diff --git a/audit.spec b/audit.spec index 8a382385a7ac429ee93bb8821f8cb403a78a116b..0a25cf4bd306230c48b6bfb52564d1d0a2c44764 100644 --- a/audit.spec +++ b/audit.spec @@ -46,11 +46,20 @@ Patch34: backport-Try-to-interpret-OPENAT2-fields-correctly.patch Patch35: backport-Add-a-buffer-limit-just-in-case.patch Patch36: backport-Teardown-SIGCONT-watcher-on-exit.patch Patch37: backport-Correct-path-of-config-file.patch -Patch38: backport-Fix-the-error-found-by-clang-tidy-313.patch -Patch39: backport-Fix-segfault-in-python-bindings-around-the-feed-API.patch -Patch40: backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch -Patch41: backport-Error-out-if-required-zos-parameters-missing.patch -Patch42: backport-Fix-deprecated-python-function.patch +Patch38: backport-Fix-the-error-found-by-clang-tidy-313.patch +Patch39: backport-Fix-segfault-in-python-bindings-around-the-feed-API.patch +Patch40: backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch +Patch41: backport-Error-out-if-required-zos-parameters-missing.patch +Patch42: backport-Fix-deprecated-python-function.patch +Patch43: backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch +Patch44: backport-lib-enclose-macro-to-avoid-precedence-issues.patch +Patch45: backport-memory-allocation-updates-341.patch +Patch46: backport-lib-cast-to-unsigned-char-for-character-test-functio.patch +Patch47: backport-Make-session-id-consistently-typed-327.patch +Patch48: backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch +Patch49: backport-fix-the-use-of-isdigit-everywhere.patch +Patch50: backport-Fix-new-warnings-for-unused-results.patch +Patch51: backport-Change-the-first-iteration-test-so-static-analysis-b.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -386,6 +395,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Thu Feb 1 2024 xuraoqing - 1:3.0.1-14 +- backport patches from upstream + * Wed Dec 20 2023 jinlun - 1:3.0.1-13 - backport patches from upstream diff --git a/backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch b/backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch new file mode 100644 index 0000000000000000000000000000000000000000..aa429471793750b5048e4c24c82778b662369151 --- /dev/null +++ b/backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch @@ -0,0 +1,119 @@ +From 2663987c5088924bce510fcf8e7891d6aae976ba Mon Sep 17 00:00:00 2001 +From: cgzones +Date: Sat, 4 Nov 2023 03:48:39 +0100 +Subject: [PATCH] Avoid file descriptor leaks in multi-threaded applications + (#339) + +* lib: set close-on-exec flag + +libaudit may be called from a multi-threaded application. +Avoid leaking local file descriptors on a concurrent execve. + +* lib: simplify SOCK_CLOEXEC + +SOCK_CLOEXEC is supported since Linux 2.6.27. + +Reference:https://github.com/linux-audit/audit-userspace/commit/2663987c5088924bce510fcf8e7891d6aae976ba +Conflict:lib/audit_logging.c,lib/libaudit.c,lib/netlink.c + +--- + lib/audit_logging.c | 2 +- + lib/libaudit.c | 10 +++++----- + lib/netlink.c | 12 +----------- + 3 files changed, 7 insertions(+), 17 deletions(-) + +diff --git a/lib/audit_logging.c b/lib/audit_logging.c +index a9f3257..1e521fe 100644 +--- a/lib/audit_logging.c ++++ b/lib/audit_logging.c +@@ -177,7 +177,7 @@ static char *_get_commname(const char *comm, char *commname, unsigned int size) + + if (comm == NULL) { + int len; +- int fd = open("/proc/self/comm", O_RDONLY); ++ int fd = open("/proc/self/comm", O_RDONLY|O_CLOEXEC); + if (fd < 0) { + strcpy(commname, "\"?