7.8 CVE-2022-39377

Exploit Buffer Overflow
 

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
https://nvd.nist.gov/vuln/detail/CVE-2022-39377

Categories

CWE-120 : Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the product copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

CWE-131 : Incorrect Calculation of Buffer Size
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Detection: This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Manual analysis can be useful for finding this weakness, but it might not achieve the desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.

Mitigations:
When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
When allocating memory that uses sentinels to mark the end of a data structure, such as NUL bytes in strings, make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Use sizeof() on the appropriate data type to avoid CWE-467.
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Observed examples:
Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV.
substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
substitution overflow: buffer overflow using expansion of environment variables
substitution overflow: buffer overflow using a large number of substitution strings
transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
transformation overflow: buffer overflow when expanding ">" to "&gt;", etc.
expansion overflow: buffer overflow using wildcards
expansion overflow: long pathname + glob = overflow
special characters in argument are not properly expanded
small length value leads to heap overflow
multiple variants
needs closer investigation, but probably expansion-based
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
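The following is an added illustration of the bug class described in the CVE text above (a size_t overflow when record counts are multiplied into an allocation size on a 32-bit build) and of the CWE-131 mitigation of validating numeric input before it is used in a size computation. It is not sysstat's code and does not reproduce the upstream patch: the function names (naive_alloc_size, checked_alloc_size, alloc_records), the header values and the record size of 1024 bytes are all constructed here, and a 32-bit size_t is modelled with uint32_t so the wrap-around is reproducible on a 64-bit host.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A 32-bit size_t is modelled explicitly with uint32_t so the wrap-around the
 * advisory describes for 32-bit builds is reproducible on a 64-bit host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Vulnerable pattern: counts are multiplied into an allocation size with no
 * check that the product fits.  nr and nr2 stand in for record counts read
 * from an untrusted data file, msize for the fixed size of one record.
 * (Constructed illustration, not sysstat's allocate_structures.) */
size32_t naive_alloc_size(size32_t nr, size32_t nr2, size32_t msize)
{
    return nr * nr2 * msize;        /* unsigned arithmetic: wraps modulo 2^32 */
}

/* How far past the wrapped allocation a loop that stores nr * nr2 records of
 * msize bytes would write.  Computed in 64 bits; 0 means nothing wrapped. */
uint64_t overflow_bytes(size32_t nr, size32_t nr2, size32_t msize)
{
    uint64_t needed = (uint64_t)nr * nr2 * msize;
    return needed - naive_alloc_size(nr, nr2, msize);
}

/* Multiply two sizes, refusing any product that does not fit in size32_t. */
static bool checked_mul32(size32_t a, size32_t b, size32_t *out)
{
    if (a != 0 && b > SIZE32_MAX / a)
        return false;               /* a * b would exceed SIZE32_MAX */
    *out = a * b;
    return true;
}

/* Hardened pattern: check the arithmetic before trusting its result.
 * Returns false on overflow and leaves *out untouched. */
bool checked_alloc_size(size32_t nr, size32_t nr2, size32_t msize, size32_t *out)
{
    size32_t partial;
    if (!checked_mul32(nr, nr2, &partial))
        return false;
    return checked_mul32(partial, msize, out);
}

/* Convenience wrapper for callers that treat 0 as "refuse to allocate". */
size32_t safe_alloc_size(size32_t nr, size32_t nr2, size32_t msize)
{
    size32_t n = 0;
    return checked_alloc_size(nr, nr2, msize, &n) ? n : 0;
}

/* Allocate the record buffer only when the size computation is sound.  The
 * caller owns the returned buffer; NULL means the header was rejected. */
unsigned char *alloc_records(size32_t nr, size32_t nr2, size32_t msize)
{
    size32_t bytes;
    if (!checked_alloc_size(nr, nr2, msize, &bytes) || bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed header values: 4194305 records of 1024 bytes each.
     * 4194305 * 1024 = 2^32 + 1024, which wraps to exactly 1024 bytes. */
    size32_t nr = 4194305u, nr2 = 1u, msize = 1024u;

    printf("naive size    : %" PRIu32 " bytes\n", naive_alloc_size(nr, nr2, msize));
    printf("bytes past end: %" PRIu64 "\n", overflow_bytes(nr, nr2, msize));
    printf("checked size  : %" PRIu32 " (0 = rejected)\n", safe_alloc_size(nr, nr2, msize));

    unsigned char *buf = alloc_records(100u, 2u, msize);   /* 204800 bytes */
    printf("sane header   : %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

With the constructed header, the naive computation hands malloc a 1024-byte buffer while the loader goes on to process over four million records, so the first record after the first already lands outside the allocation; the checked version rejects the same header before any memory is touched. The same division-based check generalises to any chain of multiplications that feeds an allocator, which is the general case of the CWE-131 guidance above.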

References

CONFIRM Exploit

FEDORA

FEDORA-2022-dbe48a4bc7
Mailing List Third Party Advisory
FEDORA-2022-5adda2d05f
Mailing List Third Party Advisory
FEDORA-2022-9f3af921a5
Mailing List Third Party Advisory

GENTOO

GLSA-202211-07
Third Party Advisory


CPE

cpe start end
Configuration 1
cpe:2.3:a:sysstat_project:sysstat:*:*:*:*:*:*:*:* >= 9.1.6 < 12.6.1
Configuration 2
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Configuration 3
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

Other (github, ...)

Url
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x


CAPEC


Common Attack Pattern Enumerations and Classifications

id   description                                      severity
10   Buffer Overflow via Environment Variables         High
100  Overflow Buffers                                  Very High
14   Client-side Injection-induced Buffer Overflow     High
24   Filter Failure through Buffer Overflow            High
42   MIME Conversion                                   High
44   Overflow Binary Resource File                     Very High
45   Buffer Overflow via Symbolic Links                High
46   Overflow Variables and Tags                       High
47   Buffer Overflow via Parameter Expansion           High
67   String Format Overflow in syslog()                Very High
8    Buffer Overflow in an API Call                    High
9    Buffer Overflow in Local Command-Line Utilities   High
92   Forced Integer Overflow                           High


MITRE