[DTrace-devel] [PATCH 19/23] libproc: fix buffer overread if no auxvs are read

Nick Alcock nick.alcock at oracle.com
Thu Feb 22 18:39:22 UTC 2024


It is possible (though unlikely) for /proc/$pid/auxv to be empty when we
read it (perhaps the process died at just the wrong instant).  We should
bound our searches by the number of auxvs (which we know), and not just rely
on the last one being AT_NULL (though we should check that too because some
arches truncate auxv lists by introducing AT_NULLs).

Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
Reviewed-by: Kris Van Hees <kris.van.hees at oracle.com>
---
 libproc/elfish.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libproc/elfish.c b/libproc/elfish.c
index aeffecb7..a2be814f 100644
--- a/libproc/elfish.c
+++ b/libproc/elfish.c
@@ -4,7 +4,7 @@
 
 /*
  * Oracle Linux DTrace.
- * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -144,6 +144,7 @@ uint64_t
 Pgetauxval(struct ps_prochandle *P, int type)
 {
 	auxv_t *auxv;
+	ssize_t nauxv;
 
 	if (Pstate(P) == PS_DEAD)
 		return -1;
@@ -154,7 +155,9 @@ Pgetauxval(struct ps_prochandle *P, int type)
 	if (P->auxv == NULL)
 		return -1;
 
-	for (auxv = P->auxv; auxv->a_type != AT_NULL; auxv++) {
+	for (auxv = P->auxv, nauxv = P->nauxv;
+	     nauxv > 0 && auxv->a_type != AT_NULL;
+	     auxv++, nauxv--) {
 		if (auxv->a_type == type)
 			return auxv->a_un.a_val;
 	}
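Review bot: the loop now carries two independent stop conditions (the entry count and an AT_NULL terminator), but nothing in the code says why both are needed; the rationale lives only in the commit message. A one-line comment above the `for`, along the lines of "stop at the entry count as well: auxv may be empty or truncated, and some arches end the list early with AT_NULL", would keep the next reader from "simplifying" one of the bounds away. Also worth confirming that `P->nauxv` has the same signed type as the new `ssize_t nauxv` local, so that a read error recorded as -1 still fails the `nauxv > 0` test instead of being converted to a large positive count.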
-- 
2.42.0
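The bounded walk the patch introduces, as an added stand-alone example that is not part of the DTrace libproc code or of this patch. It assumes an entry layout mirroring the 64-bit `Elf64_auxv_t` (a type tag followed by a value), uses constructed sample vectors rather than data from a real process, and adds a hypothetical `auxv_from_bytes()` helper to show how the entry count is derived from a short or empty read of `/proc/$pid/auxv`. The lookups exercise the three cases the commit message describes: a normally terminated list, a list with no AT_NULL at all, and a list cut short by an early AT_NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed mirror of the 64-bit auxv entry layout (cf. Elf64_auxv_t in <elf.h>). */
typedef struct {
	uint64_t a_type;
	union { uint64_t a_val; } a_un;
} auxv_entry_t;

/* Standard auxv tags used in the constructed samples below. */
#define AUXV_AT_NULL   0
#define AUXV_AT_PAGESZ 6
#define AUXV_AT_ENTRY  9
#define AUXV_AT_RANDOM 25

#define AUXV_NOT_FOUND UINT64_MAX

/*
 * Hypothetical read-side helper: copy whole entries out of a raw buffer as
 * read from /proc/$pid/auxv.  A short or empty read yields fewer entries
 * (possibly zero); a trailing partial entry is dropped, not interpreted.
 * Returns the number of entries stored in OUT, or -1 if OUT is too small.
 */
static ssize_t auxv_from_bytes(const unsigned char *buf, size_t nbytes,
			       auxv_entry_t *out, size_t max_entries)
{
	size_t n = nbytes / sizeof(auxv_entry_t);

	if (n > max_entries)
		return -1;
	memcpy(out, buf, n * sizeof(auxv_entry_t));
	return (ssize_t)n;
}

/*
 * Bounded lookup: stop at whichever comes first, the entry count or an
 * AT_NULL terminator.  nauxv <= 0 (nothing read, or a read error recorded
 * as -1) means the buffer is never dereferenced at all.
 */
static uint64_t auxv_get(const auxv_entry_t *auxv, ssize_t nauxv, uint64_t type)
{
	for (; nauxv > 0 && auxv->a_type != AUXV_AT_NULL; auxv++, nauxv--) {
		if (auxv->a_type == type)
			return auxv->a_un.a_val;
	}
	return AUXV_NOT_FOUND;
}

/* Constructed sample vectors (not captured from a real process). */

/* A normal, AT_NULL-terminated vector. */
static const auxv_entry_t sample_terminated[] = {
	{ AUXV_AT_PAGESZ, { 4096 } },
	{ AUXV_AT_ENTRY,  { 0x401000 } },
	{ AUXV_AT_RANDOM, { 0x7ffd1234 } },
	{ AUXV_AT_NULL,   { 0 } },
};

/* Cut off mid-list with no AT_NULL: only the count bounds the walk. */
static const auxv_entry_t sample_unterminated[] = {
	{ AUXV_AT_PAGESZ, { 4096 } },
	{ AUXV_AT_ENTRY,  { 0x401000 } },
};

/* Ended early by AT_NULL: entries after the terminator must be ignored. */
static const auxv_entry_t sample_early_null[] = {
	{ AUXV_AT_PAGESZ, { 4096 } },
	{ AUXV_AT_NULL,   { 0 } },
	{ AUXV_AT_RANDOM, { 0x7ffd1234 } },
};

#define NELEM(a) ((ssize_t)(sizeof(a) / sizeof((a)[0])))

/* Named lookups so each case can be checked by return value. */
static uint64_t pagesz_terminated(void)
{
	return auxv_get(sample_terminated, NELEM(sample_terminated), AUXV_AT_PAGESZ);
}

static uint64_t random_unterminated(void)
{
	return auxv_get(sample_unterminated, NELEM(sample_unterminated), AUXV_AT_RANDOM);
}

static uint64_t random_early_null(void)
{
	return auxv_get(sample_early_null, NELEM(sample_early_null), AUXV_AT_RANDOM);
}

/* Empty read: zero entries, so the first entry is never touched. */
static uint64_t pagesz_empty(void)
{
	return auxv_get(sample_terminated, 0, AUXV_AT_PAGESZ);
}

/* Read error recorded as -1: same outcome as an empty read. */
static uint64_t pagesz_read_error(void)
{
	return auxv_get(sample_terminated, -1, AUXV_AT_PAGESZ);
}

/* Short-read path: 20 bytes is one whole 16-byte entry plus 4 stray bytes. */
static ssize_t entries_from_short_read(void)
{
	unsigned char raw[20] = { 0 };
	auxv_entry_t one = { AUXV_AT_PAGESZ, { 4096 } };
	auxv_entry_t parsed[4];

	memcpy(raw, &one, sizeof(one));
	return auxv_from_bytes(raw, sizeof(raw), parsed, 4);
}

int main(void)
{
	printf("PAGESZ (terminated)    = %llu\n", (unsigned long long)pagesz_terminated());
	printf("RANDOM (unterminated)  = %llu\n", (unsigned long long)random_unterminated());
	printf("RANDOM (early AT_NULL) = %llu\n", (unsigned long long)random_early_null());
	printf("PAGESZ (empty read)    = %llu\n", (unsigned long long)pagesz_empty());
	printf("entries from 20B read  = %zd\n", entries_from_short_read());
	return 0;
}
```

The count bound is what protects the unterminated and empty cases; the AT_NULL check alone would walk off the end of `sample_unterminated` and, with zero entries, read an uninitialised or unmapped first entry. Keeping the AT_NULL check as well is what makes the early-terminated list behave as the kernel intends, returning not-found for entries after the terminator.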