\""); + return commname; +diff --git a/lib/libaudit.c b/lib/libaudit.c +index 5843ac0..eda51e8 100644 +--- a/lib/libaudit.c ++++ b/lib/libaudit.c +@@ -220,7 +220,7 @@ static int load_libaudit_config(const char *path) + char buf[128]; + + /* open the file */ +- rc = open(path, O_NOFOLLOW|O_RDONLY); ++ rc = open(path, O_NOFOLLOW|O_RDONLY|O_CLOEXEC); + if (rc < 0) { + if (errno != ENOENT) { + audit_msg(LOG_ERR, "Error opening %s (%s)", +@@ -260,7 +260,7 @@ static int load_libaudit_config(const char *path) + } + + /* it's ok, read line by line */ +- f = fdopen(fd, "rm"); ++ f = fdopen(fd, "rme"); + if (f == NULL) { + audit_msg(LOG_ERR, "Error - fdopen failed (%s)", + strerror(errno)); +@@ -894,7 +894,7 @@ uid_t audit_getloginuid(void) + char buf[16]; + + errno = 0; +- in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY); ++ in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC); + if (in < 0) + return -1; + do { +@@ -922,7 +922,7 @@ int audit_setloginuid(uid_t uid) + + errno = 0; + count = snprintf(loginuid, sizeof(loginuid), "%u", uid); +- o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); ++ o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC|O_CLOEXEC); + if (o >= 0) { + int block, offset = 0; + +@@ -958,7 +958,7 @@ uint32_t audit_get_session(void) + char buf[16]; + + errno = 0; +- in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY); ++ in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC); + if (in < 0) + return -2; + do { +diff --git a/lib/netlink.c b/lib/netlink.c +index 4d0670a..6168eb3 100644 +--- a/lib/netlink.c ++++ b/lib/netlink.c +@@ -51,7 +51,7 @@ static int check_ack(int fd); + int audit_open(void) + { + int saved_errno; +- int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT); ++ int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); + + if (fd < 0) { + saved_errno = errno; +@@ -64,16 +64,6 @@ int audit_open(void) + "Error opening audit netlink socket (%s)", + strerror(errno)); + errno = saved_errno; +- return fd; +- } +- if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { +- saved_errno = errno; +- audit_msg(LOG_ERR, +- "Error setting audit netlink socket CLOEXEC flag (%s)", +- strerror(errno)); +- close(fd); +- errno = saved_errno; +- return -1; + } + return fd; + } +-- +2.33.0 + diff --git a/backport-Change-the-first-iteration-test-so-static-analysis-b.patch b/backport-Change-the-first-iteration-test-so-static-analysis-b.patch new file mode 100644 index 0000000000000000000000000000000000000000..bf5a1931ca8d8578e0898714eff53172ff6c0499 --- /dev/null +++ b/backport-Change-the-first-iteration-test-so-static-analysis-b.patch @@ -0,0 +1,39 @@ +From b84b007cd0ef504e8c86b8cc73646f3119ed343c Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 29 Nov 2023 15:49:21 -0500 +Subject: [PATCH] Change the first iteration test so static analysis better + understands the code + +Reference:https://github.com/linux-audit/audit-userspace/commit/b84b007cd0ef504e8c86b8cc73646f3119ed343c +Conflict:NA + +--- + tools/aulast/aulast-llist.