diff -pruN 12.5.6-1/debian/changelog 12.5.6-1ubuntu1/debian/changelog
--- 12.5.6-1/debian/changelog	2022-03-21 21:40:51.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/changelog	2022-11-25 17:10:49.000000000 +0000
@@ -1,3 +1,17 @@
+sysstat (12.5.6-1ubuntu1) lunar; urgency=medium
+
+  * SECURITY UPDATE: overflow in arithmetic multiplication
+    - debian/patches/CVE-2022-39377-1.patch: fix size_t overflow in
+      common.c, common.h, sa_common.c.
+    - debian/patches/CVE-2022-39377-2.patch: add more overflow checks in
+      common.c, common.h, sa_common.c, sadc.c.
+    - debian/patches/CVE-2022-39377-3.patch: make sure values to be
+      compared are unsigned integers in common.c, common.h, sa_common.c,
+      sadc.c.
+    - CVE-2022-39377
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 25 Nov 2022 12:10:49 -0500
+
 sysstat (12.5.6-1) unstable; urgency=low
 
   * New upstream development version.
diff -pruN 12.5.6-1/debian/control 12.5.6-1ubuntu1/debian/control
--- 12.5.6-1/debian/control	2022-03-21 21:40:51.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/control	2022-11-25 17:10:49.000000000 +0000
@@ -1,7 +1,8 @@
 Source: sysstat
 Section: admin
 Priority: optional
-Maintainer: Robert Luberda <robert@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Robert Luberda <robert@debian.org>
 Build-Depends: debhelper-compat (= 13),
                gettext,
                libsensors-dev,
diff -pruN 12.5.6-1/debian/patches/CVE-2022-39377-1.patch 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-1.patch
--- 12.5.6-1/debian/patches/CVE-2022-39377-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-1.patch	2022-11-25 17:10:30.000000000 +0000
@@ -0,0 +1,79 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+
+Signed-off-by: Sebastien <seb@fedora-2.home>
+---
+ common.c    | 25 +++++++++++++++++++++++++
+ common.h    |  2 ++
+ sa_common.c |  6 ++++++
+ 3 files changed, 33 insertions(+)
+
+--- a/common.c
++++ b/common.c
+@@ -1659,4 +1659,29 @@ int parse_values(char *strargv, unsigned
+ 
+ 	return 0;
+ }
++
++/*
++ ***************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1	First value.
++ * @val2	Second value.
++ * @val3	Third value.
++ ***************************************************************************
++ */
++void check_overflow(size_t val1, size_t val2, size_t val3)
++{
++	if ((unsigned long long) val1 *
++	    (unsigned long long) val2 *
++	    (unsigned long long) val3 > UINT_MAX) {
++#ifdef DEBUG
++		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++			__FUNCTION__,
++			(unsigned long long) val1 * (unsigned long long) val2 *	(unsigned long long) val3);
++#endif
++	exit(4);
++	}
++}
++
+ #endif /* SOURCE_SADC undefined */
+--- a/common.h
++++ b/common.h
+@@ -257,6 +257,8 @@ int check_dir
+ 	(char *);
+ 
+ #ifndef SOURCE_SADC
++void check_overflow
++	(size_t, size_t, size_t);
+ int count_bits
+ 	(void *, int);
+ int count_csvalues
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -459,7 +459,13 @@ void allocate_structures(struct activity
+ 	int i, j;
+ 
+ 	for (i = 0; i < NR_ACT; i++) {
++
+ 		if (act[i]->nr_ini > 0) {
++
++			/* Look for a possible overflow */
++			check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
++				       (size_t) act[i]->nr2);
++
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+ 						(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
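Review bot: The guard in check_overflow (common.c) multiplies `val1 * val2 * val3` in unsigned long long and only then compares the result with UINT_MAX, so the multiplication itself can wrap around the width of unsigned long long, and a wrapped result at or below UINT_MAX passes the check. The same pattern remains in the check_overflow versions carried by CVE-2022-39377-2.patch and CVE-2022-39377-3.patch; even with three unsigned int operands the true product can need up to 96 bits. Testing one factor at a time avoids the wide multiply, for example `if ((val2 && val1 > UINT_MAX / val2) || (val3 && val1 * val2 > UINT_MAX / val3)) exit(4);`. check_overflow is complete in this hunk, while allocate_structures begins and ends outside it.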
diff -pruN 12.5.6-1/debian/patches/CVE-2022-39377-2.patch 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-2.patch
--- 12.5.6-1/debian/patches/CVE-2022-39377-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-2.patch	2022-11-25 17:10:40.000000000 +0000
@@ -0,0 +1,127 @@
+From c9a11d35df4aecfcf22aef827bac6cd57def9d4e Mon Sep 17 00:00:00 2001
+From: Sebastien GODARD <sysstat@users.noreply.github.com>
+Date: Sun, 23 Oct 2022 16:22:28 +0200
+Subject: [PATCH] Add more overflow checks
+
+Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
+---
+ common.c    | 45 +++++++++++++++++++++------------------------
+ common.h    |  4 ++--
+ sa_common.c |  9 +++++++--
+ sadc.c      |  6 ++++++
+ 4 files changed, 36 insertions(+), 28 deletions(-)
+
+--- a/common.c
++++ b/common.c
+@@ -434,6 +434,27 @@ int check_dir(char *dirname)
+ 	return 0;
+ }
+ 
++/*
++ * **************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1	First value.
++ * @val2	Second value.
++ * @val3	Third value.
++ ***************************************************************************
++ */
++void check_overflow(unsigned long long val1, unsigned long long val2,
++		    unsigned long long val3)
++{
++	if (val1 * val2 * val3 > UINT_MAX) {
++#ifdef DEBUG
++		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++			__FUNCTION__, val1 * val2 * val3);
++#endif
++	exit(4);
++		}
++}
+ 
+ #ifndef SOURCE_SADC
+ /*
+@@ -1660,28 +1681,4 @@ int parse_values(char *strargv, unsigned
+ 	return 0;
+ }
+ 
+-/*
+- ***************************************************************************
+- * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+- *
+- * IN:
+- * @val1	First value.
+- * @val2	Second value.
+- * @val3	Third value.
+- ***************************************************************************
+- */
+-void check_overflow(size_t val1, size_t val2, size_t val3)
+-{
+-	if ((unsigned long long) val1 *
+-	    (unsigned long long) val2 *
+-	    (unsigned long long) val3 > UINT_MAX) {
+-#ifdef DEBUG
+-		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__,
+-			(unsigned long long) val1 * (unsigned long long) val2 *	(unsigned long long) val3);
+-#endif
+-	exit(4);
+-	}
+-}
+-
+ #endif /* SOURCE_SADC undefined */
+--- a/common.h
++++ b/common.h
+@@ -255,10 +255,10 @@ int get_wwnid_from_pretty
+ 	(char *, unsigned long long *, unsigned int *);
+ int check_dir
+ 	(char *);
++void check_overflow
++	(unsigned long long, unsigned long long, unsigned long long);
+ 
+ #ifndef SOURCE_SADC
+-void check_overflow
+-	(size_t, size_t, size_t);
+ int count_bits
+ 	(void *, int);
+ int count_csvalues
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -463,8 +463,9 @@ void allocate_structures(struct activity
+ 		if (act[i]->nr_ini > 0) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+-				       (size_t) act[i]->nr2);
++			check_overflow((unsigned long long) act[i]->msize,
++				       (unsigned long long) act[i]->nr_ini,
++				       (unsigned long long) act[i]->nr2);
+ 
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+@@ -529,6 +530,10 @@ void reallocate_all_buffers(struct activ
+ 		while (nr_realloc < nr_min);
+ 	}
+ 
++	/* Look for a possible overflow */
++	check_overflow((unsigned long long) a->msize, nr_realloc,
++		       (unsigned long long) a->nr2);
++
+ 	for (j = 0; j < 3; j++) {
+ 		SREALLOC(a->buf[j], void,
+ 			(size_t) a->msize * nr_realloc * (size_t) a->nr2);
+--- a/sadc.c
++++ b/sadc.c
+@@ -360,6 +360,12 @@ void sa_sys_init(void)
+ 		}
+ 
+ 		if (IS_COLLECTED(act[i]->options) && (act[i]->nr_ini > 0)) {
++
++			/* Look for a possible overflow */
++			check_overflow((unsigned long long) act[i]->msize,
++				       (unsigned long long) act[i]->nr_ini,
++				       (unsigned long long) act[i]->nr2);
++
+ 			/* Allocate structures for current activity (using nr_ini and nr2 results) */
+ 			SREALLOC(act[i]->_buf0, void,
+ 				 (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
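Review bot: The header comment on the relocated check_overflow in common.c lists only the three inputs and does not say that the function terminates the process with `exit(4)`, or that the "Overflow detected" message is compiled in only under `#ifdef DEBUG`. In a non-DEBUG build the new callers in reallocate_all_buffers and sa_sys_init therefore stop with no diagnostic, which makes a rejected size hard to tell apart from any other failure. I would add a line such as `* Exits with status 4 if the product exceeds UINT_MAX (message printed in DEBUG builds only).` to the comment. The `exit(4);` line and the closing brace after it are also indented inconsistently with the `if` body they belong to. sa_sys_init and reallocate_all_buffers both extend beyond the hunks shown.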
diff -pruN 12.5.6-1/debian/patches/CVE-2022-39377-3.patch 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-3.patch
--- 12.5.6-1/debian/patches/CVE-2022-39377-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/patches/CVE-2022-39377-3.patch	2022-11-25 17:10:46.000000000 +0000
@@ -0,0 +1,90 @@
+From 44f1dc159242c1e434a3b836cda49f084c5a96cc Mon Sep 17 00:00:00 2001
+From: Sebastien GODARD <sysstat@users.noreply.github.com>
+Date: Sun, 6 Nov 2022 15:48:16 +0100
+Subject: [PATCH] Make sure values to be compared are unsigned integers
+
+It seems safer to make sure that input values are unsigned int before
+casting them to unsigned long long and making the comparison.
+
+Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
+---
+ common.c    | 10 ++++++----
+ common.h    |  2 +-
+ sa_common.c | 10 +++++-----
+ sadc.c      |  6 +++---
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+--- a/common.c
++++ b/common.c
+@@ -444,13 +444,15 @@ int check_dir(char *dirname)
+  * @val3	Third value.
+  ***************************************************************************
+  */
+-void check_overflow(unsigned long long val1, unsigned long long val2,
+-		    unsigned long long val3)
++void check_overflow(unsigned int val1, unsigned int val2,
++		    unsigned int val3)
+ {
+-	if (val1 * val2 * val3 > UINT_MAX) {
++	if ((unsigned long long) val1 * (unsigned long long) val2 *
++	    (unsigned long long) val3 > UINT_MAX) {
+ #ifdef DEBUG
+ 		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__, val1 * val2 * val3);
++			__FUNCTION__, (unsigned long long) val1 * (unsigned long long) val2 *
++			(unsigned long long) val3);
+ #endif
+ 	exit(4);
+ 		}
+--- a/common.h
++++ b/common.h
+@@ -256,7 +256,7 @@ int get_wwnid_from_pretty
+ int check_dir
+ 	(char *);
+ void check_overflow
+-	(unsigned long long, unsigned long long, unsigned long long);
++	(unsigned int, unsigned int, unsigned int);
+ 
+ #ifndef SOURCE_SADC
+ int count_bits
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -463,9 +463,9 @@ void allocate_structures(struct activity
+ 		if (act[i]->nr_ini > 0) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((unsigned long long) act[i]->msize,
+-				       (unsigned long long) act[i]->nr_ini,
+-				       (unsigned long long) act[i]->nr2);
++			check_overflow((unsigned int) act[i]->msize,
++				       (unsigned int) act[i]->nr_ini,
++				       (unsigned int) act[i]->nr2);
+ 
+ 			for (j = 0; j < 3; j++) {
+ 				SREALLOC(act[i]->buf[j], void,
+@@ -531,8 +531,8 @@ void reallocate_all_buffers(struct activ
+ 	}
+ 
+ 	/* Look for a possible overflow */
+-	check_overflow((unsigned long long) a->msize, nr_realloc,
+-		       (unsigned long long) a->nr2);
++	check_overflow((unsigned int) a->msize, (unsigned int) nr_realloc,
++		       (unsigned int) a->nr2);
+ 
+ 	for (j = 0; j < 3; j++) {
+ 		SREALLOC(a->buf[j], void,
+--- a/sadc.c
++++ b/sadc.c
+@@ -362,9 +362,9 @@ void sa_sys_init(void)
+ 		if (IS_COLLECTED(act[i]->options) && (act[i]->nr_ini > 0)) {
+ 
+ 			/* Look for a possible overflow */
+-			check_overflow((unsigned long long) act[i]->msize,
+-				       (unsigned long long) act[i]->nr_ini,
+-				       (unsigned long long) act[i]->nr2);
++			check_overflow((unsigned int) act[i]->msize,
++				       (unsigned int) act[i]->nr_ini,
++				       (unsigned int) act[i]->nr2);
+ 
+ 			/* Allocate structures for current activity (using nr_ini and nr2 results) */
+ 			SREALLOC(act[i]->_buf0, void,
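Review bot: The new `(unsigned int)` casts at the call sites in sa_common.c and sadc.c narrow each operand before check_overflow sees it, while the SREALLOC size expressions that follow still use the uncast values as `size_t`. The declarations of `nr_realloc`, `msize`, `nr_ini` and `nr2` are outside these hunks; if any of them is wider than unsigned int, the cast discards the high bits, and the value that was checked is no longer the value that is allocated. A range test before narrowing would keep the two in step, e.g. `if (nr_realloc > UINT_MAX) exit(4);` ahead of the call in reallocate_all_buffers, or check_overflow could take the same type the allocation uses. The enclosing functions start and end outside the hunks.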
diff -pruN 12.5.6-1/debian/patches/series 12.5.6-1ubuntu1/debian/patches/series
--- 12.5.6-1/debian/patches/series	2022-03-21 21:40:51.000000000 +0000
+++ 12.5.6-1ubuntu1/debian/patches/series	2022-11-25 17:10:42.000000000 +0000
@@ -10,3 +10,6 @@
 13-irqstat-interpreter.patch
 14-simtest-run-all.patch
 15-sa2-bash.patch
+CVE-2022-39377-1.patch
+CVE-2022-39377-2.patch
+CVE-2022-39377-3.patch
