diff options
Diffstat (limited to 'meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch')
-rw-r--r-- | meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch new file mode 100644 index 0000000000..972cc8938b --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sebastien <seb@fedora-2.home> | ||
3 | Date: Sat, 15 Oct 2022 14:24:22 +0200 | ||
4 | Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) | ||
5 | |||
6 | allocate_structures function located in sa_common.c insufficiently | ||
7 | checks bounds before arithmetic multiplication allowing for an | ||
8 | overflow in the size allocated for the buffer representing system | ||
9 | activities. | ||
10 | |||
11 | This patch checks that the post-multiplied value is not greater than | ||
12 | UINT_MAX. | ||
13 | |||
14 | Signed-off-by: Sebastien <seb@fedora-2.home> | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540] | ||
17 | CVE : CVE-2022-39377 | ||
18 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
19 | --- | ||
20 | common.c | 25 +++++++++++++++++++++++++ | ||
21 | common.h | 2 ++ | ||
22 | sa_common.c | 6 ++++++ | ||
23 | 3 files changed, 33 insertions(+) | ||
24 | |||
25 | diff --git a/common.c b/common.c | ||
26 | index ddfe75d..28d475e 100644 | ||
27 | --- a/common.c | ||
28 | +++ b/common.c | ||
29 | @@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char | ||
30 | |||
31 | return 0; | ||
32 | } | ||
33 | + | ||
34 | +/* | ||
35 | + *************************************************************************** | ||
36 | + * Check if the multiplication of the 3 values may be greater than UINT_MAX. | ||
37 | + * | ||
38 | + * IN: | ||
39 | + * @val1 First value. | ||
40 | + * @val2 Second value. | ||
41 | + * @val3 Third value. | ||
42 | + *************************************************************************** | ||
43 | + */ | ||
44 | +void check_overflow(size_t val1, size_t val2, size_t val3) | ||
45 | +{ | ||
46 | + if ((unsigned long long) val1 * | ||
47 | + (unsigned long long) val2 * | ||
48 | + (unsigned long long) val3 > UINT_MAX) { | ||
49 | +#ifdef DEBUG | ||
50 | + fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", | ||
51 | + __FUNCTION__, | ||
52 | + (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); | ||
53 | +#endif | ||
54 | + exit(4); | ||
55 | + } | ||
56 | +} | ||
57 | + | ||
58 | #endif /* SOURCE_SADC undefined */ | ||
59 | diff --git a/common.h b/common.h | ||
60 | index 86905ba..75f837a 100644 | ||
61 | --- a/common.h | ||
62 | +++ b/common.h | ||
63 | @@ -249,6 +249,8 @@ int get_wwnid_from_pretty | ||
64 | (char *, unsigned long long *, unsigned int *); | ||
65 | |||
66 | #ifndef SOURCE_SADC | ||
67 | +void check_overflow | ||
68 | + (size_t, size_t, size_t); | ||
69 | int count_bits | ||
70 | (void *, int); | ||
71 | int count_csvalues | ||
72 | diff --git a/sa_common.c b/sa_common.c | ||
73 | index 8a03099..ff90c1f 100644 | ||
74 | --- a/sa_common.c | ||
75 | +++ b/sa_common.c | ||
76 | @@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[]) | ||
77 | int i, j; | ||
78 | |||
79 | for (i = 0; i < NR_ACT; i++) { | ||
80 | + | ||
81 | if (act[i]->nr_ini > 0) { | ||
82 | + | ||
83 | + /* Look for a possible overflow */ | ||
84 | + check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, | ||
85 | + (size_t) act[i]->nr2); | ||
86 | + | ||
87 | for (j = 0; j < 3; j++) { | ||
88 | SREALLOC(act[i]->buf[j], void, | ||
89 | (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); | ||
90 | -- | ||
91 | 2.25.1 | ||
92 | |||