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/aulast/aulast-llist.c b/tools/aulast/aulast-llist.c +index 87638ebc..d7765ba4 100644 +--- a/tools/aulast/aulast-llist.c ++++ b/tools/aulast/aulast-llist.c +@@ -140,11 +140,15 @@ int list_update_logout(llist* l, time_t t, unsigned long serial) + lnode *list_delete_cur(llist *l) + { + register lnode *cur, *prev; +- +- prev = cur = l->head; /* start at the beginning */ ++ ++ if (l == NULL || l->head == NULL) ++ return NULL; ++ ++ prev = cur = l->head; /* start at the beginning */ + while (cur) { + if (cur == l->cur) { +- if (cur == prev && cur == l->head) { ++ // If the first iteration ++ if (prev == l->head && cur == l->head) { + l->head = cur->next; + l->cur = cur->next; + free((void *)cur->name); +-- +2.33.0 + diff --git a/backport-Fix-new-warnings-for-unused-results.patch b/backport-Fix-new-warnings-for-unused-results.patch new file mode 100644 index 0000000000000000000000000000000000000000..c0aa5df631012ed9d2596f6b8861867b92921a10 --- /dev/null +++ b/backport-Fix-new-warnings-for-unused-results.patch @@ -0,0 +1,107 @@ +From a4e8b7e18f249fe5decdd2fe748a5068ffeaee57 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 20 Nov 2023 16:37:46 -0500 +Subject: [PATCH] Fix new warnings for unused results + +Reference:https://github.com/linux-audit/audit-userspace/commit/a4e8b7e18f249fe5decdd2fe748a5068ffeaee57 +Conflict:audisp/plugins/ids/ids.c + +--- + audisp/plugins/ids/ids.c | 5 +++-- + audisp/plugins/ids/ids.h | 2 +- + audisp/plugins/statsd/audisp-statsd.c | 4 ++-- + lib/libaudit.c | 3 ++- + lib/netlink.c | 3 ++- + src/auditd.c | 3 ++- + 6 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/audisp/plugins/ids/ids.c b/audisp/plugins/ids/ids.c +index f9f312d..8fe3699 100644 +--- a/audisp/plugins/ids/ids.c ++++ b/audisp/plugins/ids/ids.c +@@ -91,9 +91,10 @@ static void destroy_audit(void) + audit_close(audit_fd); + } + +-void log_audit_event(int type, const char *text, int res) ++int log_audit_event(int type, const char *text, int res) + { +- audit_log_user_message(audit_fd, type, text, NULL, NULL, NULL, res); ++ return audit_log_user_message(audit_fd, type, text, ++ NULL, NULL, NULL, res); + } + + +diff --git a/audisp/plugins/ids/ids.h b/audisp/plugins/ids/ids.h +index eb1d83c..2cf13b6 100644 +--- a/audisp/plugins/ids/ids.h ++++ b/audisp/plugins/ids/ids.h +@@ -14,6 +14,6 @@ + extern int debug; + extern void my_printf(const char *fmt, ...) + __attribute__ (( format(printf, 1, 2) )); +-extern void log_audit_event(int type, const char *text, int res); ++extern int log_audit_event(int type, const char *text, int res); + + #endif +diff --git a/audisp/plugins/statsd/audisp-statsd.c b/audisp/plugins/statsd/audisp-statsd.c +index e562afa..934db5c 100644 +--- a/audisp/plugins/statsd/audisp-statsd.c ++++ b/audisp/plugins/statsd/audisp-statsd.c +@@ -216,9 +216,9 @@ static void get_kernel_status(void) + struct audit_reply rep; + + audit_request_status(audit_fd); +- audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0); ++ int rc = audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0); + +- if (rep.type == AUDIT_GET) { ++ if (rc > 0 && rep.type == AUDIT_GET) { + // add info to global audit event struct + r.lost = rep.status->lost; + r.backlog = rep.status->backlog; +diff --git a/lib/libaudit.c b/lib/libaudit.c +index eda51e8..86c333c 100644 +--- a/lib/libaudit.c ++++ b/lib/libaudit.c +@@ -467,7 +467,8 @@ int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode) + rc = poll(pfd, 1, 100); /* .1 second */ + } while (rc < 0 && errno == EINTR); + +- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); ++ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0)) ++ ; // intentionally empty + return 1; + } + +diff --git a/lib/netlink.c