Bug 1214290 (CVE-2023-4016)

Summary: VUL-0: CVE-2023-4016: procps: ps buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: meissner, rfrohl, security-team, werner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373963/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4016:2.5:(AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-08-15 11:11:04 UTC
CVE-2023-4016

In short, if I have read the paper correctly, the issue is that multiplying
the size of the -C option by the size of sel_union can result in an overflow
and allocating the wrong amount of memory.

I believe the fix would be either (or both):

1. Changing the xmalloc(strlen(arg)*sizeof(sel_union)) to
   xcalloc(strlen(arg), sizeof(sel_union)), because calloc specifically
   calls out and will error on this sort of issue.

2. Moving the allocation for node->u to when we know the number of items,
   e.g. line 213.

Combining this we get:

diff --git a/src/ps/parser.c b/src/ps/parser.c
index 248aa74..15873df 100644
--- a/src/ps/parser.c
+++ b/src/ps/parser.c
@@ -189,7 +189,6 @@ static const char *parse_list(const char *arg, const
char *(*parse_fn)(char *, s
   const char *err;       /* error code that could or did happen */
   /*** prepare to operate ***/
   node = xmalloc(sizeof(selection_node));
-  node->u = xmalloc(strlen(arg)*sizeof(sel_union)); /* waste is
insignificant */
   node->n = 0;
   buf = strdup(arg);
   /*** sanity check and count items ***/
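Review bot: with the early `xmalloc` for `node->u` removed, `node->u` holds whatever `xmalloc(sizeof(selection_node))` left in it until the count is known, and the `goto parse_error` at the end of the counting loop can be taken before the new allocation happens; if the parse_error path releases `node->u`, add `node->u = NULL;` next to `node->n = 0;` so that path frees a null pointer rather than garbage.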
@@ -210,6 +209,7 @@ static const char *parse_list(const char *arg, const
char *(*parse_fn)(char *, s
   } while (*++walk);
   if(need_item) goto parse_error;
   node->n = items;
+  node->u = xcalloc(items, sizeof(sel_union));
   /*** actually parse the list ***/
   walk = buf;
   while(items--){
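Review bot: `xcalloc(items, sizeof(sel_union))` now sizes the array from the counted items instead of `strlen(arg)`, so the parse loop below (`while(items--)`) must never store more entries than the counting loop found; a short comment here stating that both loops must use the same delimiter rules would help, since any divergence becomes an out-of-bounds write where the old over-allocation silently absorbed it.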

I'll probably look at some of the other malloc(x * y) calls too, these are
called once so we don't need the speed of malloc.

 - Craig

References:
https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4016
https://bugzilla.redhat.com/show_bug.cgi?id=2228494
https://www.cve.org/CVERecord?id=CVE-2023-4016
https://gitlab.com/procps-ng/procps
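The allocation bug class Craig describes above, as an added example that is not from the procps tree: mul_would_overflow is the wrap check that calloc(3) performs internally and that a bare xmalloc(n * size) lacks, and count_list_items mirrors the count-first-then-allocate ordering of the patch. The sel_union layout and every function name here are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for procps' sel_union; the real layout is not shown on the page. */
typedef union sel_union { int pid; unsigned uid; char cmd[16]; } sel_union;

/* True when n * size would wrap size_t, i.e. when the xmalloc(n * size)
 * idiom would hand back a buffer far smaller than the caller assumes.
 * calloc(3) performs exactly this check before allocating. */
bool mul_would_overflow(size_t n, size_t size)
{
    size_t product;
    return __builtin_mul_overflow(n, size, &product);
}

/* Count comma-separated items before allocating, as the patch does.
 * An empty item (",,", leading or trailing ",") or an empty string is a
 * parse error and yields 0. */
size_t count_list_items(const char *arg)
{
    size_t items = 0;
    bool need_item = true;
    for (const char *walk = arg; *walk; walk++) {
        if (*walk == ',') {
            if (need_item) return 0;   /* ",," or a leading "," */
            need_item = true;
        } else {
            if (need_item) items++;    /* first byte of a new item */
            need_item = false;
        }
    }
    return need_item ? 0 : items;      /* trailing "," is an error */
}

/* Allocate exactly items * sizeof(sel_union) via calloc, refusing on
 * parse error or multiplication wrap. Returns NULL in both cases. */
sel_union *alloc_selection(const char *arg, size_t *out_items)
{
    size_t items = count_list_items(arg);
    if (items == 0 || mul_would_overflow(items, sizeof(sel_union)))
        return NULL;
    *out_items = items;
    return calloc(items, sizeof(sel_union));
}
```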
Comment 1 Dr. Werner Fink 2023-08-15 12:52:51 UTC
Fixed version for Factory, SLE-15 and SLE-12 ... but on SLE-12 there seems to have been a kernel version upgrade, as the smap format seems to have changed, at least on the internal build service for SLE-12
Comment 2 Dr. Werner Fink 2023-08-15 12:53:31 UTC
SR#1104044 SR#305534 SR#305535
Comment 3 Dr. Werner Fink 2023-08-15 12:54:48 UTC
For SLE-12

[   45s] make[1]: Leaving directory '/home/abuild/rpmbuild/BUILD/procps-ng-3.3.9'
[   45s] + ./pmap 1531
[   45s] New entry in smap: ProtectionKey
[   45s] failed to parse /proc/1531/smaps
[   45s] 1531: sh
[   45s] + uname -a
[   45s] Linux goat25 4.4.180-94.191-default #1 SMP Mon Jul 3 14:37:32 UTC 2023 (f45c392) x86_64 x86_64 x86_64 GNU/Linux
[   45s] + echo /proc/1531/maps
[   45s] /proc/1531/maps
[   45s] + cat /proc/1531/maps

I'd like to know why I had not been informed about this kernel upgrade
Comment 4 Dr. Werner Fink 2023-08-15 13:13:14 UTC
SR#305536 for SLE-12 with ProtectionKey support in pmap
Comment 5 OBSbugzilla Bot 2023-08-15 13:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1214290) was mentioned in
https://build.opensuse.org/request/show/1104044 Factory / procps
Comment 7 OBSbugzilla Bot 2023-08-17 09:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1214290) was mentioned in
https://build.opensuse.org/request/show/1104338 Factory / procps4
Comment 8 Maintenance Automation 2023-08-29 12:30:58 UTC
SUSE-SU-2023:3472-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1214290
CVE References: CVE-2023-4016
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro 5.2 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): procps-3.3.15-150000.7.34.1
openSUSE Leap Micro 5.3 (src): procps-3.3.15-150000.7.34.1
openSUSE Leap Micro 5.4 (src): procps-3.3.15-150000.7.34.1
openSUSE Leap 15.4 (src): procps-3.3.15-150000.7.34.1
openSUSE Leap 15.5 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro 5.3 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): procps-3.3.15-150000.7.34.1
SUSE Linux Enterprise Micro 5.4 (src): procps-3.3.15-150000.7.34.1
Basesystem Module 15-SP4 (src): procps-3.3.15-150000.7.34.1
Basesystem Module 15-SP5 (src): procps-3.3.15-150000.7.34.1
SUSE Manager Proxy 4.2 (src): procps-3.3.15-150000.7.34.1
SUSE Manager Retail Branch Server 4.2 (src): procps-3.3.15-150000.7.34.1
SUSE Manager Server 4.2 (src): procps-3.3.15-150000.7.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-08-29 12:31:01 UTC
SUSE-SU-2023:3471-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1214290
CVE References: CVE-2023-4016
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): procps-3.3.9-11.27.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): procps-3.3.9-11.27.1
SUSE Linux Enterprise Server 12 SP5 (src): procps-3.3.9-11.27.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): procps-3.3.9-11.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Dr. Werner Fink 2023-09-12 07:03:52 UTC
Fixed
Comment 12 Robert Frohl 2024-05-24 09:07:48 UTC
done, closing