Coordinated Disclosure Timeline

  • 2022-09-29: Sent out report to Sebastien Godard
  • 2022-10-09: Initial acknowledgment
  • 2022-10-24: Patch Published
  • 2022-11-05: Advisory Added To Repo and CVE Assigned
  • 2022-11-07: Patch Refactored

Summary

On 32-bit systems, an arithmetic overflow in allocate_structures can be triggered when displaying activity data files. The resulting undersized buffer may lead to a variety of exploit primitives.

Product

sysstat

Tested Version

Details

Issue: size_t overflow in sa_common.c (GHSL-2022-074)

The allocate_structures function in sa_common.c does not check its operands before the multiplication at [1]. act[i]->msize, act[i]->nr_ini and act[i]->nr2 are multiplied together to size the buffers that hold system activity records; on a 32-bit system, where size_t is itself only 32 bits wide, the product can wrap around (the (size_t) casts do not widen it), so SREALLOC allocates a buffer far smaller than the data that is later written into it.

void allocate_structures(struct activity *act[])
{
	int i, j;

	for (i = 0; i < NR_ACT; i++) {
		if (act[i]->nr_ini > 0) {
			for (j = 0; j < 3; j++) {
				/* Product computed in size_t: 32 bits wide on a 32-bit build,
				 * so msize * nr_ini * nr2 can wrap to a small value. */
				SREALLOC(act[i]->buf[j], void,
						(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);  // [1]
			}
			act[i]->nr_allocated = act[i]->nr_ini;
		}
	}
}
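As an added illustration, not code from sysstat or from the GHSL report, the following C program reproduces the wrap-around using a 32-bit-wide size type so it is visible on a 64-bit host, and places a checked alternative built on __builtin_mul_overflow (GCC/Clang) next to it. The header values, the function names and the uint32_t simulation of a 32-bit size_t are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulate the 32-bit size_t of a 32-bit build so the wrap-around is
 * visible on a 64-bit host. Illustration only, not sysstat's own types. */
typedef uint32_t size32_t;

/* The unchecked product as allocate_structures computes it at [1]:
 * each multiplication is done in 32 bits and silently wraps modulo 2^32. */
size32_t unchecked_alloc_size(size32_t msize, size32_t nr_ini, size32_t nr2)
{
	return msize * nr_ini * nr2;
}

/* Exact amount of data the buffer is meant to hold, computed in 64 bits
 * so it cannot wrap; used here only to show the shortfall. */
uint64_t intended_alloc_size(size32_t msize, size32_t nr_ini, size32_t nr2)
{
	return (uint64_t)msize * nr_ini * nr2;
}

/* Checked alternative: returns the size, or -1 if any intermediate
 * product does not fit in a 32-bit size_t. __builtin_mul_overflow
 * reports overflow relative to the type of its third argument. */
int64_t checked_alloc_size(size32_t msize, size32_t nr_ini, size32_t nr2)
{
	size32_t tmp, total;

	if (__builtin_mul_overflow(msize, nr_ini, &tmp))
		return -1;
	if (__builtin_mul_overflow(tmp, nr2, &total))
		return -1;
	return (int64_t)total;
}

int main(void)
{
	/* Constructed header values for the demo (not from a real data file):
	 * 4096 * 1048577 = 2^32 + 4096, which wraps to exactly 4096. */
	size32_t msize = 4096, nr_ini = 1048577, nr2 = 1;
	size32_t wrapped = unchecked_alloc_size(msize, nr_ini, nr2);
	int64_t safe = checked_alloc_size(msize, nr_ini, nr2);

	printf("unchecked allocation: %u bytes for %llu bytes of data\n",
	       (unsigned)wrapped,
	       (unsigned long long)intended_alloc_size(msize, nr_ini, nr2));

	if (safe < 0) {
		fprintf(stderr, "allocation size overflows 32-bit size_t; refusing to allocate\n");
		return 1;
	}

	void *buf = malloc((size_t)safe);
	if (buf == NULL)
		return 1;
	free(buf);
	return 0;
}
```

Built with gcc or clang on any host, the program reports that 4096 bytes would be allocated for just over 4 GiB of data and then exits with status 1 from the checked path; with operands whose product fits (for example 4096, 1024 and 2) the checked path allocates 8388608 bytes. Without compiler builtins the same check can be written as a division test (for non-zero operands, nr_ini <= SIZE_MAX / msize) before each multiplication.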

Impact

This issue may lead to Remote Code Execution (RCE).

CVE

  • CVE-2022-39377

Resources

  • CodeQL Query: https://github.com/github/codeql/blob/main/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-074 in any communication regarding this issue.