[DTrace-devel] [PATCH v2 22/23] libproc: fix buffer overread if no auxvs are read

Nick Alcock nick.alcock at oracle.com
Mon Nov 27 16:47:28 UTC 2023


It is possible (though unlikely) for /proc/$pid/auxv to be empty when we
read it (perhaps the process died at just the wrong instant).  We should
bound our searches by the number of auxvs (which we know), and not just rely
on the last one being AT_NULL (though we should check that too because some
arches truncate auxv lists by introducing AT_NULLs).

Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
---
 libproc/elfish.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libproc/elfish.c b/libproc/elfish.c
index aeffecb7d075..b8f3f3f97f96 100644
--- a/libproc/elfish.c
+++ b/libproc/elfish.c
@@ -144,6 +144,7 @@ uint64_t
 Pgetauxval(struct ps_prochandle *P, int type)
 {
 	auxv_t *auxv;
+	ssize_t nauxv;
 
 	if (Pstate(P) == PS_DEAD)
 		return -1;
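
Review bot: the counter is declared `ssize_t` here but is initialised from `P->nauxv` in the second hunk, so its type should match that field's declaration; if `P->nauxv` is an unsigned `size_t`, the copy silently converts and the `nauxv > 0` guard becomes a signed test on an unsigned source, which a `-Wsign-conversion` build will flag. Worth confirming against the `ps_prochandle` definition and using the same type (or `size_t` with a `nauxv != 0` test) so the two stay in step.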
@@ -154,7 +155,9 @@ Pgetauxval(struct ps_prochandle *P, int type)
 	if (P->auxv == NULL)
 		return -1;
 
-	for (auxv = P->auxv; auxv->a_type != AT_NULL; auxv++) {
+	for (auxv = P->auxv, nauxv = P->nauxv;
+	     nauxv > 0 && auxv->a_type != AT_NULL;
+	     auxv++, nauxv--) {
 		if (auxv->a_type == type)
 			return auxv->a_un.a_val;
 	}
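
Review bot: the operand order in `nauxv > 0 && auxv->a_type != AT_NULL` is the load-bearing part of this fix and should not be reordered: `&&` short-circuits, so `auxv->a_type` is never dereferenced once the count is exhausted, which is exactly what protects the empty-auxv case described in the commit message. Two things to confirm: (1) `P->nauxv` must count `auxv_t` entries actually read rather than bytes, otherwise the bound is wrong by `sizeof(auxv_t)` and the overread returns; (2) when `P->nauxv` is zero the loop body never runs and control falls through to the not-found path below the hunk, so that path needs to return the same sentinel the `P->auxv == NULL` check above uses, or callers will see two different "no auxv" results.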
-- 
2.42.0.271.g85384428f1