
Commit 353df39

committed
journal_seek: Sanity journaled message field before using
This should not be an issue since sudo_logsrvd wrote the files itself but in case of corruption we should error out. Found by the ZeroPath AI Security Engineer <https://zeropath.com>
1 parent a257a7d commit 353df39


1 file changed

+50
-1
lines changed


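--- a/logsrvd/logsrvd_journal.c
+++ b/logsrvd/logsrvd_journal.c
@@ -340,42 +340,90 @@ journal_seek(const struct timespec *target, struct connection_closure *closure)
 "seeking past AlertMessage (%d)", msg->type_case);
 break;
 case CLIENT_MESSAGE__TYPE_TTYIN_BUF:
-delay = msg->u.ttyin_buf->delay;
+if (msg->u.ttyin_buf == NULL ||
+!valid_timespec(msg->u.ttyin_buf->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid IoBuffer"));
+closure->errstr = _("invalid IoBuffer");
+goto done;
+}
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read IoBuffer (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_TTYOUT_BUF:
+if (msg->u.ttyout_buf == NULL ||
+!valid_timespec(msg->u.ttyout_buf->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid IoBuffer"));
+closure->errstr = _("invalid IoBuffer");
+goto done;
+}
 delay = msg->u.ttyout_buf->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read IoBuffer (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_STDIN_BUF:
+if (msg->u.stdin_buf == NULL ||
+!valid_timespec(msg->u.stdin_buf->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid IoBuffer"));
+closure->errstr = _("invalid IoBuffer");
+goto done;
+}
 delay = msg->u.stdin_buf->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read IoBuffer (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_STDOUT_BUF:
+if (msg->u.stdout_buf == NULL ||
+!valid_timespec(msg->u.stdout_buf->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid IoBuffer"));
+closure->errstr = _("invalid IoBuffer");
+goto done;
+}
 delay = msg->u.stdout_buf->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read stdout_buf (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_STDERR_BUF:
+if (msg->u.stderr_buf == NULL ||
+!valid_timespec(msg->u.stderr_buf->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid IoBuffer"));
+closure->errstr = _("invalid IoBuffer");
+goto done;
+}
 delay = msg->u.stderr_buf->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read stderr_buf (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_WINSIZE_EVENT:
+if (msg->u.winsize_event == NULL ||
+!valid_timespec(msg->u.winsize_event->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid ChangeWindowSize"));
+closure->errstr = _("invalid ChangeWindowSize");
+goto done;
+}
 delay = msg->u.winsize_event->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read ChangeWindowSize (%d), delay [%lld, %ld]", msg->type_case,
 (long long)delay->tv_sec, (long)delay->tv_nsec);
 break;
 case CLIENT_MESSAGE__TYPE_SUSPEND_EVENT:
+if (msg->u.suspend_event == NULL ||
+!valid_timespec(msg->u.suspend_event->delay)) {
+sudo_warnx(U_("%s: %s"), closure->journal_path,
+U_("invalid invalid CommandSuspend"));
+closure->errstr = _("invalid CommandSuspend");
+goto done;
+}
 delay = msg->u.suspend_event->delay;
 sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 "read CommandSuspend (%d), delay [%lld, %ld]", msg->type_case,
@@ -404,6 +452,7 @@ journal_seek(const struct timespec *target, struct connection_closure *closure)
 }
 }
 
+done:
 client_message__free_unpacked(msg, NULL);
 free(buf);
 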
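Review bot: In the `CLIENT_MESSAGE__TYPE_TTYIN_BUF` case the new validation replaces `delay = msg->u.ttyin_buf->delay;` instead of preceding it, so the unchanged `sudo_debug_printf` that follows reads `delay->tv_sec` and `delay->tv_nsec` without this case ever assigning `delay`; the other six cases keep their assignment after the check. What `delay` holds at that point is decided outside the hunk (presumably a previous iteration's pointer or its initial value), so the likely result is a stale delay or a NULL dereference, and `delay = msg->u.ttyin_buf->delay;` should be restored right after the closing brace of the new `if`. Separately, the `CLIENT_MESSAGE__TYPE_SUSPEND_EVENT` warning is `U_("invalid invalid CommandSuspend")` while `errstr` is set to `_("invalid CommandSuspend")`; the doubled word should be dropped so both messages match. `journal_seek` begins and ends outside both hunks, so it cannot be confirmed from here that the `goto done` path leaves the function's return value set to failure.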
