Bug 1170177 - AUDIT-FIND: enlightenment: enlightenment_system: _cb_stdio_in_read(): potentially large memory allocation based on untrusted user data
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Simon Lees
Blocks: 1169238
Reported: 2020-04-22 10:00 UTC by Matthias Gerstner
Modified: 2020-05-22 08:36 UTC (History)
Description Matthias Gerstner 2020-04-22 10:00:25 UTC
+++ This bug was initially created as a clone of Bug #1169238

h) `_cb_stdio_in_read()`: potentially large memory allocation based on untrusted user data

The line `buf = malloc(head.size)` takes the untrusted size specification
provided by the unprivileged user to allocate a potentially large chunk of
data. On Linux this is mostly uncritical, because the kernel overcommits
memory. On other OSs this could be used to hog memory in a root process.

I suggest implementing a reasonable maximum message size and rejecting everything
else.
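The pattern the audit describes, shown as an added example that is not enlightenment's own code: a hypothetical `msg_head_t` header whose `size` field is chosen by the unprivileged client, the unbounded `malloc(head.size)` the finding refers to, and a bounded reader that rejects anything above a 1 MB cap (the limit the later fix adopted) before allocating. The header layout, the in-memory wire buffer, and all function names are assumptions made for the example; the real `_cb_stdio_in_read()` reads from a pipe and its struct may differ.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical message header (assumption; the project's real struct may differ).
 * `size` is the body length and is written by the unprivileged client. */
typedef struct {
    uint32_t cmd;
    uint32_t size;
} msg_head_t;

/* Upper bound on a message body; mirrors the 1 MB limit from the 0.24 fix. */
#define MSG_MAX_BODY (1024u * 1024u)

typedef enum {
    MSG_OK = 0,
    MSG_ERR_SHORT_HEAD,   /* fewer bytes available than a header */
    MSG_ERR_TOO_LARGE,    /* head.size exceeds MSG_MAX_BODY */
    MSG_ERR_SHORT_BODY,   /* head.size promises more bytes than were sent */
    MSG_ERR_OOM
} msg_status_t;

/* Before: the pattern the audit flagged. Whatever the client put into
 * head.size goes straight to malloc(). On Linux overcommit usually lets a
 * 4 GB request succeed lazily; elsewhere it can pin that much memory in a
 * root process. */
static char *read_body_unbounded(const msg_head_t *head)
{
    return malloc(head->size);
}

/* After: parse header + body from an in-memory buffer (constructed stand-in
 * for the pipe), refusing oversized sizes before any allocation happens.
 * On MSG_OK, *body holds head->size bytes and the caller must free() it. */
static msg_status_t read_message_bounded(const unsigned char *in, size_t in_len,
                                         msg_head_t *head, char **body)
{
    if (in_len < sizeof(*head)) return MSG_ERR_SHORT_HEAD;
    memcpy(head, in, sizeof(*head));
    if (head->size > MSG_MAX_BODY) return MSG_ERR_TOO_LARGE;   /* reject, do not allocate */
    if (in_len - sizeof(*head) < head->size) return MSG_ERR_SHORT_BODY;
    char *buf = malloc(head->size ? head->size : 1);          /* avoid malloc(0) */
    if (!buf) return MSG_ERR_OOM;
    memcpy(buf, in + sizeof(*head), head->size);
    *body = buf;
    return MSG_OK;
}

/* Build a constructed wire message: header followed by body bytes.
 * claimed_size is written into the header independently of body_len so a
 * test can lie about the length exactly as a hostile client would. */
static size_t build_message(unsigned char *out, size_t out_cap, uint32_t cmd,
                            uint32_t claimed_size, const char *body, size_t body_len)
{
    msg_head_t h = { cmd, claimed_size };
    if (out_cap < sizeof(h) + body_len) return 0;
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), body, body_len);
    return sizeof(h) + body_len;
}

int main(void)
{
    unsigned char wire[64];
    msg_head_t head;
    char *body = NULL;

    /* A well-formed small message passes both readers. */
    size_t n = build_message(wire, sizeof wire, 1, 5, "hello", 5);
    msg_status_t st = read_message_bounded(wire, n, &head, &body);
    printf("small message: status=%d body=%.*s\n", st, (int)head.size, body);
    free(body);
    char *u = read_body_unbounded(&head);   /* same 5-byte request, harmless here */
    free(u);

    /* An attacker-chosen 4 GB size is rejected before malloc() is reached. */
    n = build_message(wire, sizeof wire, 1, 0xFFFFFFFFu, "", 0);
    st = read_message_bounded(wire, n, &head, &body);
    printf("oversized message: status=%d\n", st);
    return 0;
}
```

The cap is checked against the header alone, so the rejection costs nothing even when the client never sends a body; the separate `MSG_ERR_SHORT_BODY` check keeps a truncated message from being copied out of bounds. A real pipe reader would accumulate bytes until `head.size` are present, but the size check belongs in the same place: right after the header is complete and before any buffer is sized from it.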
Comment 1 Simon Lees 2020-04-22 11:08:59 UTC
Upstream: https://phab.enlightenment.org/T8677
Comment 3 Matthias Gerstner 2020-04-30 13:41:52 UTC
This one was also simple. It's fixed.
Comment 4 Matthias Gerstner 2020-05-22 08:36:47 UTC
The limitation to a maximum of 1 MB is now implemented in the 0.24 release.
Closing as fixed.