[DTrace-devel] [PATCH v4 19/23] libproc: fix buffer overread if no auxvs are read

Nick Alcock nick.alcock at oracle.com
Wed Feb 21 20:48:13 UTC 2024


It is possible (though unlikely) for /proc/$pid/auxv to be empty when we
read it (perhaps the process died at just the wrong instant).  We should
bound our searches by the number of auxvs (which we know), and not just rely
on the last one being AT_NULL (though we should check that too because some
arches truncate auxv lists by introducing AT_NULLs).

Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
---
 libproc/elfish.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libproc/elfish.c b/libproc/elfish.c
index aeffecb7d0755..a2be814fef65d 100644
--- a/libproc/elfish.c
+++ b/libproc/elfish.c
@@ -4,7 +4,7 @@
 
 /*
  * Oracle Linux DTrace.
- * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -144,6 +144,7 @@ uint64_t
 Pgetauxval(struct ps_prochandle *P, int type)
 {
 	auxv_t *auxv;
+	ssize_t nauxv;
 
 	if (Pstate(P) == PS_DEAD)
 		return -1;
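Review bot: the new local `ssize_t nauxv` should use the same type as the `P->nauxv` field it is copied from in the following hunk; that field's declaration is not visible here, and if it is unsigned (e.g. `size_t`) the copy becomes an implicit sign-changing conversion and the `nauxv > 0` guard silently depends on it. Either declare the local as the field's exact type or cast explicitly so the intent is visible at the point of use.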
@@ -154,7 +155,9 @@ Pgetauxval(struct ps_prochandle *P, int type)
 	if (P->auxv == NULL)
 		return -1;
 
-	for (auxv = P->auxv; auxv->a_type != AT_NULL; auxv++) {
+	for (auxv = P->auxv, nauxv = P->nauxv;
+	     nauxv > 0 && auxv->a_type != AT_NULL;
+	     auxv++, nauxv--) {
 		if (auxv->a_type == type)
 			return auxv->a_un.a_val;
 	}
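Review bot: the loop now carries two termination conditions, `nauxv > 0` and `auxv->a_type != AT_NULL`, but the reason both are needed lives only in the commit message; a short comment above the `for` would keep that rationale with the code, for example `/* Bound by count: auxv may be empty; also stop at AT_NULL since some arches truncate the list with one. */`. The ordering is right as written, since `nauxv > 0` is evaluated first and prevents dereferencing `auxv` when the list is empty.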
-- 
2.43.0.272.gce700b77fd
