[lxc-devel] [PATCH 1/6] fix integer overflow in setproctitle

Tycho Andersen tycho.andersen at canonical.com
Mon Apr 13 19:21:24 UTC 2015


On Mon, Apr 13, 2015 at 07:05:24PM +0000, Serge Hallyn wrote:
> Quoting Tycho Andersen (tycho.andersen at canonical.com):
> > 1. prctl() only accepts longs, so we can just scan the stat file as longs.
> 
> ? That's not what the manpage tells me.

Hmm, yeah, I must be crazy. I'm not sure why the casts were in there
before then. I'll send a different patch.

Tycho

> > 2. check overflow before addition
> > 
> > Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
> > ---
> >  src/lxc/utils.c | 18 ++++++++++++------
> >  1 file changed, 12 insertions(+), 6 deletions(-)
> > 
> > diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> > index 1df6e8f..cc12ecd 100644
> > --- a/src/lxc/utils.c
> > +++ b/src/lxc/utils.c
> > @@ -1599,7 +1599,7 @@ int setproctitle(char *title)
> >  	char buf[2048], *tmp;
> >  	FILE *f;
> >  	int i, len, ret = 0;
> > -	unsigned long arg_start, arg_end, env_start, env_end;
> > +	long arg_start, arg_end, env_start, env_end;
> >  
> >  	f = fopen_cloexec("/proc/self/stat", "r");
> >  	if (!f) {
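
Review bot: Changing arg_start/arg_end/env_start/env_end from unsigned long to long contradicts the prctl(2) prototype, whose arg2..arg5 parameters are unsigned long, and it is also what creates the overflow problem the third hunk then has to guard against: once these addresses are signed, arg_start + len can overflow a signed type, which is undefined behaviour. Keep the four variables as unsigned long, which also matches how the kernel reports these fields, and do the range check in unsigned arithmetic instead.
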
> > @@ -1624,7 +1624,7 @@ int setproctitle(char *title)
> >  	if (!tmp)
> >  		return -1;
> >  
> > -	i = sscanf(tmp, "%lu %lu %lu %lu", &arg_start, &arg_end, &env_start, &env_end);
> > +	i = sscanf(tmp, "%ld %ld %ld %ld", &arg_start, &arg_end, &env_start, &env_end);
> >  	if (i != 4) {
> >  		return -1;
> >  	}
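
Review bot: Switching the format from "%lu %lu %lu %lu" to "%ld %ld %ld %ld" parses fields that /proc/self/stat prints as unsigned values into signed storage; if a value does not fit in a long, the behaviour of sscanf is undefined, so this line trades one overflow hazard for another. With the variables left as unsigned long the original "%lu" conversions were correct and should stay.
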
> > @@ -1644,15 +1644,21 @@ int setproctitle(char *title)
> >  		if (len >= arg_end - arg_start) {
> >  			env_start = env_end;
> >  		}
> > +
> > +		/* check overflow */
> > +		if (arg_start + len < 0) {
> > +			return -1;
> > +		}
> > +
> >  		arg_end = arg_start + len;
> >  	}
> >  
> >  	strcpy((char*)arg_start, title);
> >  
> > -	ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START,   (long)arg_start, 0, 0);
> > -	ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END,     (long)arg_end, 0, 0);
> > -	ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START,   (long)env_start, 0, 0);
> > -	ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END,     (long)env_end, 0, 0);
> > +	ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START,   arg_start, 0, 0);
> > +	ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END,     arg_end, 0, 0);
> > +	ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START,   env_start, 0, 0);
> > +	ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END,     env_end, 0, 0);
> >  
> >  	return ret;
> >  }
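
Review bot: The new check `if (arg_start + len < 0)` relies on signed integer overflow to detect the problem, and signed overflow is undefined behaviour in C, so an optimising compiler may assume the sum is never negative and remove the test altogether. Check before adding rather than after: with the variables left as unsigned long, something like `if (len < 0 || (unsigned long)len > ULONG_MAX - arg_start) return -1;` is well defined and catches the same condition. Note also that len is an int while arg_end - arg_start is a long, so the mixed comparison on the first context line deserves an explicit cast or a len of type size_t to make the intent clear.
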
> > -- 
> > 2.1.4
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
