From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: skill: Prevent multiple overflows in ENLIST().
X-Git-Tag: v3.3.15~115
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=858df7cc89174e54a862b02ea660b594b689039a;p=procps-ng

skill: Prevent multiple overflows in ENLIST().

First problem: saved_argc was used to calculate the size of the array,
but saved_argc was never initialized. This triggers an immediate heap-
based buffer overflow:

$ skill -c0 -c0 -c0 -c0
Segmentation fault (core dumped)

Second problem: saved_argc was not the upper bound anyway, because one
argument can ENLIST() several times (for example, in parse_namespaces())
and overflow the array as well.

Third problem: integer overflow of the size of the array.
---

diff --git a/skill.c b/skill.c
index 012f5a11..effd7788 100644
--- a/skill.c
+++ b/skill.c
@@ -68,13 +68,13 @@ static int ns_pid;
 static proc_t ns_task;
 
 #define ENLIST(thing,addme) do{ \
-if(!thing##s) thing##s = xmalloc(sizeof(*thing##s)*saved_argc); \
+if(thing##_count < 0 || (size_t)thing##_count >= INT_MAX / sizeof(*thing##s)) \
+	xerrx(EXIT_FAILURE, _("integer overflow")); \
+thing##s = xrealloc(thing##s, sizeof(*thing##s)*(thing##_count+1)); \
 thing##s[thing##_count++] = addme; \
 }while(0)
 
 static int my_pid;
-static int saved_argc;
-
 static int sig_or_pri;
 
 enum {