From 69a456c0b60bb6d1122391e1c78243aec345f36c Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Fri, 3 Jun 2022 11:21:23 +0300
Subject: [PATCH] elf_note_prpsinfo: handle more failures from proc_getargv()

Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
buffer overflowed. The later should not occur because get_ps_strings()
checks for catenated length, but check for this subtle detail explicitly
as well to be more resilent.

The end result is that p_comm is used in this situations.

Approved by:	so
Security:	FreeBSD-SA-22:09.elf
Reported by:	Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
Reviewed by:	delphij, markj
admbugs:	988
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35391

(cherry picked from commit 00d17cf342cd9f4f8fd1dcd79c8caec359145532)
(cherry picked from commit 8a44a2c644fc6d4ec1740fcc0b3ff01eac989ddf)
---
 sys/kern/imgact_elf.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index a8f3c6959b3..5c4a9889a71 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -2303,13 +2303,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, size_t *sizep)
 			    sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
 			error = proc_getargv(curthread, p, &sbarg);
 			PRELE(p);
-			if (sbuf_finish(&sbarg) == 0)
-				len = sbuf_len(&sbarg) - 1;
-			else
+			if (sbuf_finish(&sbarg) == 0) {
+				len = sbuf_len(&sbarg);
+				if (len > 0)
+					len--;
+			} else {
 				len = sizeof(psinfo->pr_psargs) - 1;
+			}
 			sbuf_delete(&sbarg);
 		}
-		if (error || len == 0)
+		if (error != 0 || len == 0 || (ssize_t)len == -1)
 			strlcpy(psinfo->pr_psargs, p->p_comm,
 			    sizeof(psinfo->pr_psargs));
 		else {
-- 
2.45.0