speed47/spectre-meltdown-checker

False positive for CVE-2018-3646 with pcp

C-Newman opened this issue · 1 comment

RHEL 8.2
The package pcp-5.0.2-5 (System-level performance monitoring and performance management) starts the service pmcd.service, which runs the executable /var/lib/pcp/pmdas/kvm/pmdakvm.

The "kvm" in that binary's name triggers the script to believe it is running on a virtual machine from this "for" loop:

do
   for _pid in $(pgrep $_binary)
   do
      # resolve the exe symlink, if it doesn't resolve with -m,
      # which doesn't even need the dest to exist, it means the symlink
      # is null, which is the case for kernel threads: ignore those to
      # avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)
      if ! [ "$(readlink -m "/proc/$_pid/exe")" = "/proc/$_pid/exe" ]; then
         _debug "has_vmm: found PID $_pid"
         has_vmm=1
      fi
   done
done

Good catch, thanks. Fixed!
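
The name match described in this issue, reproduced offline as an added example (not part of the thread and not the project's code): it compares a substring match, as `pgrep NAME` does, with an exact match, as `pgrep -x NAME` does. The process table, the `qemu` entry in the name list, and the function names are constructed for illustration, and exact matching is shown as one possible remedy, not necessarily the change the maintainer made.

```shell
#!/bin/sh
# Constructed process table: "pid comm exe". exe is "-" for kernel threads,
# standing in for an empty /proc/PID/exe symlink.
PROC_TABLE='812 pmdakvm /var/lib/pcp/pmdas/kvm/pmdakvm
97 kvm-irqfd-clean -
4021 sshd /usr/sbin/sshd'

# Hypothetical hypervisor process names; only "kvm" is confirmed by the issue.
VMM_NAMES='qemu kvm'

# find_vmm_pids MODE [TABLE]
#   MODE=substring: name may appear anywhere in comm (like `pgrep NAME`,
#                   which for a literal name behaves as a substring match)
#   MODE=exact:     comm must equal the name          (like `pgrep -x NAME`)
# Prints the matching userland PIDs, one per line.
find_vmm_pids() {
   _mode=$1
   _table=${2:-$PROC_TABLE}
   for _name in $VMM_NAMES; do
      printf '%s\n' "$_table" | while read -r _pid _comm _exe; do
         [ -n "$_pid" ] || continue
         case $_mode in
            substring) case $_comm in *"$_name"*) ;; *) continue ;; esac ;;
            exact)     [ "$_comm" = "$_name" ] || continue ;;
            *)         continue ;;
         esac
         # Skip kernel threads, mirroring the readlink check in the loop above.
         if [ "$_exe" = "-" ]; then continue; fi
         echo "$_pid"
      done
   done
}

# has_vmm MODE [TABLE]: prints 1 if any userland PID matched, else 0.
has_vmm() {
   if [ -n "$(find_vmm_pids "$@")" ]; then echo 1; else echo 0; fi
}
```

With the constructed table, substring mode reports PID 812 (`pmdakvm`) as a hypervisor process while exact mode reports none; the kernel thread is excluded in both modes by the exe check.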