Bugzilla – Bug 1117001
VUL-1: CVE-2018-19416: sysstat: the remap_struct function in sa_common.c has an out-of-bounds read during a memmove call
Last modified: 2019-10-28 07:52:15 UTC
CVE-2018-19416: An issue was discovered in sysstat 12.1.1. The remap_struct function in sa_common.c has an out-of-bounds read during a memmove call, as demonstrated by sadf.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19416
http://www.cvedetails.com/cve/CVE-2018-19416/
https://github.com/sysstat/sysstat/issues/196
Hi Pedro, my investigation suggests that the problematic function has been present since version 11.7.1, which would mean that these codestreams are affected:
- SUSE:SLE-15:Update/sysstat
- SUSE:SLE-12:Update/sysstat
As there is currently no patch, it is hard to be 100% correct.
Created attachment 790570 [details]
QA Reproducer

$ sadf stack_oob
Segmentation fault (core dumped)
$ md5sum stack_oob
d79f6e724a12aef1fb372e789c5f8b7b  stack_oob
Thanks, Robert. This is one of those cases that doesn't crash in gdb, a heisenbug. It looks like a memory mismatch between source and destination in memmove. Here is the output from Valgrind:

==27103== Invalid read of size 8
==27103==    at 0x4037050: memmove (vg_replace_strmem.c:1258)
==27103==    by 0x1411E6: UnknownInlinedFun (string_fortified.h:40)
==27103==    by 0x1411E6: remap_struct (sa_common.c:1297)
==27103==    by 0x141375: read_record_hdr (sa_common.c:1415)
==27103==    by 0x10D3B5: read_next_sample (sadf.c:234)
==27103==    by 0x10EC8D: logic2_display_loop (sadf.c:1163)
==27103==    by 0x10F5CC: read_stats_from_file (sadf.c:1422)
==27103==    by 0x10C670: main (sadf.c:1789)
==27103==  Address 0x20feffeef0 is not stack'd, malloc'd or (recently) free'd
Segmentation fault (core dumped)
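The Valgrind trace above shows memmove reading past the source buffer while remapping a record whose size comes from the activity file. As an added illustration (not sysstat's code and not the fix from the referenced upstream commit), the following C sketch shows the two bounds a defender expects such a remap to enforce before the copy: the record claimed by the file header must lie inside the buffer actually read, and the copy length must never exceed the destination structure. The struct name record_v2, the functions remap_record, build_old_record and self_check, and the sample record contents are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical in-memory record layout (constructed; not sysstat's real struct). */
struct record_v2 {
    uint32_t uptime;
    uint32_t nr_cpu;
    uint32_t nr_disk;   /* field that exists only in the "new" layout */
};

/* Copy one variable-size record out of a file buffer into the current
 * in-memory layout. rec_size is the size the file header claims for the
 * record; it is untrusted input and must be bounded before memmove.
 * Returns 0 on success, -1 when the claimed record does not fit. */
int remap_record(const unsigned char *buf, size_t buf_len, size_t offset,
                 size_t rec_size, struct record_v2 *out)
{
    /* 1. The claimed record must lie entirely inside the buffer we own
     *    (written so the subtraction cannot underflow). */
    if (offset > buf_len || rec_size > buf_len - offset)
        return -1;

    /* 2. Never copy more than the destination can hold; fields that the
     *    older layout lacks are left zeroed. */
    size_t n = rec_size < sizeof(*out) ? rec_size : sizeof(*out);
    memset(out, 0, sizeof(*out));
    memmove(out, buf + offset, n);
    return 0;
}

/* Build a constructed 8-byte "old layout" record (uptime and nr_cpu only),
 * in host byte order, as a stand-in for a record read from a file. */
size_t build_old_record(unsigned char *buf, size_t cap,
                        uint32_t uptime, uint32_t nr_cpu)
{
    if (cap < 8)
        return 0;
    memcpy(buf, &uptime, sizeof uptime);
    memcpy(buf + 4, &nr_cpu, sizeof nr_cpu);
    return 8;
}

/* Exercise the checks; returns the number of scenarios that behaved as expected (3). */
int self_check(void)
{
    unsigned char buf[8];
    struct record_v2 r;
    int ok = 0;

    size_t len = build_old_record(buf, sizeof buf, 1234, 4);

    /* Honest header: old 8-byte record remaps cleanly, new field is zero. */
    if (len == 8 && remap_record(buf, len, 0, 8, &r) == 0 &&
        r.uptime == 1234 && r.nr_cpu == 4 && r.nr_disk == 0)
        ok++;

    /* Header claims 64 bytes but only 8 were read: rejected instead of over-read. */
    if (remap_record(buf, len, 0, 64, &r) == -1)
        ok++;

    /* Offset already past the end of the buffer: rejected. */
    if (remap_record(buf, len, 9, 0, &r) == -1)
        ok++;

    return ok;
}

int main(void)
{
    printf("%d of 3 checks passed\n", self_check());
    return 0;
}
```

Without check 1 a crafted record size makes memmove read beyond the bytes actually read from the file, which is exactly the "Address ... is not stack'd, malloc'd or (recently) free'd" report Valgrind produces above; without check 2 an oversized record would overflow the destination instead.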
Seems to be fixed in: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548
Created attachment 790988 [details]
Backported patch for version 12.0.2

Same patch for SLE-15 and SLE-12. The rest of the codestreams are not affected.
Tested in polio:
Before: Segmentation fault (core dumped)
After: End of system activity file unexpected
SUSE-SU-2019:0806-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1117001,1117260
CVE References: CVE-2018-19416,CVE-2018-19517
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): sysstat-12.0.2-3.6.12
SUSE Linux Enterprise Module for Basesystem 15 (src): sysstat-12.0.2-3.6.12

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1176-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1117001,1117260
CVE References: CVE-2018-19416,CVE-2018-19517
Sources used:
openSUSE Leap 15.0 (src): sysstat-12.0.2-lp150.7.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1326-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1117001,1117260
CVE References: CVE-2018-19416,CVE-2018-19517
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): sysstat-12.0.2-10.18.1
SUSE Linux Enterprise Server 12-SP3 (src): sysstat-12.0.2-10.18.1
SUSE Linux Enterprise Desktop 12-SP4 (src): sysstat-12.0.2-10.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src): sysstat-12.0.2-10.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released