Skip to content

Fix Incorrect conversion between integer types #9661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix Incorrect conversion between integer types #9661

wants to merge 1 commit into from
+4 −0

Conversation

opsysdebug
Copy link

@opsysdebug opsysdebug commented Aug 31, 2025
edited
Loading

To address the incorrect conversion, we should ensure that only valid, positive, in-range user and group IDs are allowed to flow to the place they are cast to uint32. The best fix is to add explicit range checks where the conversion from int (parsed from string) to the UID/GID storage location happens—specifically in the return statements of getentGetID, FindUID, and FindGID in internal/pkg/agent/install/user_linux.go. These must only return an id if it is within [0, math.MaxUint32], otherwise return an error. This prevents any "out of range" id from ever being used to populate the ownership struct or to reach the cast in the credential setup.

To implement this:

  • In internal/pkg/agent/install/user_linux.go:
    • At the end of getentGetID, after parsing the id, check that 0 <= val <= math.MaxUint32. If not, return error.
    • Update imports to include "math" for math.MaxUint32.

This patch does not change the user-facing functionality; it only ensures that the code safely handles ids from the OS and will fail fast if there are anomalies.

References

Integer overflow
Go language specification Integer overflow
strconv.Atoi
strconv.ParseInt
strconv.ParseUint

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

@opsysdebug opsysdebug requested a review from a team as a code owner August 31, 2025 03:47
@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 31, 2025

This pull request does not have a backport label. Could you fix it @opsysdebug? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Sep 2, 2025
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ycombinator ycombinator Awaiting requested review from ycombinator ycombinator is a code owner automatically assigned from elastic/elastic-agent-control-plane

@pchila pchila Awaiting requested review from pchila pchila is a code owner automatically assigned from elastic/elastic-agent-control-plane

At least 1 approving review is required to merge this pull request.

Assignees

@opsysdebug opsysdebug

Labels
Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@opsysdebug @elasticmachine @pierrehilbert