sudo/sme9/sudo-1.8.6p7-CVE-2017-1000368.patch

diff --git a/src/ttyname.c b/src/ttyname.c
index 32f093c..d8858f7 100644
--- a/src/ttyname.c
+++ b/src/ttyname.c
@@ -414,53 +414,80 @@ get_process_ttyname(void)
 }
 #elif defined(__linux__)
 /*
- * Return a string from ttyname() containing the tty to which the process is
- * attached or NULL if there is no tty associated with the process (or its
- * parent).  First tries field 7 in /proc/pid/stat, then /proc/ppid/stat.
- * Falls back on ttyname of std{in,out,err} if that fails.
+ * Store the name of the tty to which the process is attached in name.
+ * Returns name on success and NULL on failure, setting errno.
  */
 char *
 get_process_ttyname(void)
 {
-    char *line = NULL, *tty = NULL;
-    size_t linesize = 0;
-    ssize_t len;
-    int i;
+    const char path[] = "/proc/self/stat";
+    char *cp, buf[1024];
+    char *ret = NULL;
+    int serrno = errno;
+    ssize_t nread;
+    int fd;
     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
 
-    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
-    for (i = 0; tty == NULL && i < 2; i++) {
-       FILE *fp;
-       char path[PATH_MAX];
-       (void)snprintf(path, sizeof(path), "/proc/%u/stat",
-           i ? (unsigned int)getppid() : (unsigned int)getpid());
-       if ((fp = fopen(path, "r")) == NULL)
-           continue;
-       len = getline(&line, &linesize, fp);
-       fclose(fp);
-       if (len != -1) {
+    /*
+     * Try to determine the tty from tty_nr in /proc/self/stat.
+     * Ignore /proc/self/stat if it contains embedded NUL bytes.
+     */
+    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
+       cp = buf;
+       while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
+           if (nread == -1) {
+               if (errno == EAGAIN || errno == EINTR)
+                   continue;
+               break;
+           }
+           cp += nread;
+           if (cp >= buf + sizeof(buf))
+               break;
+       }
+       if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
            /*
             * Field 7 is the tty dev (0 if no tty).
-            * Since the process name at field 2 "(comm)" may include spaces,
-            * start at the last ')' found.
+            * Since the process name at field 2 "(comm)" may include
+            * whitespace (including newlines), start at the last ')' found.
             */
-           char *cp = strrchr(line, ')');
-           int field = 2;
-           while (*cp != '\0') {
-               if (*cp++ == ' ') {
-                   if (++field == 7) {
-                       dev_t tdev = (dev_t)atoi(cp);
-                       if (tdev > 0)
-                           tty = sudo_ttyname_dev(tdev);
-                       break;
+           *cp = '\0';
+           cp = strrchr(buf, ')');
+           if (cp != NULL) {
+               char *ep = cp;
+               int field = 1;
+
+               while (*++ep != '\0') {
+                   if (*ep == ' ') {
+                       *ep = '\0';
+                       if (++field == 7) {
+                           dev_t tdev = (dev_t)strtol(cp, NULL, 10);
+                           if (tdev == 0 || errno == ERANGE || errno == EINVAL) {
+                               sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+                                   "%s: tty device %s: %s", path, cp, strerror(errno));
+                           }
+                           if (tdev > 0) {
+                               errno = serrno;
+                               ret = sudo_ttyname_dev(tdev);
+                               goto done;
+                           }
+                           break;
+                       }
+                       cp = ep + 1;
                    }
                }
            }
        }
     }
-    efree(line);
+    errno = ENOENT;
 
