diff options
author | Ross Burton <ross.burton@arm.com> | 2023-08-21 14:32:19 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-08-22 15:13:51 +0100 |
commit | eae2a94f5de78b95590ec45e11e930655dbd5caf (patch) | |
tree | bfc242bbc28df3dd8b69e0378ba39ed46d5f89cb | |
parent | 20a8f5d928c0b3022609678d7c21b06912df058f (diff) | |
download | openembedded-core-eae2a94f5de78b95590ec45e11e930655dbd5caf.tar.gz |
procps: backport fix for CVE-2023-4016
(From OE-Core rev: 255515e1b52fea6d72d37fae61667db08eb5b086)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/procps/procps/CVE-2023-4016.patch | 73 | ||||
-rw-r--r-- | meta/recipes-extended/procps/procps_4.0.3.bb | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch new file mode 100644 index 0000000000..202fea91f1 --- /dev/null +++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch @@ -0,0 +1,73 @@ +From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 +From: Craig Small <csmall@dropbear.xyz> +Date: Thu, 10 Aug 2023 21:18:38 +1000 +Subject: [PATCH] ps: Fix possible buffer overflow in -C option + +ps allocates memory using malloc(length of arg * len of struct). +In certain strange circumstances, the arg length could be very large +and the multiplecation will overflow, allocating a small amount of +memory. + +Subsequent strncpy() will then write into unallocated memory. +The fix is to use calloc. It's slower but this is a one-time +allocation. Other malloc(x * y) calls have also been replaced +by calloc(x, y) + +References: + https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 + https://nvd.nist.gov/vuln/detail/CVE-2023-4016 + https://gitlab.com/procps-ng/procps/-/issues/297 + https://bugs.debian.org/1042887 + +Signed-off-by: Craig Small <csmall@dropbear.xyz> + +CVE: CVE-2023-4016 +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + NEWS | 1 + + src/ps/parser.c | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/ps/parser.c b/src/ps/parser.c +index 248aa741..15873dfa 100644 +--- a/src/ps/parser.c ++++ b/src/ps/parser.c +@@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + const char *err; /* error code that could or did happen */ + /*** prepare to operate ***/ + node = xmalloc(sizeof(selection_node)); +- node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ + node->n = 0; + buf = strdup(arg); + /*** sanity check and count items ***/ +@@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + } while (*++walk); + if(need_item) goto parse_error; + node->n = items; ++ node->u = xcalloc(items, sizeof(sel_union)); + /*** actually parse the list ***/ + walk = buf; + while(items--){ +@@ -1050,15 +1050,15 @@ static const char *parse_trailing_pids(void){ + thisarg = ps_argc - 1; /* we must be at the end now */ + + pidnode = xmalloc(sizeof(selection_node)); +- pidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ + pidnode->n = 0; + + grpnode = xmalloc(sizeof(selection_node)); +- grpnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ grpnode->u = xcalloc(i,sizeof(sel_union)); /* waste is insignificant */ + grpnode->n = 0; + + sidnode = xmalloc(sizeof(selection_node)); +- sidnode->u = xmalloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */ + sidnode->n = 0; + + while(i--){ +-- +GitLab + diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb index 71efb80207..9ef679c6bd 100644 --- a/meta/recipes-extended/procps/procps_4.0.3.bb +++ b/meta/recipes-extended/procps/procps_4.0.3.bb @@ -16,6 +16,7 @@ SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://sysctl.conf \ file://0001-src-w.c-use-utmp.h-only.patch \ file://0001-po-fr.po-address-failures-with-gettext-0.22.patch \ + file://CVE-2023-4016.patch \ " SRCREV = "806eb270f217ff7e1e745c7bda2b002b5be74be4" |