proc/readproc.c: Harden status2proc().

1/ Do not read past the terminating null byte when hashing the name.

2/ S[x] is used as an index, but S is "char *S" (signed) and hence may
index the array out-of-bounds. Bit-mask S[x] with 127 (the array has 128
entries).

3/ Use a size_t for j, not an int (strlen() returns a size_t).

Notes:

- These are (mostly) theoretical problems, because the contents of
  /proc/PID/status are (mostly) trusted.

- The "name" member of the status_table_struct has 8 bytes, and
  "RssShmem" occupies exactly 8 bytes, which means that "name" is not
  null-terminated. This is fine right now, because status2proc() uses
  memcmp(), not strcmp(), but it is worth mentioning.
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 27e45cf43b
commit 6fb2bbaa0d

View File

@ -37,6 +37,7 @@
#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <limits.h>
#ifdef WITH_SYSTEMD
#include <systemd/sd-login.h>
#endif
@ -252,8 +253,8 @@ ENTER(0x220);
// examine a field name (hash and compare)
base:
if(unlikely(!*S)) break;
entry = table[(GPERF_TABLE_SIZE -1) & (asso[(int)S[3]] + asso[(int)S[2]] + asso[(int)S[0]])];
if(unlikely(!S[0] || !S[1] || !S[2] || !S[3])) break;
entry = table[(GPERF_TABLE_SIZE -1) & (asso[S[3]&127] + asso[S[2]&127] + asso[S[0]&127])];
colon = strchr(S, ':');
if(unlikely(!colon)) break;
if(unlikely(colon[1]!='\t')) break;
@ -386,9 +387,9 @@ ENTER(0x220);
continue;
case_Groups:
{ char *nl = strchr(S, '\n');
int j = nl ? (nl - S) : strlen(S);
size_t j = nl ? (size_t)(nl - S) : strlen(S);
if (j) {
if (j > 0 && j < INT_MAX) {
P->supgid = xmalloc(j+1); // +1 in case space disappears
memcpy(P->supgid, S, j);
if (unlikely(' ' != P->supgid[--j])) ++j;