From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
From: Sebastien <seb@fedora-2.home>
Date: Sat, 15 Oct 2022 14:24:22 +0200
Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)

allocate_structures function located in sa_common.c insufficiently
checks bounds before arithmetic multiplication allowing for an
overflow in the size allocated for the buffer representing system
activities.

This patch checks that the post-multiplied value is not greater than
UINT_MAX.

Signed-off-by: Sebastien <seb@fedora-2.home>

Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
CVE : CVE-2022-39377
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 common.c    | 25 +++++++++++++++++++++++++
 common.h    |  2 ++
 sa_common.c |  6 ++++++
 3 files changed, 33 insertions(+)

diff --git a/common.c b/common.c
index ddfe75d..28d475e 100644
--- a/common.c
+++ b/common.c
@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
 
 	return 0;
 }
+
+/*
+ ***************************************************************************
+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+ *
+ * IN:
+ * @val1	First value.
+ * @val2	Second value.
+ * @val3	Third value.
+ ***************************************************************************
+ */
+void check_overflow(size_t val1, size_t val2, size_t val3)
+{
+	if ((unsigned long long) val1 *
+	    (unsigned long long) val2 *
+	    (unsigned long long) val3 > UINT_MAX) {
+#ifdef DEBUG
+		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+			__FUNCTION__,
+			(unsigned long long) val1 * (unsigned long long) val2 *	(unsigned long long) val3);
+#endif
+	exit(4);
+	}
+}
+
 #endif /* SOURCE_SADC undefined */
diff --git a/common.h b/common.h
index 86905ba..75f837a 100644
--- a/common.h
+++ b/common.h
@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
 	(char *, unsigned long long *, unsigned int *);
 
 #ifndef SOURCE_SADC
+void check_overflow
+	(size_t, size_t, size_t);
 int count_bits
 	(void *, int);
 int count_csvalues
diff --git a/sa_common.c b/sa_common.c
index 8a03099..ff90c1f 100644
--- a/sa_common.c
+++ b/sa_common.c
@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
 	int i, j;
 
 	for (i = 0; i < NR_ACT; i++) {
+
 		if (act[i]->nr_ini > 0) {
+
+			/* Look for a possible overflow */
+			check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+				       (size_t) act[i]->nr2);
+
 			for (j = 0; j < 3; j++) {
 				SREALLOC(act[i]->buf[j], void,
 						(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
-- 
2.25.1