On Mon, Apr 13, 2015 at 07:05:24PM +0000, Serge Hallyn wrote:
> Quoting Tycho Andersen (tycho.ander...@canonical.com):
> > 1. prctl() only accepts longs, so we can just scan the stat file as longs.
>
> ? That's not what the manpage tells me.
Hmm, yeah, I must be crazy. I'm not sure why the casts were in there before then. I'll send a different patch. Tycho > > 2. check overflow before addition > > > > Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> > > --- > > src/lxc/utils.c | 18 ++++++++++++------ > > 1 file changed, 12 insertions(+), 6 deletions(-) > > > > diff --git a/src/lxc/utils.c b/src/lxc/utils.c > > index 1df6e8f..cc12ecd 100644 > > --- a/src/lxc/utils.c > > +++ b/src/lxc/utils.c > > @@ -1599,7 +1599,7 @@ int setproctitle(char *title) > > char buf[2048], *tmp; > > FILE *f; > > int i, len, ret = 0; > > - unsigned long arg_start, arg_end, env_start, env_end; > > + long arg_start, arg_end, env_start, env_end; > > > > f = fopen_cloexec("/proc/self/stat", "r"); > > if (!f) { > > @@ -1624,7 +1624,7 @@ int setproctitle(char *title) > > if (!tmp) > > return -1; > > > > - i = sscanf(tmp, "%lu %lu %lu %lu", &arg_start, &arg_end, &env_start, > > &env_end); > > + i = sscanf(tmp, "%ld %ld %ld %ld", &arg_start, &arg_end, &env_start, > > &env_end); > > if (i != 4) { > > return -1; > > } 
> > @@ -1644,15 +1644,21 @@ int setproctitle(char *title) > > if (len >= arg_end - arg_start) { > > env_start = env_end; > > } > > + > > + /* check overflow */ > > + if (arg_start + len < 0) { > > + return -1; > > + } > > + > > arg_end = arg_start + len; > > } > > > > strcpy((char*)arg_start, title); > > > > - ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, (long)arg_start, 0, 0); > > - ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, (long)arg_end, 0, 0); > > - ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, (long)env_start, 0, 0); > > - ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, (long)env_end, 0, 0); > > + ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, arg_start, 0, 0); > > + ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, arg_end, 0, 0); > > + ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, env_start, 0, 0); > > + ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, env_end, 0, 0); > > > > return ret; > > } > > -- > > 2.1.4 > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel@lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel
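Review bot: in the `@@ -1599,7` hunk, declaring `arg_start`, `arg_end`, `env_start` and `env_end` as `long` makes the address values signed, while prctl(2) documents its arguments as `unsigned long`, which is the objection raised in the reply above. Keeping `unsigned long` avoids signed arithmetic and signed comparisons on addresses later in `setproctitle()`, such as `len >= arg_end - arg_start`.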
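Review bot: in the `@@ -1624,7` hunk, the `%ld` conversions in the `sscanf()` call read fields that proc(5) documents as `%lu`, so a value above `LONG_MAX` cannot be represented in the destination and the behavior of the conversion is undefined. Keep `%lu` with `unsigned long` destinations, and whichever type is chosen, change the format string and the declaration together so they cannot drift apart.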
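Review bot: the added check `if (arg_start + len < 0)` in the `@@ -1644,15` hunk detects overflow by performing the addition it is meant to guard, and signed overflow is undefined behavior in C, so a compiler may assume it cannot happen and drop the test. It also does not match the commit message's "check overflow before addition". Compare against the limit before adding, for example `if (len > LONG_MAX - arg_start) return -1;` for the `long` version (assuming `len` is non-negative), or `if (arg_start + len < arg_start) return -1;` if the variables stay `unsigned long`, where wraparound is well defined.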