The memset() in the PROC_LOOSE_TASKS loop leaves a struct proc_t
uninitialized (the one at data+n_used), which leads to a use-after-free.
ps calls readproctab2(), but only if !TF_loose_tasks, and this U-A-F is
triggered only if PROC_LOOSE_TASKS, so there seems to be no vulnerable
call in the procps package itself (other users of the libprocps may be
vulnerable, though).
data = xrealloc(data,sizeof(proc_t)*n_alloc);
// have to move tmp too
tmp = data+(tmp-old);
- memset(data+n_used+1, 0, sizeof(proc_t)*(n_alloc-(n_used+1)));
+ memset(data+n_used, 0, sizeof(proc_t)*(n_alloc-n_used));
}
if(n_task_alloc == n_task){
//proc_t **old = ttab;
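Review bot: the off-by-one in the removed memset() is the whole bug and the replacement fixes it correctly: after `data = xrealloc(...)`, slots `0..n_used-1` are live and `n_used..n_alloc-1` are free, but `memset(data+n_used+1, 0, sizeof(proc_t)*(n_alloc-(n_used+1)))` skips slot `n_used`, which is exactly the slot the loop is about to fill, so it carries whatever bytes realloc left there (including stale pointers from the old buffer, hence the use-after-free described above). `memset(data+n_used, 0, sizeof(proc_t)*(n_alloc-n_used))` zeroes every free slot. Two follow-ups worth adding here: a one-line comment stating the invariant "zero every slot from n_used up to n_alloc" so the boundary is not re-broken later, and, since `n_alloc-n_used` is computed right after the grow, an assertion or check that `n_used < n_alloc` holds at this point so the size expression can never wrap. The `tmp = data+(tmp-old)` relocation just above is unchanged by this hunk, but it is the reason the stale slot matters: `tmp` may point into the not-yet-cleared region, so the zeroing must cover it.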