The branch stable/13 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf

commit 8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2022-06-03 08:21:23 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2022-08-09 19:47:32 +0000

    elf_note_prpsinfo: handle more failures from proc_getargv()
    
    Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
    ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
    buffer overflowed. The later should not occur because get_ps_strings()
    checks for catenated length, but check for this subtle detail explicitly
    as well to be more resilent.
    
    The end result is that p_comm is used in this situations.
    
    Approved by:    so
    Security:       FreeBSD-SA-22:09.elf
    Reported by:    Josef 'Jeff' Sipek <[email protected]>
    Reviewed by:    delphij, markj
    admbugs:        988
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35391
    
    (cherry picked from commit 00d17cf342cd9f4f8fd1dcd79c8caec359145532)
---
 sys/compat/linux/linux_elf.c |  9 ++++++---
 sys/kern/imgact_elf.c        | 11 +++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/sys/compat/linux/linux_elf.c b/sys/compat/linux/linux_elf.c
index bcbd4d1cad51..b02b6e2cc777 100644
--- a/sys/compat/linux/linux_elf.c
+++ b/sys/compat/linux/linux_elf.c
@@ -155,13 +155,16 @@ __linuxN(note_prpsinfo)(void *arg, struct sbuf *sb, 
size_t *sizep)
                            sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
                        error = proc_getargv(curthread, p, &sbarg);
                        PRELE(p);
-                       if (sbuf_finish(&sbarg) == 0)
+                       if (sbuf_finish(&sbarg) == 0) {
                                len = sbuf_len(&sbarg) - 1;
-                       else
+                               if (len > 0)
+                                       len--;
+                       } else {
                                len = sizeof(psinfo->pr_psargs) - 1;
+                       }
                        sbuf_delete(&sbarg);
                }
-               if (error || len == 0)
+               if (error != 0 || len == 0 || (ssize_t)len == -1)
                        strlcpy(psinfo->pr_psargs, p->p_comm,
                            sizeof(psinfo->pr_psargs));
                else {
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index bee3524537d9..11ab46767fce 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -2189,13 +2189,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, 
size_t *sizep)
                            sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
                        error = proc_getargv(curthread, p, &sbarg);
                        PRELE(p);
-                       if (sbuf_finish(&sbarg) == 0)
-                               len = sbuf_len(&sbarg) - 1;
-                       else
+                       if (sbuf_finish(&sbarg) == 0) {
+                               len = sbuf_len(&sbarg);
+                               if (len > 0)
+                                       len--;
+                       } else {
                                len = sizeof(psinfo->pr_psargs) - 1;
+                       }
                        sbuf_delete(&sbarg);
                }
-               if (error || len == 0)
+               if (error != 0 || len == 0 || (ssize_t)len == -1)
                        strlcpy(psinfo->pr_psargs, p->p_comm,
                            sizeof(psinfo->pr_psargs));
                else {

Reply via email to