New Security Issue
Original reporter: Addison Crump
Area: Platform component (libraries, tools)
Message
In libgtop, there is an attacker-controlled buffer overflow that may allow for arbitrary code execution. On most widely-available systems, this does not pose a change of capability as it occurs after setuid/setreuid/setgid/setregid, but on some systems may allow attackers to access certain privileged information from kernel memory that would be otherwise unavailable.
This is not exploitable on distributions shipped with fortification, but is exploitable even if stack canaries are present as an attacker may corrupt certain stack pointers in the current frame, allowing for heap corruption. On distributions shipped with fortification, the program terminates with a buffer overflow detection before exploitation may occur.
Buffer overflow occurs here: https://gitlab.gnome.org/GNOME/libgtop/-/blob/master/src/daemon/slave.c?ref_type=heads#L63
Size check here appears to erroneously skip the check for cmnd->size: https://gitlab.gnome.org/GNOME/libgtop/-/blob/master/src/daemon/slave.c?ref_type=heads#L63 (note also typo: check is for dist_size, but log emits warning about size)
Suggested remediation: check the size parameter in addition to the data_size parameter.
My email is associated with an account on the GNOME GitLab instance and I am happy to offer patches as merge requests or provide further information via GitLab.
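As an added illustration of the remediation suggested above (example code, not libgtop's source or the reporter's patch): a hypothetical command header with `size` and `data_size` fields, the check pattern the report describes beside a version that validates both lengths before any copy and names the field that failed in its warning. The field names follow the report; the struct layout, buffer capacities and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header: `size` = parameter bytes, `data_size` = trailing data bytes. */
struct cmnd {
    uint32_t size;
    uint32_t data_size;
};

#define PARAM_CAP 64u   /* capacity of the parameter buffer (assumed) */
#define DATA_CAP  256u  /* capacity of the data buffer (assumed) */

/* Check pattern the report describes: only data_size is validated, so an
 * oversized `size` passes and later drives a copy past the parameter buffer. */
static int check_incomplete(const struct cmnd *c) {
    if (c->data_size > DATA_CAP) {
        fprintf(stderr, "data_size %u exceeds %u\n", (unsigned)c->data_size, DATA_CAP);
        return -1;
    }
    return 0;
}

/* Remediated check: both length fields are validated before any copy, and
 * each warning names the field that actually failed. */
static int check_both(const struct cmnd *c) {
    if (c->size > PARAM_CAP) {
        fprintf(stderr, "size %u exceeds %u\n", (unsigned)c->size, PARAM_CAP);
        return -1;
    }
    if (c->data_size > DATA_CAP) {
        fprintf(stderr, "data_size %u exceeds %u\n", (unsigned)c->data_size, DATA_CAP);
        return -1;
    }
    return 0;
}

/* Copies a command's variable-length parts into fixed buffers only after the header
 * passes check_both() and the payload really holds that many bytes. Returns bytes
 * consumed, or -1 when the message is rejected. */
static long receive_command(const struct cmnd *c, const uint8_t *payload,
                            size_t payload_len, uint8_t *params, uint8_t *data) {
    if (check_both(c) != 0) return -1;
    /* No wraparound possible here: both fields are already bounded by the small caps. */
    if ((size_t)c->size + c->data_size > payload_len) return -1;
    memcpy(params, payload, c->size);
    memcpy(data, payload + c->size, c->data_size);
    return (long)c->size + (long)c->data_size;
}
```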