b/lib/netlink.c +index 4d0670a..9b438b8 100644 +--- a/lib/netlink.c ++++ b/lib/netlink.c +@@ -300,7 +300,8 @@ retry: + else if (rc > 0 && rep.type == NLMSG_ERROR) { + int error = rep.error->error; + /* Eat the message */ +- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); ++ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0)) ++ ; // intentionally empty + + /* NLMSG_ERROR can indicate success, only report nonzero */ + if (error) { +diff --git a/src/auditd.c b/src/auditd.c +index 8ab2fe1..5cb4394 100644 +--- a/src/auditd.c ++++ b/src/auditd.c +@@ -1152,7 +1152,8 @@ static void clean_exit(void) + audit_msg(LOG_INFO, "The audit daemon is exiting."); + if (fd >= 0) { + if (!opt_aggregate_only) +- audit_set_pid(fd, 0, WAIT_NO); ++ if (audit_set_pid(fd, 0, WAIT_NO)) ++ ; // intentionally empty + audit_close(fd); + } + if (pidfile) +-- +2.33.0 + diff --git a/backport-Make-session-id-consistently-typed-327.patch b/backport-Make-session-id-consistently-typed-327.patch new file mode 100644 index 0000000000000000000000000000000000000000..267b52d48d0dfbbf72efc08a4aec23fed48d166b --- /dev/null +++ b/backport-Make-session-id-consistently-typed-327.patch @@ -0,0 +1,62 @@ +From 8359a7004de5e22c5a9b85c01c56e3b376d84a81 Mon Sep 17 00:00:00 2001 +From: Michael Tautschnig +Date: Thu, 2 Nov 2023 21:53:29 +0100 +Subject: [PATCH] Make session id consistently typed (#327) + +This fixes type-conflicting definitions and declarations. + +Reference:https://github.com/linux-audit/audit-userspace/commit/8359a7004de5e22c5a9b85c01c56e3b376d84a81 +Conflict:src/ausearch-options.c + +--- + src/aureport-options.c | 3 ++- + src/ausearch-options.c | 10 ++++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/aureport-options.c b/src/aureport-options.c +index 167157a..7a8d92a 100644 +--- a/src/aureport-options.c ++++ b/src/aureport-options.c +@@ -61,7 +61,8 @@ const char *event_uuid = NULL; + const char *event_vmname = NULL; + long long event_exit = 0; + int event_exit_is_set = 0; +-int event_ppid = -1, event_session_id = -2; ++pid_t event_ppid = -1; ++uint32_t event_session_id = -2; + int event_debug = 0, event_machine = -1; + time_t arg_eoe_timeout = (time_t)0; + +diff --git a/src/ausearch-options.c b/src/ausearch-options.c +index 5f6aace..eff0596 100644 +--- a/src/ausearch-options.c ++++ b/src/ausearch-options.c +@@ -888,19 +888,21 @@ int check_params(int count, char *vars[]) + size_t len = strlen(optarg); + if (isdigit(optarg[0])) { + errno = 0; +- event_session_id = strtoul(optarg,NULL,10); +- if (errno) ++ unsigned long optval = strtoul(optarg,NULL,10); ++ if (errno || optval >= (1ul << 32)) + retval = -1; ++ event_session_id = optval; + c++; + } else if (len >= 2 && *(optarg)=='-' && + (isdigit(optarg[1]))) { + errno = 0; +- event_session_id = strtoul(optarg, NULL, 0); +- if (errno) { ++ long optval = strtol(optarg, NULL, 0); ++ if (errno || optval < INT_MIN || optval > INT_MAX) { + retval = -1; + fprintf(stderr, "Error converting %s\n", + optarg); + } ++ event_session_id = optval; + c++; + } else { + fprintf(stderr, +-- +2.33.0 + diff --git a/backport-fix-the-use-of-isdigit-everywhere.patch b/backport-fix-the-use-of-isdigit-everywhere.patch new file mode 100644 index 0000000000000000000000000000000000000000..be2820ff8d5e5d6b7754ba094e99e7ffe6b896aa --- /dev/null +++ b/backport-fix-the-use-of-isdigit-everywhere.patch @@ -0,0 +1,388 @@ +From 149a3464ef35fbaa98c57e2775a7a4ab20c2ee75 