diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2022-06-03 08:21:23 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2022-08-09 19:59:14 +0000 |
| commit | 056ffc74a7693808c843e15d85deee20abf5c4e2 (patch) | |
| tree | 309af545b83556c654448e0f8f4cef5aab10d66f | |
| parent | 5430423b6d63b76548ed23efff5d33b7ebeefd05 (diff) | |
elf_note_prpsinfo: handle more failures from proc_getargv()
Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
buffer overflowed. The later should not occur because get_ps_strings()
checks for catenated length, but check for this subtle detail explicitly
as well to be more resilent.
The end result is that p_comm is used in this situations.
Approved by: so
Security: FreeBSD-SA-22:09.elf
Reported by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
Reviewed by: delphij, markj
admbugs: 988
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35391
(cherry picked from commit 00d17cf342cd9f4f8fd1dcd79c8caec359145532)
(cherry picked from commit 8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf)
| -rw-r--r-- | sys/kern/imgact_elf.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index dae11ab92a6c..626a8a59c594 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -2216,13 +2216,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, size_t *sizep) sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN); error = proc_getargv(curthread, p, &sbarg); PRELE(p); - if (sbuf_finish(&sbarg) == 0) - len = sbuf_len(&sbarg) - 1; - else + if (sbuf_finish(&sbarg) == 0) { + len = sbuf_len(&sbarg); + if (len > 0) + len--; + } else { len = sizeof(psinfo->pr_psargs) - 1; + } sbuf_delete(&sbarg); } - if (error || len == 0) + if (error != 0 || len == 0 || (ssize_t)len == -1) strlcpy(psinfo->pr_psargs, p->p_comm, sizeof(psinfo->pr_psargs)); else { |