From 54d7969117878180279bf907baec5d4ec562c212 Mon Sep 17 00:00:00 2001 From: zhouwenpei Date: Thu, 10 Nov 2022 07:43:13 +0000 Subject: [PATCH] fix CVE-2022-39377 --- backport-CVE-2022-39377.patch | 87 +++++++++++++++++++++++++++++++++++ sysstat.spec | 7 ++- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-39377.patch diff --git a/backport-CVE-2022-39377.patch b/backport-CVE-2022-39377.patch new file mode 100644 index 0000000..ee6d64c --- /dev/null +++ b/backport-CVE-2022-39377.patch @@ -0,0 +1,87 @@ +From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 +From: Sebastien +Date: Sat, 15 Oct 2022 14:24:22 +0200 +Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) + +allocate_structures function located in sa_common.c insufficiently +checks bounds before arithmetic multiplication allowing for an +overflow in the size allocated for the buffer representing system +activities. + +This patch checks that the post-multiplied value is not greater than +UINT_MAX. + +Signed-off-by: Sebastien +--- + common.c | 25 +++++++++++++++++++++++++ + common.h | 2 ++ + sa_common.c | 6 ++++++ + 3 files changed, 33 insertions(+) + +diff --git a/common.c b/common.c +index 81c77624..1a84b052 100644 +--- a/common.c ++++ b/common.c +@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + + return 0; + } ++ ++/* ++ *************************************************************************** ++ * Check if the multiplication of the 3 values may be greater than UINT_MAX. ++ * ++ * IN: ++ * @val1 First value. ++ * @val2 Second value. ++ * @val3 Third value. ++ *************************************************************************** ++ */ ++void check_overflow(size_t val1, size_t val2, size_t val3) ++{ ++ if ((unsigned long long) val1 * ++ (unsigned long long) val2 * ++ (unsigned long long) val3 > UINT_MAX) { ++#ifdef DEBUG ++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", ++ __FUNCTION__, ++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++#endif ++ exit(4); ++ } ++} ++ + #endif /* SOURCE_SADC undefined */ +diff --git a/common.h b/common.h +index 55b6657d..e8ab98ab 100644 +--- a/common.h ++++ b/common.h +@@ -260,6 +260,8 @@ int check_dir + (char *); + + #ifndef SOURCE_SADC ++void check_overflow ++ (size_t, size_t, size_t); + int count_bits + (void *, int); + int count_csvalues +diff --git a/sa_common.c b/sa_common.c +index 3699a840..b2cec4ad 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[]) + int i, j; + + for (i = 0; i < NR_ACT; i++) { ++ + if (act[i]->nr_ini > 0) { ++ ++ /* Look for a possible overflow */ ++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, ++ (size_t) act[i]->nr2); ++ + for (j = 0; j < 3; j++) { + SREALLOC(act[i]->buf[j], void, + (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); + + diff --git a/sysstat.spec b/sysstat.spec index a5f67fa..851ee42 100644 --- a/sysstat.spec +++ b/sysstat.spec @@ -1,11 +1,13 @@ Name: sysstat Version: 12.5.4 -Release: 3 +Release: 4 Summary: System performance tools for the Linux operating system License: GPLv2+ URL: http://sebastien.godard.pagesperso-orange.fr/ Source0: http://sebastien.godard.pagesperso-orange.fr/%{name}-%{version}.tar.gz +Patch0000: backport-CVE-2022-39377.patch + BuildRequires: gcc, gettext, lm_sensors-devel, systemd Requires: findutils, xz @@ -83,6 +85,9 @@ export compressafter="31" %{_mandir}/man*/* %changelog +* Thu Nov 10 2022 zhouwenpei - 12.5.4-4 +- fix CVE-2022-39377 + * Mon Jun 13 2022 wuchaochao - 12.5.4-3 - add check -- Gitee