Bug 1575474 (CVE-2018-1123)
Field | Value
---|---
Summary | CVE-2018-1123 procps-ng, procps: denial of service in ps via mmap buffer overflow
Product | [Other] Security Response
Reporter | Doran Moppert <dmoppert>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED WONTFIX
QA Contact | 
Severity | low
Docs Contact | 
Priority | low
Version | unspecified
CC | albert, dmoppert, jaromir.capik, jrybar, kdudka, security-response-team
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | procps-ng 3.3.15
Doc Type | If docs needed, set a value
Doc Text | Due to incorrect accounting when decoding and escaping Unicode data in procfs, ps is vulnerable to overflowing an mmap()ed region when formatting the process list for display. Since ps maps a guard page at the end of the buffer, impact is limited to a crash.
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2019-06-10 10:21:24 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 1577029, 1577030, 1579634
Bug Blocks | 1575455
Attachments | 
Description

Doran Moppert, 2018-05-07 04:16:24 UTC

Created attachment 1433615: Proposed patch

Fixing this is best done by:

1. adjusting the calculation of OUTBUF_SIZE as needed for Unicode
2. limiting the amount of data that is read from `/proc/*/*` files

The proposed OUTBUF_SIZE_AT may solve the crash, but it adds slowness and does nothing to solve the denial-of-service that can hit when ps (or top) is required to hold all of that data in memory. For example, consider a large number of processes with long command lines. This can be created on a relatively small system via the use of the clone() system call. Due to memory sharing there could be terabytes, or even petabytes, of command line data in /proc despite the system having a relatively modest amount of RAM. When ps is asked to show the command line and sort the output, all of this must be collected.

Acknowledgments:

Name: Qualys Research Labs
Public via: http://seclists.org/oss-sec/2018/q2/122

External References:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
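An added illustration of the accounting problem the Doc Text describes; this is not procps code and not the CVE-2018-1123 patch. It models a bounded escape routine in which each non-printable byte expands to a four-byte octal escape, so the output buffer must be sized from the worst-case escaped length rather than the input length, and the writer truncates instead of running past the buffer. The escape format and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape src into dst (capacity dstlen, always NUL-terminated).
 * Printable ASCII is copied as-is; any other byte becomes "\ooo",
 * i.e. one input byte can produce four output bytes. That expansion
 * is exactly what a buffer sized from the input length fails to
 * account for. Returns bytes written, excluding the terminator, and
 * stops early (truncates) rather than writing past dst. */
size_t escape_bounded(const unsigned char *src, size_t srclen,
                      char *dst, size_t dstlen)
{
    size_t out = 0;
    if (dstlen == 0)
        return 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = src[i];
        size_t need = (c >= 0x20 && c < 0x7f) ? 1 : 4;
        if (out + need >= dstlen)       /* keep room for the NUL */
            break;
        if (need == 1) {
            dst[out++] = (char)c;
        } else {
            dst[out++] = '\\';
            dst[out++] = (char)('0' + ((c >> 6) & 7));
            dst[out++] = (char)('0' + ((c >> 3) & 7));
            dst[out++] = (char)('0' + (c & 7));
        }
    }
    dst[out] = '\0';
    return out;
}

/* Worst-case capacity for srclen input bytes: every byte may expand
 * fourfold, plus the terminator. Allocating srclen + 1 instead would
 * under-size the buffer by up to 4x for non-ASCII input. */
size_t escaped_capacity(size_t srclen)
{
    return srclen * 4 + 1;
}

int main(void)
{
    /* Constructed sample: two printable bytes, two that need escaping. */
    const unsigned char in[] = { 'a', 0x01, 'b', 0xff };
    char buf[32];
    size_t n = escape_bounded(in, sizeof in, buf, sizeof buf);
    printf("%zu bytes: %s (capacity needed: %zu)\n",
           n, buf, escaped_capacity(sizeof in));
    return 0;
}
```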