-    debug_return_str(tty);
+done:
+    if (fd != -1)
+       close(fd);
+    if (ret == NULL)
+       sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+           "unable to resolve tty via %s", path);
+
+    debug_return_str(ret);
 }
 #else
 /*
1	diff --git a/src/ttyname.c b/src/ttyname.c
2	index 32f093c..d8858f7 100644
3	--- a/src/ttyname.c
4	+++ b/src/ttyname.c
5	@@ -414,53 +414,80 @@ get_process_ttyname(void)
6	}
7	#elif defined(__linux__)
8	/*
9	- * Return a string from ttyname() containing the tty to which the process is
10	- * attached or NULL if there is no tty associated with the process (or its
11	- * parent). First tries field 7 in /proc/pid/stat, then /proc/ppid/stat.
12	- * Falls back on ttyname of std{in,out,err} if that fails.
13	+ * Store the name of the tty to which the process is attached in name.
14	+ * Returns name on success and NULL on failure, setting errno.
15	*/
16	char *
17	get_process_ttyname(void)
18	{
19	- char line = NULL, tty = NULL;
20	- size_t linesize = 0;
21	- ssize_t len;
22	- int i;
23	+ const char path[] = "/proc/self/stat";
24	+ char *cp, buf[1024];
25	+ char *ret = NULL;
26	+ int serrno = errno;
27	+ ssize_t nread;
28	+ int fd;
29	debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
30
31	- /* Try to determine the tty from tty_nr in /proc/pid/stat. */
32	- for (i = 0; tty == NULL && i < 2; i++) {
33	- FILE *fp;
34	- char path[PATH_MAX];
35	- (void)snprintf(path, sizeof(path), "/proc/%u/stat",
36	- i ? (unsigned int)getppid() : (unsigned int)getpid());
37	- if ((fp = fopen(path, "r")) == NULL)
38	- continue;
39	- len = getline(&line, &linesize, fp);
40	- fclose(fp);
41	- if (len != -1) {
42	+ /*
43	+ * Try to determine the tty from tty_nr in /proc/self/stat.
44	+ * Ignore /proc/self/stat if it contains embedded NUL bytes.
45	+ */
46	+ if ((fd = open(path, O_RDONLY \| O_NOFOLLOW)) != -1) {
47	+ cp = buf;
48	+ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
49	+ if (nread == -1) {
50	+ if (errno == EAGAIN \|\| errno == EINTR)
51	+ continue;
52	+ break;
53	+ }
54	+ cp += nread;
55	+ if (cp >= buf + sizeof(buf))
56	+ break;
57	+ }
58	+ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
59	/*
60	* Field 7 is the tty dev (0 if no tty).
61	- * Since the process name at field 2 "(comm)" may include spaces,
62	- * start at the last ')' found.
63	+ * Since the process name at field 2 "(comm)" may include
64	+ * whitespace (including newlines), start at the last ')' found.
65	*/
66	- char *cp = strrchr(line, ')');
67	- int field = 2;
68	- while (*cp != '\0') {
69	- if (*cp++ == ' ') {
70	- if (++field == 7) {
71	- dev_t tdev = (dev_t)atoi(cp);
72	- if (tdev > 0)
73	- tty = sudo_ttyname_dev(tdev);
74	- break;
75	+ *cp = '\0';
76	+ cp = strrchr(buf, ')');
77	+ if (cp != NULL) {
78	+ char *ep = cp;
79	+ int field = 1;
80	+
81	+ while (*++ep != '\0') {
82	+ if (*ep == ' ') {
83	+ *ep = '\0';
84	+ if (++field == 7) {
85	+ dev_t tdev = (dev_t)strtol(cp, NULL, 10);
86	+ if (tdev == 0 \|\| errno == ERANGE \|\| errno == EINVAL) {
87	+ sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_LINENO,
88	+ "%s: tty device %s: %s", path, cp, strerror(errno));
89	+ }
90	+ if (tdev > 0) {
91	+ errno = serrno;
92	+ ret = sudo_ttyname_dev(tdev);
93	+ goto done;
94	+ }
95	+ break;
96	+ }
97	+ cp = ep + 1;
98	}
99	}
100	}
101	}
102	}
103	- efree(line);
104	+ errno = ENOENT;
105
106	- debug_return_str(tty);
107	+done:
108	+ if (fd != -1)
109	+ close(fd);
110	+ if (ret == NULL)
111	+ sudo_debug_printf(SUDO_DEBUG_WARN\|SUDO_DEBUG_LINENO\|SUDO_DEBUG_ERRNO,
112	+ "unable to resolve tty via %s", path);
113	+
114	+ debug_return_str(ret);
115	}
116	#else
117	/*