diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2022-06-03 08:21:23 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2022-08-09 20:00:43 +0000 |
| commit | 69a456c0b60bb6d1122391e1c78243aec345f36c (patch) | |
| tree | a602521e956dbc37ac3721207982e47dd9c6e484 | |
| parent | 26db194f3db1238b9339bde23a82def8cfee10b1 (diff) | |
elf_note_prpsinfo: handle more failures from proc_getargv()
Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
buffer overflowed. The later should not occur because get_ps_strings()
checks for catenated length, but check for this subtle detail explicitly
as well to be more resilent.
The end result is that p_comm is used in this situations.
Approved by: so
Security: FreeBSD-SA-22:09.elf
Reported by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
Reviewed by: delphij, markj
admbugs: 988
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35391
(cherry picked from commit 00d17cf342cd9f4f8fd1dcd79c8caec359145532)
(cherry picked from commit 8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf)
| -rw-r--r-- | sys/kern/imgact_elf.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c index a8f3c6959b3b..5c4a9889a713 100644 --- a/sys/kern/imgact_elf.c +++ b/sys/kern/imgact_elf.c @@ -2303,13 +2303,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, size_t *sizep) sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN); error = proc_getargv(curthread, p, &sbarg); PRELE(p); - if (sbuf_finish(&sbarg) == 0) - len = sbuf_len(&sbarg) - 1; - else + if (sbuf_finish(&sbarg) == 0) { + len = sbuf_len(&sbarg); + if (len > 0) + len--; + } else { len = sizeof(psinfo->pr_psargs) - 1; + } sbuf_delete(&sbarg); } - if (error || len == 0) + if (error != 0 || len == 0 || (ssize_t)len == -1) strlcpy(psinfo->pr_psargs, p->p_comm, sizeof(psinfo->pr_psargs)); else { |