diff --git a/0001-Fix-memory-allocation.patch b/0001-Fix-memory-allocation.patch new file mode 100644 index 0000000..99eb604 --- /dev/null +++ b/0001-Fix-memory-allocation.patch @@ -0,0 +1,84 @@ +From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 10 Nov 2020 11:16:00 +0100 +Subject: [PATCH] Fix memory allocation + +We can't assume that size of a structure is a sum of sizes of its +members because padding and alignment can be involved. In fact, +we need to allocate more bytes for the structure than the +sum of sizes of its members. + +The wrong assumption caused invalid writes and invalid reads +which can be discovered by valgrind. Moreover, when run with +MALLOC_CHECK_ environment variable set to non-zero value, the +program aborted. + +The memory issue happened only when NDEBUG is defined, eg. when cmake +-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake +-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is +most likely because in debug mode the struct SEXP contains 2 additional +members which are the magic canaries and therefore is bigger. + +This commit wants to fix the problem by 2 step allocation in which +first the size of the struct SEXP_val_lblk is used and then the +array of SEXPs is allocated separately. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770 +--- + src/OVAL/probes/SEAP/_sexp-value.h | 2 +- + src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h +index 426cd2c3d..e66777ef9 100644 +--- a/src/OVAL/probes/SEAP/_sexp-value.h ++++ b/src/OVAL/probes/SEAP/_sexp-value.h +@@ -94,7 +94,7 @@ struct SEXP_val_lblk { + uintptr_t nxsz; + uint16_t real; + uint16_t refs; +- SEXP_t memb[]; ++ SEXP_t *memb; + }; + + size_t SEXP_rawval_list_length (struct SEXP_val_list *list); +diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c +index a11cbc70c..b8b3ed609 100644 +--- a/src/OVAL/probes/SEAP/sexp-value.c ++++ b/src/OVAL/probes/SEAP/sexp-value.c +@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz) + { + _A(sz < 16); + +- struct SEXP_val_lblk *lblk = oscap_aligned_malloc( +- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)), +- SEXP_LBLK_ALIGN +- ); ++ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk)); ++ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz)); + + lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK); + lblk->refs = 1; +@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *)) + func (lblk->memb + lblk->real); + } + +- oscap_aligned_free(lblk); ++ free(lblk->memb); ++ free(lblk); + + if (next != NULL) + SEXP_rawval_lblk_free ((uintptr_t)next, func); +@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *)) + func (lblk->memb + lblk->real); + } + +- oscap_aligned_free(lblk); ++ free(lblk->memb); ++ free(lblk); + } + + return; +-- +2.26.2 + diff --git a/openscap.changes b/openscap.changes index 4a91902..922899e 100644 --- a/openscap.changes +++ b/openscap.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner + +- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval + ------------------------------------------------------------------- Mon Nov 9 13:10:09 UTC 2020 - Marcus Meissner diff --git a/openscap.spec b/openscap.spec index 1018e1d..649ab5a 100644 --- a/openscap.spec +++ b/openscap.spec @@ -40,6 +40,7 @@ Source5: oscap-scan.service Source6: oscap-scan.sh Patch0: openscap-new-suse.patch Patch1: openscap-leap-cpe-15.12.patch +Patch2: 0001-Fix-memory-allocation.patch URL: https://www.open-scap.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: asciidoc @@ -175,6 +176,7 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build %if 0%{?with_bindings}