Accepting request 859046 from security
- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval (forwarded request 859045 from msmeissn) OBS-URL: https://build.opensuse.org/request/show/859046 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openscap?expand=0&rev=69
0f73d900ee
84
0001-Fix-memory-allocation.patch
Normal file
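--- a/0001-Fix-memory-allocation.patch
+++ b/0001-Fix-memory-allocation.patch
@@ -0,0 +1,84 @@
+From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 10 Nov 2020 11:16:00 +0100
+Subject: [PATCH] Fix memory allocation
+
+We can't assume that size of a structure is a sum of sizes of its
+members because padding and alignment can be involved. In fact,
+we need to allocate more bytes for the structure than the
+sum of sizes of its members.
+
+The wrong assumption caused invalid writes and invalid reads
+which can be discovered by valgrind. Moreover, when run with
+MALLOC_CHECK_ environment variable set to non-zero value, the
+program aborted.
+
+The memory issue happened only when NDEBUG is defined, eg. when cmake
+-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
+-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
+most likely because in debug mode the struct SEXP contains 2 additional
+members which are the magic canaries and therefore is bigger.
+
+This commit wants to fix the problem by 2 step allocation in which
+first the size of the struct SEXP_val_lblk is used and then the
+array of SEXPs is allocated separately.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
+---
+src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
+src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
+2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
+index 426cd2c3d..e66777ef9 100644
+--- a/src/OVAL/probes/SEAP/_sexp-value.h
++++ b/src/OVAL/probes/SEAP/_sexp-value.h
+@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
+uintptr_t nxsz;
+uint16_t real;
+uint16_t refs;
+- SEXP_t memb[];
++ SEXP_t *memb;
+};
+
+size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
+diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
+index a11cbc70c..b8b3ed609 100644
+--- a/src/OVAL/probes/SEAP/sexp-value.c
++++ b/src/OVAL/probes/SEAP/sexp-value.c
+@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
+{
+_A(sz < 16);
+
+- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
+- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
+- SEXP_LBLK_ALIGN
+- );
++ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
++ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
+
+lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
+lblk->refs = 1;
+@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
+func (lblk->memb + lblk->real);
+}
+
+- oscap_aligned_free(lblk);
++ free(lblk->memb);
++ free(lblk);
+
+if (next != NULL)
+SEXP_rawval_lblk_free ((uintptr_t)next, func);
+@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
+func (lblk->memb + lblk->real);
+}
+
+- oscap_aligned_free(lblk);
++ free(lblk->memb);
++ free(lblk);
+}
+
+return;
+--
+2.26.2
+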
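Review bot: The new `struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));` gives up the `SEXP_LBLK_ALIGN` alignment that `oscap_aligned_malloc` guaranteed, yet the context line `lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);` still packs a block pointer and `sz` into one word, so a block address whose low bits are not clear (inferred from the masks — confirm against their definitions and the platform's malloc alignment) would be corrupted when stored as the next-block pointer. Keeping the aligned allocator for the header and moving only the member array to a separate allocation preserves the padding fix without that risk: `struct SEXP_val_lblk *lblk = oscap_aligned_malloc(sizeof(struct SEXP_val_lblk), SEXP_LBLK_ALIGN);` here, with `oscap_aligned_free(lblk);` retained after the new `free(lblk->memb);` in both `SEXP_rawval_lblk_free` and `SEXP_rawval_lblk_free1`. Independently, neither `malloc` result is checked and `lblk->memb = ...` dereferences `lblk` immediately, so an allocation failure becomes a NULL write instead of an error; a NULL test on `lblk` (and on `memb`, releasing `lblk` on failure) belongs between the two calls, following whatever OOM policy the removed allocator had. `SEXP_rawval_lblk_new`'s body continues outside the hunk.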
@ -1,3 +1,8 @@
-------------------------------------------------------------------
Sat Nov 14 08:55:03 UTC 2020 - Marcus Meissner <meissner@suse.com>
- 0001-Fix-memory-allocation.patch: fixed a crash during oscap oval eval
-------------------------------------------------------------------
Mon Nov 9 13:10:09 UTC 2020 - Marcus Meissner <meissner@suse.com>
@ -40,6 +40,7 @@ Source5: oscap-scan.service
Source6: oscap-scan.sh
Patch0: openscap-new-suse.patch
Patch1: openscap-leap-cpe-15.12.patch
Patch2: 0001-Fix-memory-allocation.patch
URL: https://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: asciidoc
@ -175,6 +176,7 @@ This package contains the Script Checking Engine Library (SCE) for OpenSCAP.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%if 0%{?with_bindings}