Headline
CVE-2022-39377: sysstat overflow on 32-bit systems
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
Summary
On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.
Details
Issue: size_t overflow in sa_common.c (GHSL-2022-074)
allocate_structures function located in sa_common.c insufficiently checks bounds before arithmetic multiplication ([1]) allowing for an overflow in the size allocated for the buffer representing system activities.
void allocate_structures(struct activity *act[])
{
int i, j;
for (i = 0; i < NR_ACT; i++) {
if (act[i]->nr_ini > 0) {
for (j = 0; j < 3; j++) {
SREALLOC(act[i]->buf[j], void,
(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); // [1]
}
act[i]->nr_allocated = act[i]->nr_ini;
}
}
}
Impact
This issue may lead to Remote Code Execution (RCE)
For more information
If you have any questions or comments about this advisory:
- Email me at sysstat [at] orange [dot] fr
Related news
Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.
Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.