Impact
In userspace/libscap/scap_fds.c, some readlink calls were made with SCAP_MAX_PATH_SIZE as the buffer size. The issue is that these buffers are then manually NUL-terminated with link_name[r] = '\0';, which can overflow the buffer by one byte when readlink fills it completely (in that case r equals the buffer size). Given the explanation below, this issue does not look like it is exploitable in Falco ("exploitability: None").
Example (libs/userspace/libscap/linux/scap_fds.c, line 78 at commit 5c25fca):

    r = readlink(fname, link_name, SCAP_MAX_PATH_SIZE);
Compiled with -O0, the compiler leaves the locals on the stack in the order they are declared, so we have on the stack (in the order of stack growth) the return address, a canary, the frame pointer and the end of link_name. The line link_name[r] = '\0'; therefore writes a zero byte out of bounds onto the frame pointer, which may already start with zero bytes.
So in this precise situation there are no consequences. But in a different setup, where locals could be located before the buffer, the stack overflow could theoretically lead to issues.
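As an added example, not code from the Falco libs project: the readlink pattern above reproduced against a constructed symlink, beside the hardened form that reserves one byte for the terminator and treats a result that fills the reserved length as truncation. DEMO_PATH_SIZE, the helper names and the temporary-directory path are assumptions made for this demo; the real SCAP_MAX_PATH_SIZE is defined in libscap. The unsafe helper only reports the index the terminator would be written to and does not perform the out-of-bounds write.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Illustrative buffer size (assumption); the real SCAP_MAX_PATH_SIZE lives in libscap. */
#define DEMO_PATH_SIZE 8

/* Creates a temporary symlink to `target`, runs `fn` on it, removes it.
 * Returns what fn returned, or -1 if the setup failed. */
static ssize_t with_temp_symlink(const char *target,
                                 ssize_t (*fn)(const char *, char *, size_t),
                                 char *buf, size_t bufsz)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";   /* constructed scratch location */
    char path[64];
    ssize_t r;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/link", dir);
    if (symlink(target, path) != 0) {
        rmdir(dir);
        return -1;
    }
    r = fn(path, buf, bufsz);
    unlink(path);
    rmdir(dir);
    return r;
}

/* The pattern described in the advisory: readlink() is given the whole
 * buffer, so on a long target it fills all bufsz bytes and returns bufsz.
 * The terminator link_name[r] would then land one byte past the buffer.
 * This helper only returns r; the original code did link_name[r] = '\0'. */
static ssize_t nul_index_unsafe(const char *fname, char *link_name, size_t bufsz)
{
    return readlink(fname, link_name, bufsz);
}

/* Hardened form: reserve one byte for the terminator, and treat a result
 * that fills the reserved length as truncation rather than success. */
static ssize_t read_link_safe(const char *fname, char *link_name, size_t bufsz)
{
    ssize_t r;
    if (bufsz == 0)
        return -1;
    r = readlink(fname, link_name, bufsz - 1);
    if (r < 0)
        return -1;
    link_name[r] = '\0';          /* r <= bufsz - 1: always in bounds */
    if ((size_t)r == bufsz - 1)
        return -2;                /* target may be longer than the buffer */
    return r;
}

/* Constructed inputs: a 10-byte target against an 8-byte buffer. */
ssize_t demo_unsafe_index(void)
{
    char buf[DEMO_PATH_SIZE];
    return with_temp_symlink("0123456789", nul_index_unsafe, buf, sizeof buf);
}

ssize_t demo_safe_result(void)
{
    char buf[DEMO_PATH_SIZE];
    return with_temp_symlink("0123456789", read_link_safe, buf, sizeof buf);
}

ssize_t demo_safe_short(void)
{
    char buf[DEMO_PATH_SIZE];
    return with_temp_symlink("abc", read_link_safe, buf, sizeof buf);
}

int main(void)
{
    printf("unsafe pattern would write NUL at index %zd of a %d-byte buffer\n",
           demo_unsafe_index(), DEMO_PATH_SIZE);
    printf("safe pattern: %zd (-2 = truncated), short target: %zd\n",
           demo_safe_result(), demo_safe_short());
    return 0;
}
```

With the 10-byte target, the unsafe pattern returns 8 for an 8-byte buffer, i.e. the terminator index equals the buffer size; the hardened version reports truncation instead of writing past the end, and returns the real length for a target that fits.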
Patches
Upgrade to libs 0.10.3
Workarounds
No
References
Falco Security Audit report, 23-01-1097-LIV by Victor Houal, Laurent Laubin and Mahé Tardy