
sles 15.1
buffer weakness #143

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known classes of software vulnerability. Even though most developers know what a buffer overflow is, attacks exploiting them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

ucx-1.4.0/src/ucm/util/log.c

Context:

The code excerpt below contains the trigger point of this particular SLES 15.1 buffer weakness: the warning "Easily used incorrectly" refers to the strncat() call in __ucm_log(), whose size argument is the total buffer size rather than the number of bytes that may still be appended.

    va_start(ap, fmt);
    ucm_log_vsnprintf(buf, max, fmt, ap);
    va_end(ap);
}

void __ucm_log(const char *file, unsigned line, const char *function,
               ucs_log_level_t level, const char *message, ...)
{
    char buf[UCM_LOG_BUG_SIZE];
    size_t length;
    va_list ap;
    struct timeval tv;
    ssize_t nwrite;

    /* Build the line prefix (timestamp, host, pid, source location, level);
     * the explicit terminator covers the case where the prefix is truncated. */
    gettimeofday(&tv, NULL);
    ucm_log_snprintf(buf, UCM_LOG_BUG_SIZE - 1, "[%lu.%06lu] [%s:%d] %18s:%-4d UCX  %s ",
                     tv.tv_sec, tv.tv_usec, ucm_log_hostname, getpid(),
                     basename(file), line, ucm_log_level_names[level]);
    buf[UCM_LOG_BUG_SIZE - 1] = '\0';

    /* Format the caller's message into whatever space remains after the prefix;
     * after this call strlen(buf) may already be UCM_LOG_BUG_SIZE - 1. */
    length = strlen(buf);
    va_start(ap, message);
    ucm_log_vsnprintf(buf + length, UCM_LOG_BUG_SIZE - length, message, ap);
    va_end(ap);

    /* Flagged call: strncat()'s third argument is the maximum number of bytes
     * to append, not the size of the destination. UCM_LOG_BUG_SIZE - 1 never
     * limits the one-byte "\n", so when the message already fills the buffer
     * the newline and its NUL terminator are written past the end of buf. */
    strncat(buf, "\n", UCM_LOG_BUG_SIZE - 1);

    /* Use writev to avoid potential calls to malloc() in buffered IO functions */
    nwrite = write(ucm_log_fileno, buf, strlen(buf));
    (void)nwrite;

    if (level <= UCS_LOG_LEVEL_FATAL) {
        abort();
    }
}

UCS_STATIC_INIT {
    gethostname(ucm_log_hostname, sizeof(ucm_log_hostname));
}
