[lxc-devel] [PATCH 1/6] fix integer overflow in setproctitle
Tycho Andersen
tycho.andersen at canonical.com
Mon Apr 13 18:07:00 UTC 2015
1. prctl() only accepts longs, so we can just scan the stat file as longs.
2. check overflow before addition
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
src/lxc/utils.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 1df6e8f..cc12ecd 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1599,7 +1599,7 @@ int setproctitle(char *title)
char buf[2048], *tmp;
FILE *f;
int i, len, ret = 0;
- unsigned long arg_start, arg_end, env_start, env_end;
+ long arg_start, arg_end, env_start, env_end;
f = fopen_cloexec("/proc/self/stat", "r");
if (!f) {
@@ -1624,7 +1624,7 @@ int setproctitle(char *title)
if (!tmp)
return -1;
- i = sscanf(tmp, "%lu %lu %lu %lu", &arg_start, &arg_end, &env_start, &env_end);
+ i = sscanf(tmp, "%ld %ld %ld %ld", &arg_start, &arg_end, &env_start, &env_end);
if (i != 4) {
return -1;
}
@@ -1644,15 +1644,21 @@ int setproctitle(char *title)
if (len >= arg_end - arg_start) {
env_start = env_end;
}
+
+ /* check overflow */
+ if (arg_start + len < 0) {
+ return -1;
+ }
+
arg_end = arg_start + len;
}
strcpy((char*)arg_start, title);
- ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, (long)arg_start, 0, 0);
- ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, (long)arg_end, 0, 0);
- ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, (long)env_start, 0, 0);
- ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, (long)env_end, 0, 0);
+ ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, arg_start, 0, 0);
+ ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, arg_end, 0, 0);
+ ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, env_start, 0, 0);
+ ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, env_end, 0, 0);
return ret;
}
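Review bot: The new guard `if (arg_start + len < 0)` relies on signed overflow to detect overflow, but `arg_start` (now `long`) and `len` (`int`) are both signed, so an overflowing `arg_start + len` is undefined behaviour and an optimizing compiler may treat the comparison as always false and drop the check entirely. Test against the limit instead of the sign of the sum, e.g. `if (len < 0 || arg_start < 0 || len > LONG_MAX - arg_start) return -1;` (needs `<limits.h>`), which cannot overflow for any input. The `%ld` conversion in the earlier hunk will accept a negative value, which is why the `arg_start < 0` term is worth keeping even though /proc/self/stat should not produce one. The enclosing `if` block and the beginning of setproctitle start outside this hunk, so I cannot see how `len` is derived; if it is not bounded by the `arg_end - arg_start` comparison above, the `strcpy` on the next line is also worth a comment stating what guarantees the copy stays within the argument/environment area.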
--
2.1.4