From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: pgrep: Initialize the cmd*[] stack buffers.
X-Git-Tag: v3.3.15~136
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=35f58d8a3e090ea02068effdfed41ec12d1d917e;p=procps-ng

pgrep: Initialize the cmd*[] stack buffers.

Otherwise (for example), if the (undocumented) opt_echo is set, but not
opt_long, and not opt_longlong, and not opt_pattern, there is a call to
xstrdup(cmdoutput) but cmdoutput was never initialized:

sleep 60 &
echo "$!" > pidfile
env -i LD_DEBUG=`perl -e 'print "A" x 131000'` pkill -e -c -F pidfile | xxd
...
000001c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000001d0: 4141 4141 4141 4141 fcd4 e6bd e47f 206b  AAAAAAAA...... k
000001e0: 696c 6c65 6420 2870 6964 2031 3230 3931  illed (pid 12091
000001f0: 290a 310a                                ).1.
[1]+  Terminated              sleep 60

(the LD_DEBUG is just a trick to fill the initial stack with non-null
bytes, to show that there is uninitialized data from the stack in the
output; here, an address "fcd4 e6bd e47f")
---

diff --git a/pgrep.c b/pgrep.c
index e37678b2..4199ac44 100644
--- a/pgrep.c
+++ b/pgrep.c
@@ -497,9 +497,9 @@ static struct el * select_procs (int *num)
     regex_t *preg;
     pid_t myself = getpid();
     struct el *list = NULL;
-    char cmdline[CMDSTRSIZE];
-    char cmdsearch[CMDSTRSIZE];
-    char cmdoutput[CMDSTRSIZE];
+    char cmdline[CMDSTRSIZE] = "";
+    char cmdsearch[CMDSTRSIZE] = "";
+    char cmdoutput[CMDSTRSIZE] = "";
     proc_t ns_task;
 
     ptp = do_openproc();
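Review bot: The `= ""` initializers in the hunk are sufficient but the reason deserves a comment in the code or the commit message: in C an array initialized from a shorter string literal has all remaining elements zero-filled, so every byte of the three CMDSTRSIZE buffers is now NUL, and the `xstrdup(cmdoutput)` on the opt_echo path copies an empty string instead of stack residue (the leaked address shown in the xxd output). The fix treats the symptom rather than the cause, though: cmdoutput is still consumed on a path that never writes it. Consider also guarding that call, e.g. only calling `xstrdup(cmdoutput)` when opt_long, opt_longlong or opt_pattern has actually filled the buffer and otherwise emitting an explicit empty string, so a future change to the initializers cannot reintroduce the leak. Zero-filling cmdline and cmdsearch is harmless defence in depth, but the message should say only cmdoutput was demonstrably read before being written.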