
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was identified in GNU C Library (glibc) 2.38, specifically affecting the __monstartup function in the gmon.c file of the Call Graph Monitor component. The issue was discovered on February 6, 2023, and was assigned CVE-2023-0687. The vulnerability relates to incorrect buffer size calculation that could potentially lead to buffer overflow (Red Hat CVE).
The vulnerability stems from incorrect buffer size calculations in the __monstartup() function. Specifically, the hash table size calculation p->fromssize = p->textsize / HASHFRACTION was implemented incorrectly, as it should have been p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)). Additionally, there was a related typo in the calculation of kcountsize. These issues could result in writing beyond the allocated buffer when an arc corresponds to a call near the end of the monitored address range (Patchwork Sourceware).
The vulnerability could lead to buffer overflow conditions in specific scenarios where gmon is activated. However, the impact is limited as the inputs that could trigger this vulnerability are essentially trusted, coming from addresses of a profiled application that is built with gmon enabled (Rapid7 DB).
The issue has been fixed in the GNU C Library through a patch that corrects the buffer size calculations. The fix involves proper implementation of ROUNDUP for the fromssize calculation and correction of the kcountsize calculation (Sourceware Bugzilla).
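The following added example (a model written for this page, not glibc's code) compares the two fromssize calculations quoted above and reports how many bytes a whole-slot write for the last call site in the range would land past the table. The 8-byte slot type, HASHFRACTION value of 2, the offset-to-slot mapping and the 4-byte alignment of textsize are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this model; not copied from gmon.c. */
#define HASHFRACTION 2
typedef uint64_t slot_t;                 /* stand-in for *p->froms */
#define ROUNDUP(x, y) ((((x) + (y) - 1) / (y)) * (y))

typedef size_t (*size_fn)(size_t);

/* Calculation described as incorrect on this page. */
static size_t froms_unfixed(size_t textsize) {
    return textsize / HASHFRACTION;
}

/* Calculation described as the fix on this page. */
static size_t froms_fixed(size_t textsize) {
    return ROUNDUP(textsize / HASHFRACTION, sizeof(slot_t));
}

/* Bytes past the table end touched by a whole-slot write for the last
   call site in the range (offset textsize - 1, textsize > 0).
   Assumed index mapping: offset / (HASHFRACTION * sizeof(slot_t)). */
static size_t shortfall(size_fn size_of_table, size_t textsize) {
    size_t idx  = (textsize - 1) / (HASHFRACTION * sizeof(slot_t));
    size_t need = (idx + 1) * sizeof(slot_t);
    size_t have = size_of_table(textsize);
    return need > have ? need - have : 0;
}

/* Count range sizes lo, lo+4, ... below hi whose table is too small
   (lo is assumed to be a multiple of 4). */
static unsigned count_short(size_fn size_of_table, size_t lo, size_t hi) {
    unsigned n = 0;
    for (size_t ts = lo; ts < hi; ts += 4)
        if (shortfall(size_of_table, ts) > 0)
            n++;
    return n;
}

int main(void) {
    for (size_t ts = 4096; ts < 4112; ts += 4)   /* constructed sizes */
        printf("textsize=%zu unfixed short by %zu, fixed short by %zu\n",
               ts, shortfall(froms_unfixed, ts), shortfall(froms_fixed, ts));
    printf("short tables: unfixed=%u fixed=%u\n",
           count_short(froms_unfixed, 4096, 4112),
           count_short(froms_fixed, 4096, 4112));
    return 0;
}
```

In this model the unrounded size is short whenever textsize is not a multiple of 16, and the rounded size closes the gap for every 4-byte-aligned textsize.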
Source: This report was generated using AI