authorSiddhesh Poyarekar <siddhesh@redhat.com>2013-06-14 01:20:06 +0530
committerSiddhesh Poyarekar <siddhesh@redhat.com>2013-06-14 01:20:06 +0530
commit5865a56bf4e31c5a152e46454367a99c5971ac02 (patch)
tree0a0ee5d430ef178bced7a0718e62427cd1da6b1b /nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
parentc204ab284bc3ef492f5a5201bd6131032bfd471a (diff)
Avoid access beyond memory bounds in pthread_attr_getaffinity_np
Resolves BZ #15618.

pthread_attr_getaffinity_np may write beyond bounds of the input
cpuset buffer if the size of the input buffer is smaller than the
buffer present in the input pthread attributes.  Fix is to copy to the
extent of the minimum of the source and the destination.
Diffstat (limited to 'nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c')
-rw-r--r--nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c b/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
index 00bb29b3f5..2a60f8e19f 100644
--- a/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
+++ b/nptl/sysdeps/unix/sysv/linux/pthread_attr_getaffinity.c
@@ -42,7 +42,12 @@ __pthread_attr_getaffinity_new (const pthread_attr_t *attr, size_t cpusetsize,
 	if (((char *) iattr->cpuset)[cnt] != 0)
 	  return EINVAL;
 
-      void *p = mempcpy (cpuset, iattr->cpuset, iattr->cpusetsize);
+      /* Copy over the cpuset from the thread attribute object.  Limit the copy
+	 to the minimum of the source and destination sizes to prevent a buffer
+	 overrun.  If the destination is larger, fill the remaining space with
+	 zeroes.  */
+      void *p = mempcpy (cpuset, iattr->cpuset,
+			 MIN (iattr->cpusetsize, cpusetsize));
       if (cpusetsize > iattr->cpusetsize)
 	memset (p, '\0', cpusetsize - iattr->cpusetsize);
     }
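Review bot: The new comment says why the copy is capped, but not why dropping the tail is safe when the caller's buffer is smaller than `iattr->cpusetsize`. The context lines just above return EINVAL on any nonzero byte at index `cnt`; assuming that loop (its header is outside the hunk) runs from `cpusetsize` up to `iattr->cpusetsize`, the truncated bytes are all zero. I would add `Bytes past cpusetsize were verified to be zero above, so truncation drops no set CPUs.` to the comment. Separately, `MIN` is used without an include being added in this file (the diffstat's six insertions are all in this hunk), so it presumably arrives through an existing header; that is worth confirming rather than relying on a transitive include. The function body starts and ends outside the hunk.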