Bug 1575852 (CVE-2018-1125)
Summary: | CVE-2018-1125 procps-ng, procps: stack buffer overflow in pgrep | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Doran Moppert <dmoppert>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED WONTFIX | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | albert, dmoppert, jaromir.capik, jrybar, kdudka, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | procps-ng 3.3.15 | Doc Type: | If docs needed, set a value
Doc Text: | If a process inspected by pgrep has an argument longer than INT_MAX bytes, "int bytes" could wrap around back to a large positive int (rather than approaching zero), leading to a stack buffer overflow via strncat(). | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-06-10 10:21:32 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1577027, 1577028, 1579635, 1579636 | |
Bug Blocks: | 1575455 | |
Description
Doran Moppert
2018-05-08 05:57:17 UTC
The bug description appears to be incorrect. This is not about an argument being given to pgrep. This is about an argument given to a process that is under examination by pgrep. Due to the use of an int in the allocator, the string length can never be large enough to cause the integer to wrap back to being positive. Supporting strings in excess of a couple megabytes is undesirable because this would put pgrep at risk of running out of memory, possibly via the OOM killer.

> This is not about an argument being given to pgrep. This is about an argument given to a process that is under examination by pgrep.

Thanks, this is correct. Again, this should probably ultimately be addressed in the kernel, but hardening procps in the meantime might be desirable. On the other hand, it seems that FORTIFY effectively mitigates, and per commentary in the patch:

> Fortunately, every distribution that we checked compiles its procps utilities with FORTIFY, and the fortified strncat() detects and aborts the buffer overflow before it occurs.

Acknowledgments:

Name: Qualys Research Labs

Public via: http://seclists.org/oss-sec/2018/q2/122

External References:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Created procps-ng tracking bugs for this issue:

Affects: fedora-all [bug 1579635]

Mitigation:

The procps suite on Red Hat Enterprise Linux is built with FORTIFY, which limits the impact of this stack overflow (and others like it) to a crash.
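The Doc Text above describes the defect as an `int` remaining-space counter that is decremented by each argument's length and then handed to `strncat()`. The following is an added illustration written for this page; it is not procps code and not the Qualys patch. It reproduces only the arithmetic of that counter (the function names `unsafe_remaining`, `append_arg` and `build_cmdline`, the 4095-byte starting value and the constructed argument lengths are all assumptions) and places it beside a `size_t`-based version that checks the fit before copying, which is the shape of hardening the discussion refers to. No multi-gigabyte string is allocated; only lengths are fed in.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the counter described in the Doc Text (constructed, not
 * procps code). strlen() returns size_t, so the int counter is converted to
 * size_t for the subtraction and the result is converted back to int. Once
 * the argument length exceeds INT_MAX the result no longer fits in int and
 * that conversion is implementation-defined; GCC and Clang reduce it modulo
 * 2^32, so the counter can come back as a large positive number instead of
 * reaching zero or below, and a strncat() limit built from it is bogus. */
static int unsafe_remaining(int bytes, size_t arglen)
{
    bytes -= arglen + 1;            /* int -= size_t: counter can wrap */
    return bytes;
}

/* Hardened accounting: track consumed space as size_t and check that the
 * argument fits before anything is copied, so no concatenation ever runs
 * with a limit derived from wrapped arithmetic. Returns 1 and appends the
 * argument (space-separated) on success; returns 0 and leaves buf untouched
 * when it would not fit. */
static int append_arg(char *buf, size_t bufsize, size_t *used, const char *arg)
{
    size_t arglen = strlen(arg);
    size_t sep = (*used > 0) ? 1 : 0;      /* separating space, if any */
    size_t room = bufsize - 1 - *used;     /* bytes left before the NUL */

    if (room < sep || arglen > room - sep) /* subtraction cannot underflow here */
        return 0;
    if (sep)
        buf[(*used)++] = ' ';
    memcpy(buf + *used, arg, arglen);
    *used += arglen;
    buf[*used] = '\0';
    return 1;
}

/* Build a space-separated command line from a NULL-terminated argv into buf.
 * Returns the number of arguments appended; fewer than the argv length means
 * the caller must treat the command line as truncated rather than complete. */
static size_t build_cmdline(char *buf, size_t bufsize, const char *const *argv)
{
    size_t used = 0, n = 0;
    buf[0] = '\0';
    for (; argv[n] != NULL; n++)
        if (!append_arg(buf, bufsize, &used, argv[n]))
            break;
    return n;
}

int main(void)
{
    /* Constructed lengths: a short argument, then one of 3 000 000 000 bytes,
     * well past INT_MAX (2 147 483 647). Only the length is used. */
    printf("10-byte arg: remaining = %d\n", unsafe_remaining(4095, 10));
    printf("3 GB arg:    remaining = %d (positive, so the limit is bogus)\n",
           unsafe_remaining(4095, 3000000000ULL));

    /* Constructed argv against a deliberately small buffer: the hardened
     * builder stops at the argument that does not fit. */
    char buf[16];
    const char *argv[] = { "sleep", "3600", "extra-argument-too-long", NULL };
    size_t n = build_cmdline(buf, sizeof buf, argv);
    printf("appended %zu of 3 args: \"%s\"\n", n, buf);
    return 0;
}
```

The `size_t` version never produces a misleading limit because the only subtraction it performs (`room - sep`) is guarded by `room < sep` first, and the decision to copy is made on the argument's real length rather than on a counter that has been through a narrowing conversion. This is also the point where FORTIFY helps the original code: the fortified `strncat()` compares the requested copy against the known size of the stack buffer and aborts, which is why the mitigation above reduces the outcome to a crash.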