procps-ng provides wrappers for the standard C allocators that take `unsigned int` instead of `size_t` parameters. On platforms where these types differ in width (such as x86_64), this can cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed. This flaw is related to CVE-2018-1124. As stated in the patch provided by Qualys:

> this .. is one of the reasons the integer overflows in file2strvec() are exploitable at all.
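The following is an added illustration of the parameter-width mismatch described above; it is not procps-ng's code or the Qualys patch. The wrapper names (narrow_xmalloc, wide_xmalloc, bounded_xmalloc), the helper functions and the 2 MiB cap are hypothetical and exist only to make the truncation observable without allocating gigabytes.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical wrappers modelled on the bug described above; not
 * procps-ng's own functions.
 */

/* Vulnerable shape: unsigned int parameter. On LP64 targets such as
 * x86_64 a size_t argument is silently narrowed to 32 bits at the call
 * site, so the caller can get back far less memory than it asked for. */
static void *narrow_xmalloc(unsigned int size)
{
    void *p = malloc(size);
    if (p == NULL && size != 0) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Fixed shape: the parameter type matches malloc's, so nothing is lost. */
static void *wide_xmalloc(size_t size)
{
    void *p = malloc(size);
    if (p == NULL && size != 0) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Bytes malloc actually receives when `requested` passes through an
 * unsigned int parameter. Pure arithmetic: safe to evaluate for huge
 * sizes without allocating anything. */
size_t bytes_after_narrowing(size_t requested)
{
    unsigned int narrowed = (unsigned int)requested; /* the implicit conversion */
    return (size_t)narrowed;
}

/* 1 if the caller would receive a buffer smaller than `requested`, i.e. a
 * subsequent copy of `requested` bytes into it would overflow the heap. */
int request_is_truncated(size_t requested)
{
    return bytes_after_narrowing(requested) < requested;
}

/* Hardened allocation: matching width plus an explicit upper bound (the
 * kind of size limit argued for in the comments that follow). Returns NULL
 * instead of allocating when `size` exceeds `limit`. */
void *bounded_xmalloc(size_t size, size_t limit)
{
    if (size > limit)
        return NULL;
    return wide_xmalloc(size);
}

int main(void)
{
    /* A request 64 bytes past the 32-bit boundary: on x86_64 the narrow
     * wrapper hands back a 64-byte region for a ~4 GiB request. */
    size_t requested = (size_t)UINT_MAX + 65;

    printf("sizeof(unsigned int)=%zu sizeof(size_t)=%zu\n",
           sizeof(unsigned int), sizeof(size_t));
    printf("requested=%zu after narrowing=%zu truncated=%d\n",
           requested, bytes_after_narrowing(requested),
           request_is_truncated(requested));

    /* Small requests behave identically through either wrapper. */
    char *a = narrow_xmalloc(32);
    char *b = wide_xmalloc(32);
    memset(a, 'A', 32);
    memset(b, 'B', 32);
    free(a);
    free(b);

    /* The bounded wrapper refuses the oversized request outright. */
    void *c = bounded_xmalloc(requested, (size_t)2 << 20); /* 2 MiB cap */
    printf("bounded_xmalloc(%zu) -> %s\n", requested,
           c ? "allocated" : "NULL");
    free(c);
    return 0;
}
```

Compile with `-Wconversion` to see the narrowing at the call site flagged as a warning; that is the cheapest check for this class of bug in any code base that wraps the allocators.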
This really needs a size limit in the kernel. It is not possible to pass more than 2 MiB of arguments to a process. (see "getconf ARG_MAX") If that limit were enforced by the /proc filesystem, then an "unsigned int" would be fine here. Supporting more than INT_MAX is incorrect, since that introduces a denial of service. The procps tools are commonly run on systems that are low on memory, and this is an important use case. The size of cmdline needs to be limited. The denial of service is somewhat mitigated by the fact that the default output for procps tools does not include command line arguments, and thus the files are not parsed by default.
> This really needs a size limit in the kernel.

I agree, ultimately the kernel is the best place to address it. ARG_MAX is derived from RLIMIT_STACK and thus can be increased, but actual arguments passed to exec*() face a hard limit in MAX_ARG_STRLEN, which is only 128 KiB on x86_64. Having the kernel apply the same limits to data coming out of /proc makes sense. But that is going to take time. Meanwhile I think addressing this in procps by aligning the allocator arguments with their underlying libc calls seems like a good mitigation.
Acknowledgments: Name: Qualys Research Labs
Public via: http://seclists.org/oss-sec/2018/q2/122
External References: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Created procps-ng tracking bugs for this issue: Affects: fedora-all [bug 1579638]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1700 https://access.redhat.com/errata/RHSA-2018:1700
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1777 https://access.redhat.com/errata/RHSA-2018:1777
This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1820 https://access.redhat.com/errata/RHSA-2018:1820
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2018:2267 https://access.redhat.com/errata/RHSA-2018:2267
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Red Hat Enterprise Linux 6.6 Telco Extended Update Support Via RHSA-2018:2268 https://access.redhat.com/errata/RHSA-2018:2268
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1944 https://access.redhat.com/errata/RHSA-2019:1944