[DTrace-devel] [PATCH v3 20/21] libproc: fix buffer overread if no auxvs are read
Nick Alcock
nick.alcock at oracle.com
Tue Jan 16 21:13:16 UTC 2024
It is possible (though unlikely) for /proc/$pid/auxv to be empty when we
read it (perhaps the process died at just the wrong instant). We should
bound our searches by the number of auxvs (which we know), and not just rely
on the last one being AT_NULL (though we should check that too because some
arches truncate auxv lists by introducing AT_NULLs).
Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
---
libproc/elfish.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libproc/elfish.c b/libproc/elfish.c
index aeffecb7d075..b8f3f3f97f96 100644
--- a/libproc/elfish.c
+++ b/libproc/elfish.c
@@ -144,6 +144,7 @@ uint64_t
Pgetauxval(struct ps_prochandle *P, int type)
{
auxv_t *auxv;
+ ssize_t nauxv;
if (Pstate(P) == PS_DEAD)
return -1;
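Review bot: `nauxv` is declared ssize_t here, but the hunk does not show the type of the P->nauxv field it is copied from in the loop below. If that field is an unsigned size_t, the copy is a sign conversion that -Wsign-conversion builds will flag, and a size_t local tested with `nauxv > 0` would serve equally well; if P->nauxv is itself signed so that a failed read can be recorded as a negative count, ssize_t is the right choice and the `> 0` test covers that case for free. Worth stating which in the commit message.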
@@ -154,7 +155,9 @@ Pgetauxval(struct ps_prochandle *P, int type)
if (P->auxv == NULL)
return -1;
- for (auxv = P->auxv; auxv->a_type != AT_NULL; auxv++) {
+ for (auxv = P->auxv, nauxv = P->nauxv;
+ nauxv > 0 && auxv->a_type != AT_NULL;
+ auxv++, nauxv--) {
if (auxv->a_type == type)
return auxv->a_un.a_val;
}
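Review bot: the new bound only works if P->nauxv is an element count, and nothing in this hunk shows how it is computed; please confirm the code that fills P->auxv stores the number of auxv_t entries rather than the byte length of /proc/$pid/auxv, since a byte count would let `nauxv > 0 && auxv->a_type != AT_NULL` run sizeof(auxv_t) times past the buffer and reintroduce the overread. The operand order in the condition is correct as written: with P->nauxv == 0 the a_type dereference is short-circuited away, which is the empty-auxv case from the commit message, and an AT_NULL seen before the count runs out still ends the walk early, matching the truncated-list case. One nit: the `if (P->auxv == NULL)` guard above will not catch an empty read if the reader allocates a zero-length buffer, so this loop bound is now the only protection for that case and deserves a one-line comment saying so.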
--
2.43.0.272.gce700b77fd
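The failure mode the commit message describes, and the bounded walk that fixes it, in a stand-alone form. This is an added example, not libproc's code: the auxv_t layout mirrors the 64-bit ELF auxiliary-vector entry (an assumption), the names auxv_lookup and auxv_read_proc are hypothetical, and the sample vectors below are constructed to cover the empty, unterminated and AT_NULL-truncated cases.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed 64-bit ELF auxv entry layout; libproc's real auxv_t lives
 * elsewhere and may differ. */
typedef struct {
	uint64_t a_type;
	union { uint64_t a_val; } a_un;
} auxv_t;

/* Standard ELF auxiliary-vector tags. */
#define AT_NULL   0
#define AT_PAGESZ 6
#define AT_ENTRY  9

#define AUXV_NOT_FOUND ((uint64_t)-1)

/* Constructed sample vectors (not real process data). */
static const auxv_t sample_empty[1] = { { AT_NULL, { 0 } } }; /* walked with count 0 */
static const auxv_t sample_unterminated[2] = {
	{ AT_PAGESZ, { 4096 } }, { AT_ENTRY, { 0x400000 } }     /* no AT_NULL at all */
};
static const auxv_t sample_truncated[3] = {
	{ AT_PAGESZ, { 4096 } }, { AT_NULL, { 0 } }, { AT_ENTRY, { 0x400000 } }
};

/* Search nauxv entries for `type`.  The count bounds the walk so an empty or
 * unterminated buffer is never read past; an AT_NULL entry also ends the walk
 * early, because some arches terminate truncated lists that way.  A negative
 * count (a failed read) simply yields "not found". */
static uint64_t
auxv_lookup(const auxv_t *auxv, ssize_t nauxv, uint64_t type)
{
	for (; nauxv > 0 && auxv->a_type != AT_NULL; auxv++, nauxv--)
		if (auxv->a_type == type)
			return auxv->a_un.a_val;
	return AUXV_NOT_FOUND;
}

/* Read /proc/<pid>/auxv into caller storage and return the number of complete
 * entries (0 for an empty file, -1 on error).  The byte count is converted to
 * an element count here, once, so callers never bound a walk by bytes; a
 * trailing partial entry is discarded rather than interpreted. */
static ssize_t
auxv_read_proc(pid_t pid, auxv_t *buf, size_t nbuf)
{
	char path[64];
	int fd;
	ssize_t n = 0, total = 0;
	size_t cap = nbuf * sizeof(auxv_t);

	snprintf(path, sizeof(path), "/proc/%ld/auxv", (long)pid);
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return -1;
	while ((size_t)total < cap) {
		n = read(fd, (char *)buf + total, cap - (size_t)total);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0)
			break;
		total += n;
	}
	close(fd);
	if (n < 0)
		return -1;
	return total / (ssize_t)sizeof(auxv_t);
}

int
main(void)
{
	auxv_t buf[64];
	ssize_t n = auxv_read_proc(getpid(), buf, 64);
	uint64_t pagesz = auxv_lookup(buf, n, AT_PAGESZ);

	printf("read %zd auxv entries, AT_PAGESZ = %llu\n",
	    n, (unsigned long long)pagesz);
	return 0;
}
```

The lookup is the same loop shape as the patched Pgetauxval, with the count derived from the byte length at read time; running it against the constructed vectors shows that the AT_ENTRY entry hidden behind an AT_NULL is not returned, and that a zero count never touches memory.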