skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
January 20, 2023

GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377

Kevin Stubbings

Coordinated Disclosure Timeline

Summary

On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.

Product

sysstat

Tested Version

Details

Issue: size_t overflow in sa_common.c (GHSL-2022-074)

allocate_structures function located in sa_common.c insufficiently checks bounds before arithmetic multiplication ([1]) allowing for an overflow in the size allocated for the buffer representing system activities.

void allocate_structures(struct activity *act[])
{
	int i, j;

	for (i = 0; i < NR_ACT; i++) {
		if (act[i]->nr_ini > 0) {
			for (j = 0; j < 3; j++) {
				SREALLOC(act[i]->buf[j], void,
						(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);  // [1]
			}
			act[i]->nr_allocated = act[i]->nr_ini;
		}
	}
}

Impact

This issue may lead to Remote Code Execution (RCE)

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-074 in any communication regarding this issue.