From d258d10fad158f5df62f825afe00ff7e724c1ba4244b48a748c47a9b4e32767e Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Mon, 28 Dec 2020 15:26:44 +0000
Subject: [PATCH] Accepting request 859045 from home:msmeissn:branches:security

- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval

OBS-URL: https://build.opensuse.org/request/show/859045
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=257
---
 0001-Fix-memory-allocation.patch | 84 ++++++++++++++++++++++++++++++++
 openscap.changes                 |  5 ++
 openscap.spec                    |  2 +
 3 files changed, 91 insertions(+)
 create mode 100644 0001-Fix-memory-allocation.patch

diff --git a/0001-Fix-memory-allocation.patch b/0001-Fix-memory-allocation.patch
new file mode 100644
index 0000000..99eb604
--- /dev/null
+++ b/0001-Fix-memory-allocation.patch
@@ -0,0 +1,84 @@
+From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 10 Nov 2020 11:16:00 +0100
+Subject: [PATCH] Fix memory allocation
+
+We can't assume that size of a structure is a sum of sizes of its
+members because padding and alignment can be involved. In fact,
+we need to allocate more bytes for the structure than the
+sum of sizes of its members.
+
+The wrong assumption caused invalid writes and invalid reads
+which can be discovered by valgrind. Moreover, when run with
+MALLOC_CHECK_ environment variable set to non-zero value, the
+program aborted.
+
+The memory issue happened only when NDEBUG is defined, eg. when cmake
+-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
+-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
+most likely because in debug mode the struct SEXP contains 2 additional
+members which are the magic canaries and therefore is bigger.
+
+This commit wants to fix the problem by 2 step allocation in which
+first the size of the struct SEXP_val_lblk is used and then the
+array of SEXPs is allocated separately.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
+---
+ src/OVAL/probes/SEAP/_sexp-value.h |  2 +-
+ src/OVAL/probes/SEAP/sexp-value.c  | 12 ++++++------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
+index 426cd2c3d..e66777ef9 100644
+--- a/src/OVAL/probes/SEAP/_sexp-value.h
++++ b/src/OVAL/probes/SEAP/_sexp-value.h
+@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
+         uintptr_t nxsz;
+         uint16_t  real;
+         uint16_t  refs;
+-        SEXP_t    memb[];
++	SEXP_t *memb;
+ };
+ 
+ size_t    SEXP_rawval_list_length (struct SEXP_val_list *list);
+diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
+index a11cbc70c..b8b3ed609 100644
+--- a/src/OVAL/probes/SEAP/sexp-value.c
++++ b/src/OVAL/probes/SEAP/sexp-value.c
+@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
+ {
+         _A(sz < 16);
+ 
+-	struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
+-		sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
+-		SEXP_LBLK_ALIGN
+-	);
++	struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
++	lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
+ 
+         lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
+         lblk->refs = 1;
+@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
+                         func (lblk->memb + lblk->real);
+                 }
+ 
+-		oscap_aligned_free(lblk);
++		free(lblk->memb);
++		free(lblk);
+ 
+                 if (next != NULL)
+                         SEXP_rawval_lblk_free ((uintptr_t)next, func);
+@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
+                         func (lblk->memb + lblk->real);
+                 }
+ 
+-		oscap_aligned_free(lblk);
++		free(lblk->memb);
++		free(lblk);
+         }
+ 
+         return;
+-- 
+2.26.2
+
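Review bot: The new `malloc(sizeof(struct SEXP_val_lblk))` at the top of SEXP_rawval_lblk_new drops the `SEXP_LBLK_ALIGN` alignment that the replaced `oscap_aligned_malloc` call guaranteed, yet the `nxsz` assignment two lines below still packs the block size into the low bits of a block pointer through `SEXP_LBLKP_MASK`/`SEXP_LBLKS_MASK`, so a block whose address has those low bits set would be silently corrupted when stored in a neighbour's `nxsz`. Unless `SEXP_LBLK_ALIGN` is no larger than what plain malloc already guarantees (its value is not visible here, and `_A(sz < 16)` suggests four low bits are reserved, which exceeds the 8-byte malloc alignment of 32-bit glibc), keep the aligned allocator for the header only: `struct SEXP_val_lblk *lblk = oscap_aligned_malloc(sizeof(struct SEXP_val_lblk), SEXP_LBLK_ALIGN);` paired with `oscap_aligned_free(lblk);` in both free paths, and use plain `malloc`/`free` just for `memb`. Both `malloc` results are also used unchecked — `lblk->memb = malloc(...)` writes through a possibly-NULL `lblk` — whereas the old code had a single allocation; add `if (lblk == NULL) return (uintptr_t)NULL;` (or the project's abort-on-OOM wrapper, if `oscap_aligned_malloc` was one) before the second allocation and free `lblk` if that one fails. SEXP_rawval_lblk_new, SEXP_rawval_lblk_free and SEXP_rawval_lblk_free1 all continue outside their hunks.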
diff --git a/openscap.changes b/openscap.changes
index 4a91902..922899e 100644
--- a/openscap.changes
+++ b/openscap.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner <meissner@suse.com>
+
+- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval
+
 -------------------------------------------------------------------
 Mon Nov  9 13:10:09 UTC 2020 - Marcus Meissner <meissner@suse.com>
 
diff --git a/openscap.spec b/openscap.spec
index 1018e1d..649ab5a 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -40,6 +40,7 @@ Source5:        oscap-scan.service
 Source6:        oscap-scan.sh
 Patch0:         openscap-new-suse.patch
 Patch1:         openscap-leap-cpe-15.12.patch
+Patch2:         0001-Fix-memory-allocation.patch
 URL:            https://www.open-scap.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  asciidoc
@@ -175,6 +176,7 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %if 0%{?with_bindings}