1From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 2From: Sebastien <seb@fedora-2.home> 3Date: Sat, 15 Oct 2022 14:24:22 +0200 4Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) 5 6allocate_structures function located in sa_common.c insufficiently 7checks bounds before arithmetic multiplication allowing for an 8overflow in the size allocated for the buffer representing system 9activities. 10 11This patch checks that the post-multiplied value is not greater than 12UINT_MAX. 13 14Signed-off-by: Sebastien <seb@fedora-2.home> 15 16Upstream-Status: Backport from 17[https://github.com/sysstat/sysstat/commit/a953ee3307d51255cc96e1f211882e97f795eed9] 18 19Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> 20--- 21 common.c | 25 +++++++++++++++++++++++++ 22 common.h | 2 ++ 23 sa_common.c | 6 ++++++ 24 3 files changed, 33 insertions(+) 25 26diff --git a/common.c b/common.c 27index 81c7762..1a84b05 100644 28--- a/common.c 29+++ b/common.c 30@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char 31 32 return 0; 33 } 34+ 35+/* 36+ *************************************************************************** 37+ * Check if the multiplication of the 3 values may be greater than UINT_MAX. 38+ * 39+ * IN: 40+ * @val1 First value. 41+ * @val2 Second value. 42+ * @val3 Third value. 43+ *************************************************************************** 44+ */ 45+void check_overflow(size_t val1, size_t val2, size_t val3) 46+{ 47+ if ((unsigned long long) val1 * 48+ (unsigned long long) val2 * 49+ (unsigned long long) val3 > UINT_MAX) { 50+#ifdef DEBUG 51+ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", 52+ __FUNCTION__, 53+ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); 54+#endif 55+ exit(4); 56+ } 57+} 58+ 59 #endif /* SOURCE_SADC undefined */ 60diff --git a/common.h b/common.h 61index 55b6657..e8ab98a 100644 62--- a/common.h 63+++ b/common.h 64@@ -260,6 +260,8 @@ int check_dir 65 (char *); 66 67 #ifndef SOURCE_SADC 68+void check_overflow 69+ (size_t, size_t, size_t); 70 int count_bits 71 (void *, int); 72 int count_csvalues 73diff --git a/sa_common.c b/sa_common.c 74index 3699a84..b2cec4a 100644 75--- a/sa_common.c 76+++ b/sa_common.c 77@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[]) 78 int i, j; 79 80 for (i = 0; i < NR_ACT; i++) { 81+ 82 if (act[i]->nr_ini > 0) { 83+ 84+ /* Look for a possible overflow */ 85+ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, 86+ (size_t) act[i]->nr2); 87+ 88 for (j = 0; j < 3; j++) { 89 SREALLOC(act[i]->buf[j], void, 90 (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); 91-- 922.34.1 93 94