From: Aurelien DARRAGON
Date: Mon, 15 May 2023 09:59:08 +0000 (+0200)
Subject: BUG/MINOR: debug: fix pointer check in debug_parse_cli_task()
X-Git-Tag: v2.8-dev12~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6a24a52a2efc597624521de752256a5c4ee5c5b;p=thirdparty%2Fhaproxy.git

BUG/MINOR: debug: fix pointer check in debug_parse_cli_task()

Task pointer check in debug_parse_cli_task() computes the theoretical end
address of provided task pointer to check if it is valid or not thanks to
may_access() helper function.

However, relative ending address is calculated by adding task size to 't'
pointer (which is a struct task pointer), thus it will result in an incorrect
address since the compiler automatically translates 't + x' to
't + x * sizeof(*t)' internally (with sizeof(*t) != 1 here).

Solving the issue by using 'ptr' (which is the void * raw address) as
starting address to prevent automatic address scaling.

This was revealed by coverity, see GH #2157.

No backport is needed, unless 9867987 ("DEBUG: cli: add "debug dev task" to
show/wake/expire/kill tasks and tasklets") gets backported.

--- diff --git a/src/debug.c b/src/debug.c index 67711e14b5..474a6647f0 100644 --- a/src/debug.c +++ b/src/debug.c @@ -1004,7 +1004,7 @@ static int debug_parse_cli_task(char **args, char *payload, struct appctx *appct t = ptr; caller = t->caller; msg = NULL; - task_ok = may_access(t + sizeof(*t) - 1); + task_ok = may_access(ptr + sizeof(*t) - 1); chunk_reset(&trash); resolve_sym_name(&trash, NULL, (const void *)t->process);
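
Review bot: the new 'may_access(ptr + sizeof(*t) - 1)' line does byte-granular arithmetic on 'ptr', which the commit message describes as a 'void *'. That only works through the GNU C extension that treats sizeof(void) as 1; ISO C does not define arithmetic on 'void *'. Casting explicitly, for example '(const char *)ptr + sizeof(*t) - 1', would make the byte offset intentional and portable, and a one-line comment saying the offset is in bytes, not in struct task units, would help keep the scaled form from being reintroduced later. Separately, in the context lines 'caller = t->caller;' dereferences 't' before 'task_ok' is computed, and the check only probes the last byte of the object. If nothing above the visible context already validates the start of the object, that read should move after the check.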