| Summary: | Stack smash due to writing out of bounds in cg_get_procname_from_proc_cmdline | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Paulo Andrade <pandrade> | ||||||
| Component: | libcgroup | Assignee: | Nikola Forró <nforro> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Chao Ye <cye> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6.7 | CC: | cye, jcollin, jotodd, jsafrane, ovasik, varekova | ||||||
| Target Milestone: | rc | Keywords: | Patch | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | libcgroup-0.40.rc1-23.el6 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2017-03-21 09:11:48 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
Created attachment 1212848 [details]
Simple python reproducer
Created attachment 1212849 [details]
api.c: fix potential buffer overflow
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0583.html |
The code declares variables as: char path[FILENAME_MAX]; char buf_pname[FILENAME_MAX]; char buf_cwd[FILENAME_MAX]; and on a coredump provided by an user, buf_cwd has a sane value (it has a smaller value, thus not overwritten), but buf_pname is pointing to a very large shell script, having written more than 16k bytes before the crash. The code looks like: while (c != EOF) { c = fgetc(f); if ((c != EOF) && (c != '\0')) { buf_pname[len] = c; len++; continue; } buf_pname[len] = '\0'; from gdb I also see: (gdb) p pname_status $28 = 0x102b3e0 "sh" so, I believe the crash was caused by some variant of a logic like: $ /bin/sh -c "$(cat /some/really/large/script)" where contents of /some/really/large/script will be in /proc/$PID/cmdline. The pseudo patch to prevent the crash would be: - if ((c != EOF) && (c != '\0')) { + if ((c != EOF) && (c != '\0') && len < 4095) { another possible cause would be a corrupted /proc/$PID/cmdline, but the above description looks a lot more likely the crash condition.