The branch releng/13.1 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=69a456c0b60bb6d1122391e1c78243aec345f36c

commit 69a456c0b60bb6d1122391e1c78243aec345f36c
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2022-06-03 08:21:23 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2022-08-09 20:00:43 +0000

    elf_note_prpsinfo: handle more failures from proc_getargv()
    
    Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
    ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
    buffer overflowed. The later should not occur because get_ps_strings()
    checks for catenated length, but check for this subtle detail explicitly
    as well to be more resilent.
    
    The end result is that p_comm is used in this situations.
    
    Approved by:    so
    Security:       FreeBSD-SA-22:09.elf
    Reported by:    Josef 'Jeff' Sipek <[email protected]>
    Reviewed by:    delphij, markj
    admbugs:        988
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35391
    
    (cherry picked from commit 00d17cf342cd9f4f8fd1dcd79c8caec359145532)
    (cherry picked from commit 8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf)
---
 sys/kern/imgact_elf.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index a8f3c6959b3b..5c4a9889a713 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -2303,13 +2303,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, 
size_t *sizep)
                            sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
                        error = proc_getargv(curthread, p, &sbarg);
                        PRELE(p);
-                       if (sbuf_finish(&sbarg) == 0)
-                               len = sbuf_len(&sbarg) - 1;
-                       else
+                       if (sbuf_finish(&sbarg) == 0) {
+                               len = sbuf_len(&sbarg);
+                               if (len > 0)
+                                       len--;
+                       } else {
                                len = sizeof(psinfo->pr_psargs) - 1;
+                       }
                        sbuf_delete(&sbarg);
                }
-               if (error || len == 0)
+               if (error != 0 || len == 0 || (ssize_t)len == -1)
                        strlcpy(psinfo->pr_psargs, p->p_comm,
                            sizeof(psinfo->pr_psargs));
                else {

Reply via email to