From 8c4a3b7c651b0d9dccfc3efc8b8f0dbea9dd552a Mon Sep 17 00:00:00 2001
From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Date: Mon, 30 Sep 2024 10:19:50 +0800
Subject: [PATCH] procps: patch CVE-2023-4016

Previous patch[1] for CVE-2023-4016 is insufficent. Backport more from upstream master. There is one change needed to apply this patch: * change file location from local/xalloc.h to include/xalloc.h [1] https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/procps/procps/CVE-2023-4016.patch?h=kirkstone&id=71d0683d625c09d4db5e0473a0b15a266aa787f4 (From OE-Core rev: 94521a1e49e8fd9193211f486995d2e504f99d3f)
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../procps/procps/CVE-2023-4016-2.patch | 60 +++++++++++++++++++
 meta/recipes-extended/procps/procps_3.3.17.bb | 3 +-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch
diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch
new file mode 100644
index 00000000000..72690680458
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch
@@ -0,0 +1,60 @@
+From 93bb86a37a0cf7b9c71e374f3c9aac7dbfe2953a Mon Sep 17 00:00:00 2001
+From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+Date: Fri, 27 Sep 2024 14:22:32 +0800
+Subject: [PATCH] procps: patch CVE-2023-4016
+
+ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr
+
+* ps/parser.c:parse_list(): Regression (2c933ecb): node->u is uninitialized at
+ free(node->u) when reached before node->u=xcalloc().
+* ps/parser.c:parse_list(): When "arg" is very long, CVE-2023-4016 is triggered.
+ 2c933ecb handles the multiplication issue, but there is still the possibility
+ of int overflow when incrementing "items".
+
+CVE: CVE-2023-4016
+
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/f5f843e257daeceaac2504b8957e84f4bf87a8f2]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ include/xalloc.h | 2 +-
+ ps/parser.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/xalloc.h b/include/xalloc.h
+index 8b4d368f..a8046892 100644
+--- a/include/xalloc.h
++++ b/include/xalloc.h
+@@ -42,7 +42,7 @@ void *xcalloc(const size_t nelems, const size_t size)
+ {
+ void *ret = calloc(nelems, size);
+ if (!ret && size && nelems)
+- xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", size);
++ xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", nelems*size);
+ return ret;
+ }
+
+diff --git a/ps/parser.c b/ps/parser.c
+index 5c92fce4..a94b49ff 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -185,6 +185,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ /*** prepare to operate ***/
+ node = malloc(sizeof(selection_node));
+ node->n = 0;
++ node->u = NULL;
+ buf = strdup(arg);
+ /*** sanity check and count items ***/
+ need_item = 1; /* true */
+@@ -198,7 +199,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ need_item=1;
+ break;
+ default:
+- if(need_item) items++;
++ if(need_item && items<INT_MAX) items++;
+ need_item=0;
+ }
+ } while (*++walk);
+--
+2.34.1
+
diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb
index 897f28f1876..bbec5a543c1 100644
--- a/meta/recipes-extended/procps/procps_3.3.17.bb
+++ b/meta/recipes-extended/procps/procps_3.3.17.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
 file://0001-w.c-correct-musl-builds.patch \
 file://0002-proc-escape.c-add-missing-include.patch \
 file://CVE-2023-4016.patch \
+ file://CVE-2023-4016-2.patch \
 "
 SRCREV = "19a508ea121c0c4ac6d0224575a036de745eaaf8"
@@ -101,4 +102,4 @@ ALTERNATIVE_LINK_NAME[ps] = "${base_bindir}/ps"
 ALTERNATIVE:${PN}-sysctl = "sysctl"
 ALTERNATIVE_TARGET[sysctl] = "${base_sbindir}/sysctl"
-ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"
\ No newline at end of file
+ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"
-- GitLab
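Review bot: In the embedded include/xalloc.h hunk, the new argument `nelems*size` is computed in size_t and wraps whenever calloc() fails because that product overflows, so the message can report a small, misleading byte count in exactly the oversized-request case. Printing the operands avoids the second multiplication: `xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu elements of %zu bytes", nelems, size);`. In the ps/parser.c hunk, `node` is written through on the line right after `malloc(sizeof(selection_node))` with no NULL test, and the added `node->u = NULL;` is one more such write; parse_list() begins and ends outside the hunk. `INT_MAX` requires `<limits.h>`, which this patch does not add to ps/parser.c, so it is worth confirming the 3.3.17 source already includes it.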