File U_12-Protect-against-overflow-of-size_valp.patch of Package slurm.32313
From: Tim Wickberg <tim@schedmd.com>
Date: Tue Nov 28 23:20:13 2023 -0700
Subject: [PATCH 12/28] Protect against overflow of size_valp.
Patch-mainline: Upstream
Git-repo: https://github.com/SchedMD/slurm
Git-commit: 12e202a7ce19953236e872f2a0e9c1672f876671
References: bsc#1218046, bsc#1218050, bsc#1218051, bsc#1218053
Signed-off-by: Egbert Eich <eich@suse.de>
Since we want to NULL-terminate the array, we need to ensure *size_valp is
not 0xffffffff as the + 1 would wrap to 0. The allocation would succeed,
and then we'd NULL-dereference immediately in the for loop and crash.
MAX_PACK_MEM_LEN is somewhat arbitrary, but sufficient for this check.
CVE-2023-49936.
# Conflicts:
# NEWS
# src/common/pack.c
---
NEWS | 1 +
src/common/pack.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
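The wrap the commit message describes, shown as an added example that is not Slurm's code: a minimal string-array unpacker modelled on the shape of unpackstr_array(), with a hypothetical bound DEMO_MAX_ARRAY_LEN standing in for MAX_ARRAY_LEN_MEDIUM and a constructed wire format (big-endian uint32 count followed by NUL-terminated strings, not Slurm's pack format). It demonstrates that 0xffffffff + 1 is 0 in uint32_t arithmetic, that bounding the count before the "+ 1" makes the wrap unreachable, and that a single unpack_error cleanup path leaves *valp NULL and *size_valp 0 on every failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bound standing in for Slurm's MAX_ARRAY_LEN_MEDIUM. */
#define DEMO_MAX_ARRAY_LEN 1024u

/* What "count + 1" evaluates to in uint32_t arithmetic. Unsigned wraparound
 * is well defined in C, so 0xffffffff + 1 is 0: a zero-element allocation
 * that the first arr[0] = ... store would then write past (or dereference
 * NULL, if the allocator returns NULL for size 0). */
uint32_t null_terminated_len(uint32_t count)
{
    return count + 1u;
}

/* Constructed wire format for the demo: big-endian uint32 count, then that
 * many NUL-terminated strings. Not Slurm's packing format. */
struct demo_buf {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static int read_u32(struct demo_buf *b, uint32_t *out)
{
    const unsigned char *p;
    if (b->len - b->pos < 4)
        return -1;
    p = b->data + b->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    b->pos += 4;
    return 0;
}

static int read_str(struct demo_buf *b, char **out)
{
    const unsigned char *start = b->data + b->pos;
    const unsigned char *nul = memchr(start, '\0', b->len - b->pos);
    size_t n;
    char *s;
    if (!nul)
        return -1;          /* string runs off the end of the buffer */
    n = (size_t)(nul - start);
    s = malloc(n + 1);
    if (!s)
        return -1;
    memcpy(s, start, n + 1);
    b->pos += n + 1;
    *out = s;
    return 0;
}

void free_str_array(char **arr, uint32_t n)
{
    uint32_t i;
    if (!arr)
        return;
    for (i = 0; i < n; i++)
        free(arr[i]);       /* slots never filled are NULL from calloc */
    free(arr);
}

/* Hardened unpacker: the count is bounded *before* "n + 1" is computed, so
 * the wrap cannot occur, and every failure goes through one cleanup label
 * that leaves *valp == NULL and *size_valp == 0. Returns 0 or -1. */
int demo_unpack(const unsigned char *data, size_t len,
                char ***valp, uint32_t *size_valp)
{
    struct demo_buf b = { data, len, 0 };
    char **arr = NULL;
    uint32_t n = 0, i;

    *valp = NULL;
    *size_valp = 0;
    if (read_u32(&b, &n) != 0)
        return -1;
    if (n > DEMO_MAX_ARRAY_LEN)         /* rejects 0xffffffff before the +1 */
        goto unpack_error;
    arr = calloc(n + 1u, sizeof *arr);  /* n + 1 <= 1025 here, cannot wrap */
    if (!arr)
        goto unpack_error;
    for (i = 0; i < n; i++)
        if (read_str(&b, &arr[i]) != 0)
            goto unpack_error;
    *valp = arr;                        /* arr[n] stays NULL: the terminator */
    *size_valp = n;
    return 0;

unpack_error:
    free_str_array(arr, n);
    return -1;
}

/* Constructed sample inputs. */
const unsigned char DEMO_GOOD[]  = { 0, 0, 0, 2, 'a', 'b', 0, 'c', 'd', 0 };
const unsigned char DEMO_WRAP[]  = { 0xff, 0xff, 0xff, 0xff };       /* count 0xffffffff */
const unsigned char DEMO_TRUNC[] = { 0, 0, 0, 2, 'a', 'b', 0, 'c' };  /* 2nd string cut off */

int main(void)
{
    char **arr = NULL;
    uint32_t n = 0;
    printf("0xffffffff + 1 as uint32_t = %u\n", null_terminated_len(0xffffffffu));
    printf("good:  rc=%d n=%u\n", demo_unpack(DEMO_GOOD, sizeof DEMO_GOOD, &arr, &n), n);
    free_str_array(arr, n);
    printf("wrap:  rc=%d\n", demo_unpack(DEMO_WRAP, sizeof DEMO_WRAP, &arr, &n));
    printf("trunc: rc=%d\n", demo_unpack(DEMO_TRUNC, sizeof DEMO_TRUNC, &arr, &n));
    return 0;
}
```

The ordering is the whole point: the bound check must run on the raw count, before any arithmetic on it, and the error path must reset the out-parameters so a caller that ignores the return value cannot walk a dangling or never-assigned array.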
diff --git a/NEWS b/NEWS
index ad93b88d53..b8902e238b 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ documents those changes that are of interest to users and administrators.
* Backported changes
====================
+ -- Prevent NULL pointer dereference on size_valp overflow. CVE-2023-49936.
-- Prevent double-xfree() on error in _unpack_node_reg_resp(). CVE-2023-49937.
-- Fix filesystem handling race conditions that could lead to an attacker
taking control of an arbitrary file, or removing entire directories'
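Review bot: the new NEWS line names neither the function nor the code path, while the neighbouring entry for CVE-2023-49937 names _unpack_node_reg_resp(); since the pack.c hunk in this same patch is in unpackstr_array(), suggest `-- Prevent NULL pointer dereference on size_valp overflow in unpackstr_array(). CVE-2023-49936.` so administrators can locate the affected code from the changelog alone.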
diff --git a/src/common/pack.c b/src/common/pack.c
index 53662442b5..a5c9ac1d91 100644
--- a/src/common/pack.c
+++ b/src/common/pack.c
@@ -1087,7 +1087,7 @@ int unpackstr_array(char ***valp, uint32_t * size_valp, Buf buffer)
if (*size_valp > MAX_ARRAY_LEN_MEDIUM) {
error("%s: Buffer to be unpacked is too large (%u > %u)",
__func__, *size_valp, MAX_ARRAY_LEN_MEDIUM);
- return SLURM_ERROR;
+ goto unpack_error;
}
safe_xcalloc(*valp, *size_valp + 1, sizeof(char *));
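Review bot: the commit message attributes the fix to a check against MAX_PACK_MEM_LEN, but the only change in this hunk is `return SLURM_ERROR;` becoming `goto unpack_error;`; the bound check visible here compares against MAX_ARRAY_LEN_MEDIUM and is already present as unchanged context. For the backport the message should describe what this hunk actually does (route the oversized-count case through the unpack_error cleanup instead of returning directly) or the MAX_PACK_MEM_LEN reference should be dropped. The `unpack_error:` label itself is outside the visible context; since the check runs before safe_xcalloc() and *valp has not been assigned at that point, it is worth confirming the label does not free or touch *valp in a way that assumes the allocation happened.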