.c +index 81c77624..1a84b052 100644 +--- a/common.c ++++ b/common.c +@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + + return 0; + } ++ ++/* ++ *************************************************************************** ++ * Check if the multiplication of the 3 values may be greater than UINT_MAX. ++ * ++ * IN: ++ * @val1 First value. ++ * @val2 Second value. ++ * @val3 Third value. ++ *************************************************************************** ++ */ ++void check_overflow(size_t val1, size_t val2, size_t val3) ++{ ++ if ((unsigned long long) val1 * ++ (unsigned long long) val2 * ++ (unsigned long long) val3 > UINT_MAX) { ++#ifdef DEBUG ++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", ++ __FUNCTION__, ++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++#endif ++ exit(4); ++ } ++} ++ + #endif /* SOURCE_SADC undefined */ +diff --git a/common.h b/common.h +index 55b6657d..e8ab98ab 100644 +--- a/common.h ++++ b/common.h +@@ -260,6 +260,8 @@ int check_dir + (char *); + + #ifndef SOURCE_SADC ++void check_overflow ++ (size_t, size_t, size_t); + int count_bits + (void *, int); + int count_csvalues +diff --git a/sa_common.c b/sa_common.c +index 3699a840..b2cec4ad 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[]) + int i, j; + + for (i = 0; i < NR_ACT; i++) { ++ + if (act[i]->nr_ini > 0) { ++ ++ /* Look for a possible overflow */ ++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, ++ (size_t) act[i]->nr2); ++ + for (j = 0; j < 3; j++) { + SREALLOC(act[i]->buf[j], void, + (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); diff --git a/SOURCES/sysstat-12.5.4-bz2080650.patch b/SOURCES/sysstat-12.5.4-bz2080650.patch new file mode 100644 index 0000000..40eb8de --- /dev/null +++ b/SOURCES/sysstat-12.5.4-bz2080650.patch @@ -0,0 +1,112 @@ +From 398585bfe7b1340d41143f50dfc868ef8ab9a5e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= +Date: Tue, 21 Feb 2023 12:43:42 +0100 +Subject: [PATCH] Tools that take --dec=X option should only accept digits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Right now the argument of --dec is passed to atoi(3) which returns 0 +on conversion error. Therefore, --dec=A was not rejected and was +equivalent to --dec=0 by mistake. + +Signed-off-by: Lukáš Zaoral +--- + cifsiostat.c | 5 +++++ + iostat.c | 5 +++++ + mpstat.c | 5 +++++ + pidstat.c | 5 +++++ + sar.c | 6 ++++++ + 5 files changed, 26 insertions(+) + +diff --git a/cifsiostat.c b/cifsiostat.c +index 375b1ff..849583b 100644 +--- a/cifsiostat.c ++++ b/cifsiostat.c +@@ -522,6 +522,11 @@ int main(int argc, char **argv) + } + + else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) { ++ /* Check that the argument is a digit */ ++ if (!isdigit(argv[opt][6])) { ++ usage(argv[0]); ++ } ++ + /* Get number of decimal places */ + dplaces_nr = atoi(argv[opt] + 6); + if ((dplaces_nr < 0) || (dplaces_nr > 2)) { +diff --git a/iostat.c b/iostat.c +index 1d7ea3c..7ac56ef 100644 +--- a/iostat.c ++++ b/iostat.c +@@ -2142,6 +2142,11 @@ int main(int argc, char **argv) + #endif + + else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) { ++ /* Check that the argument is a digit */ ++ if (!isdigit(argv[opt][6])) { ++ usage(argv[0]); ++ } ++ + /* Get number of decimal places */ + dplaces_nr = atoi(argv[opt] + 6); + if ((dplaces_nr < 0) || (dplaces_nr > 2)) { +diff --git a/mpstat.c b/mpstat.c +index 90d6226..5045e45 100644 +--- a/mpstat.c ++++ b/mpstat.c +@@ -2221,6 +2221,11 @@ int main(int argc, char **argv) + while (++opt < argc) { + + if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) { ++ /* Check that the argument is a digit */ ++ if (!isdigit(argv[opt][6])) { ++ usage(argv[0]); ++ } ++ + /* Get number of decimal places */ + dplaces_nr = atoi(argv[opt] + 6); + if ((dplaces_nr < 0) || (dplaces_nr > 2)) { +diff --git a/pidstat.c b/pidstat.c +index 21fed6c..d550605 100644 +--- a/pidstat.c ++++ b/pidstat.c +@@ -2633,6 +2633,11 @@ int main(int argc, char **argv) + } + + else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) { ++ /* Check that the argument is a digit */ ++ if (!isdigit(argv[opt][6])) { ++ usage(argv[0]); ++ } ++ + /* Get number of decimal places */ + dplaces_nr = atoi(argv[opt] + 6); + if ((dplaces_nr < 0) || (dplaces_nr > 2)) { +diff --git a/sar.c b/sar.c +index 4f06172..7691793 100644 +--- a/sar.c ++++ b/sar.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "version.h" + #include "sa.h" +@@ -1372,6 +1373,11 @@ int main(int argc, char **argv) + } + + else if (!strncmp(argv[opt], "--dec=", 6) && (strlen(argv[opt]) == 7)) { ++ /* Check that the argument is a digit */ ++ if (!isdigit(argv[opt][6])) { ++ usage(argv[0]); ++ } ++ + /* Get number of decimal places */ + dplaces_nr = atoi(argv[opt] + 6); + if ((dplaces_nr < 0) || (dplaces_nr > 2)) { +-- +2.39.2 + diff --git a/SPECS/sysstat.spec b/SPECS/sysstat.spec index d1c681e..da6b112 100644 --- a/SPECS/sysstat.spec +++ b/SPECS/sysstat.spec @@ -1,7 +1,7 @@ Summary: Collection of performance monitoring tools for Linux Name: sysstat Version: 12.5.4 -Release: 3%{?dist} +Release: 5%{?dist} License: GPLv2+ URL: http://sebastien.godard.pagesperso-orange.fr/ Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz @@ -10,6 +10,11 @@ Source: https://github.com/sysstat/sysstat/archive/v%{version}.tar.gz Source1: colorsysstat.csh Source2: colorsysstat.sh +# arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377) +Patch1: sysstat-12.5.4-CVE-2022-39377.patch +# {cifsio,io,mp,pid}stat --dec and sar --dec report values from single alphabet other than defined (bz2080650) +Patch2: sysstat-12.5.4-bz2080650.patch + BuildRequires: make BuildRequires: gcc, gettext, lm_sensors-devel, pcp-libs-devel, systemd, git @@ -86,7 +91,13 @@ fi %{_localstatedir}/log/sa %changelog -* Mon Feb 21 2021 Michal Sekletar 12.5.4-3 +* Tue Feb 21 2023 Lukáš Zaoral - 12.5.4-5 +- Fix --dec argument validation (rhbz#2080650) + +* Thu Nov 10 2022 Lukáš Zaoral - 12.5.4-4 +- arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377) + +* Mon Feb 21 2022 Michal Sekletar 12.5.4-3 - sysstat's buildsystem doesn't really use LDFLAGS, we have to merge CFLAGS and LDFLAGS to get binaries with full RELRO (#2044893) * Tue Aug 10 2021 Mohan Boddu - 12.5.4-2