elf_note_prpsinfo: handle more failures from proc_getargv()

Resulting sbuf_len() from proc_getargv() might return 0 if user mangled ps_strings enough. Also, sbuf_len() API contract is to return -1 if the buffer overflowed. The later should not occur because get_ps_strings() checks for catenated length, but check for this subtle detail explicitly as well to be more resilent. The end result is that p_comm is used in this situations. Approved by: so Security: FreeBSD-SA-22:09.elf Reported by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net> Reviewed by: delphij, markj admbugs: 988 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35391 (cherry picked from commit 00d17cf342) (cherry picked from commit 8a44a2c644)
2022-06-03 11:21:23 +03:00 · 2022-06-03 11:21:23 +03:00 · 69a456c0b6
commit 69a456c0b6
parent 26db194f3d
1 changed files with 7 additions and 4 deletions
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@ -2303,13 +2303,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, size_t *sizep)
 			    sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
 			error = proc_getargv(curthread, p, &sbarg);
 			PRELE(p);
-			if (sbuf_finish(&sbarg) == 0)
-				len = sbuf_len(&sbarg) - 1;
-			else
+			if (sbuf_finish(&sbarg) == 0) {
+				len = sbuf_len(&sbarg);
+				if (len > 0)
+					len--;
+			} else {
 				len = sizeof(psinfo->pr_psargs) - 1;
+			}
 			sbuf_delete(&sbarg);
 		}
-		if (error || len == 0)
+		if (error != 0 || len == 0 || (ssize_t)len == -1)
 			strlcpy(psinfo->pr_psargs, p->p_comm,
 			    sizeof(psinfo->pr_psargs));
 		else {