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Sun, 5 Nov 2023 14:24:49 -0500 +Subject: [PATCH] fix the use of isdigit everywhere + + +Reference:https://github.com/linux-audit/audit-userspace/commit/149a3464ef35fbaa98c57e2775a7a4ab20c2ee75 +Conflict:audisp/plugins/af_unix/audisp-af_unix.c,src/ausearch-options.c + +--- + audisp/plugins/ids/ids_config.c | 2 +- + audisp/plugins/remote/remote-config.c | 2 +- + audisp/plugins/zos-remote/zos-remote-config.c | 6 ++-- + auparse/auditd-config.c | 2 +- + auparse/interpret.c | 6 ++-- + src/auditctl.c | 6 ++-- + src/aureport-options.c | 4 +-- + src/aureport-output.c | 2 +- + src/ausearch-options.c | 36 +++++++++---------- + src/ausearch-parse.c | 2 +- + tools/ausyscall/ausyscall.c | 4 +-- + 11 files changed, 36 insertions(+), 36 deletions(-) + +diff --git a/audisp/plugins/ids/ids_config.c b/audisp/plugins/ids/ids_config.c +index 4da5ca9..f773794 100644 +--- a/audisp/plugins/ids/ids_config.c ++++ b/audisp/plugins/ids/ids_config.c +@@ -345,7 +345,7 @@ static int unsigned_int_parser(struct nv_pair *nv, int line, unsigned int *val) + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + syslog(LOG_ERR, + "Value %s should only be numbers - line %d", + nv->value, line); +diff --git a/audisp/plugins/remote/remote-config.c b/audisp/plugins/remote/remote-config.c +index 7d80752..1f05cdd 100644 +--- a/audisp/plugins/remote/remote-config.c ++++ b/audisp/plugins/remote/remote-config.c +@@ -484,7 +484,7 @@ static int parse_uint (const struct nv_pair *nv, int line, unsigned int *valp, + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + syslog(LOG_ERR, + "Value %s should only be numbers - line %d", + nv->value, line); +diff --git a/audisp/plugins/zos-remote/zos-remote-config.c b/audisp/plugins/zos-remote/zos-remote-config.c +index b92dc77..2f7e42f 100644 +--- a/audisp/plugins/zos-remote/zos-remote-config.c ++++ b/audisp/plugins/zos-remote/zos-remote-config.c +@@ -301,7 +301,7 @@ static int port_parser(struct nv_pair *nv, int line, plugin_conf_t * c) + + /* check that all chars are numbers */ + for (i = 0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + log_err("Value %s should only be numbers - line %d", nv->value, line); + return 1; + } +@@ -327,7 +327,7 @@ static int timeout_parser(struct nv_pair *nv, int line, plugin_conf_t * c) + + /* check that all chars are numbers */ + for (i = 0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + log_err("Value %s should only be numbers - line %d", nv->value, line); + return 1; + } +@@ -376,7 +376,7 @@ static int q_depth_parser(struct nv_pair *nv, int line, plugin_conf_t * c) + + /* check that all chars are numbers */ + for (i = 0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + log_err("Value %s should only be numbers - line %d", nv->value, line); + return 1; + } +diff --git a/auparse/auditd-config.c b/auparse/auditd-config.c +index bdb9cf8..d0fa746 100644 +--- a/auparse/auditd-config.c ++++ b/auparse/auditd-config.c +@@ -341,7 +341,7 @@ static int eoe_timeout_parser(auparse_state_t *au, const char *val, int line, + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { +- if (!isdigit(ptr[i])) { ++ if (!isdigit((unsigned char)ptr[i])) { + audit_msg(au, LOG_ERR, + "Value %s should only be numbers - line %d", + val, line); +diff --git a/auparse/interpret.c b/auparse/interpret.c +index 84c41ea..cc03a15 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -321,7 +321,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode) + static int is_int_string(const char *str) + { + while (*str) { +- if (!isdigit(*str)) ++ if (!isdigit((unsigned char)*str)) + return 0; + str++; + } +@@ -1381,7 +1381,7 @@ static const char *print_success(const char *val) + { + int res; + +- if (isdigit(*val)) { ++ if (isdigit((unsigned char)*val)) { + errno = 0; + res = strtoul(val, NULL, 10); + if (errno) { +@@ -2185,7 +2185,7 @@ static const char *print_fanotify(const char *val) + { + int res; + +- if (isdigit(*val)) { ++ if (isdigit((unsigned char)*val)) { + errno = 0; + res = strtoul(val, NULL, 10); + if (errno) { +diff --git a/src/auditctl.c b/src/auditctl.c +index 1eb424c..778b374 100644 +--- a/src/auditctl.c ++++ b/src/auditctl.c +@@ -631,7 +631,7 @@ static int setopt(int count, int lineno, char *vars[]) + } + break; + case 'r': +- if (optarg && isdigit(optarg[0])) { ++ if (optarg && isdigit((unsigned char)optarg[0])) { + uint32_t rate; + errno = 0; + rate = strtoul(optarg,NULL,0); +@@ -650,7 +650,7 @@ static int setopt(int count, int lineno, char *vars[]) + } + break; + case 'b': +- if (optarg && isdigit(optarg[0])) { ++ if (optarg && isdigit((unsigned char)optarg[0])) { + uint32_t limit; + errno = 0; + limit = strtoul(optarg,NULL,0); +@@ -1061,7 +1061,7 @@ process_keys: + case 2: + #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \ + HAVE_DECL_AUDIT_STATUS_BACKLOG_WAIT_TIME == 1 +- if (optarg && isdigit(optarg[0])) { ++ if (optarg && isdigit((unsigned char)optarg[0])) { + uint32_t bwt; + errno = 0; + bwt = strtoul(optarg,NULL,0); +diff --git a/src/aureport-options.c b/src/aureport-options.c +index 7a8d92a..7264d5e 100644 +--- a/src/aureport-options.c ++++ b/src/aureport-options.c +@@ -384,7 +384,7 @@ int check_params(int count, char *vars[]) + // } else { + // UNIMPLEMENTED; + // set_detail(D_SPECIFIC); +-// if (isdigit(optarg[0])) { ++// if (isdigit((unsigned char)optarg[0])) { + // errno = 0; + // event_id = strtoul(optarg, + // NULL, 10); +@@ -763,7 +763,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10); + if (errno || arg_eoe_timeout == 0) { +diff --git a/src/aureport-output.c b/src/aureport-output.c +index a635d53..27a2ce2 100644 +--- a/src/aureport-output.c ++++ b/src/aureport-output.c +@@ -976,7 +976,7 @@ static void do_user_summary_output(slist *sptr) + long uid; + char name[64]; + +- if (sn->str[0] == '-' || isdigit(sn->str[0])) { ++ if (sn->str[0] == '-' || isdigit((unsigned char)sn->str[0])) { + uid = strtol(sn->str, NULL, 10); + printf("%u ", sn->hits); + safe_print_string(aulookup_uid(uid, name, +diff --git a/src/ausearch-options.c b/src/ausearch-options.c +index eff0596..aa13590 100644 +--- a/src/ausearch-options.c ++++ b/src/ausearch-options.c +@@ -253,7 +253,7 @@ static int convert_str_to_msg(const char *optarg) + { + int tmp, retval = 0; + +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + tmp = strtoul(optarg, NULL, 10); + if (errno) { +@@ -335,7 +335,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_id = strtoul(optarg, NULL, 10); + if (errno) { +@@ -357,7 +357,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10); + if (errno || arg_eoe_timeout == 0) { +@@ -463,7 +463,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_gid = strtoul(optarg,NULL,10); + if (errno) { +@@ -497,7 +497,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_egid = strtoul(optarg,NULL,10); + if (errno) { +@@ -529,7 +529,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_gid = strtoul(optarg,NULL,10); + if (errno) { +@@ -648,7 +648,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_ppid = strtol(optarg,NULL,10); + if (errno) +@@ -669,7 +669,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_pid = strtol(optarg,NULL,10); + if (errno) +@@ -787,7 +787,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_syscall = (int)strtoul(optarg, NULL, 10); + if (errno) { +@@ -886,7 +886,7 @@ int check_params(int count, char *vars[]) + } + { + size_t len = strlen(optarg); +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + unsigned long optval = strtoul(optarg,NULL,10); + if (errno || optval >= (1ul << 32)) +@@ -894,7 +894,7 @@ int check_params(int count, char *vars[]) + event_session_id = optval; + c++; + } else if (len >= 2 && *(optarg)=='-' && +- (isdigit(optarg[1]))) { ++ (isdigit((unsigned char)optarg[1]))) { + errno = 0; + long optval = strtol(optarg, NULL, 0); + if (errno || optval < INT_MIN || optval > INT_MAX) { +@@ -926,7 +926,7 @@ int check_params(int count, char *vars[]) + } + { + size_t len = strlen(optarg); +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_exit = strtoll(optarg, NULL, 0); + if (errno) { +@@ -935,7 +935,7 @@ int check_params(int count, char *vars[]) + optarg); + } + } else if (len >= 2 && *(optarg)=='-' && +- (isdigit(optarg[1]))) { ++ (isdigit((unsigned char)optarg[1]))) { + errno = 0; + event_exit = strtoll(optarg, NULL, 0); + if (errno) { +@@ -1067,7 +1067,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_uid = strtoul(optarg,NULL,10); + if (errno) { +@@ -1100,7 +1100,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_euid = strtoul(optarg,NULL,10); + if (errno) { +@@ -1133,7 +1133,7 @@ int check_params(int count, char *vars[]) + retval = -1; + break; + } +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_uid = strtoul(optarg,NULL,10); + if (errno) { +@@ -1177,7 +1177,7 @@ int check_params(int count, char *vars[]) + } + { + size_t len = strlen(optarg); +- if (isdigit(optarg[0])) { ++ if (isdigit((unsigned char)optarg[0])) { + errno = 0; + event_loginuid = strtoul(optarg,NULL,10); + if (errno) { +@@ -1187,7 +1187,7 @@ int check_params(int count, char *vars[]) + retval = -1; + } + } else if (len >= 2 && *(optarg)=='-' && +- (isdigit(optarg[1]))) { ++ (isdigit((unsigned char)optarg[1]))) { + errno = 0; + event_loginuid = strtol(optarg, NULL, 0); + if (errno) { +diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c +index 7ee7bd4..f34e21d 100644 +--- a/src/ausearch-parse.c ++++ b/src/ausearch-parse.c +@@ -1115,7 +1115,7 @@ try_again: + return 25; + ptr = str + 4; + term = ptr; +- while (isdigit(*term)) ++ while (isdigit((unsigned char)*term)) + term++; + if (term == ptr) + return 14; +diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c +index 206e9ff..2ef4ad1 100644 +--- a/tools/ausyscall/ausyscall.c ++++ b/tools/ausyscall/ausyscall.c +@@ -47,9 +47,9 @@ int main(int argc, char *argv[]) + usage(); + } else if (argc < 2) + usage(); +- ++ + for (i=1; i +Date: Thu, 2 Nov 2023 21:20:40 +0100 +Subject: [PATCH] lib: cast to unsigned char for character test functions + (#338) + +Passing a value not representable by unsigned char is undefined +behavior. + +Reference:https://github.com/linux-audit/audit-userspace/commit/3aa3ccb2bb1c8804fbf43b260c93b65e831242c1 +Conflict:lib/libaudit.c + +--- + lib/libaudit.c | 30 +++++++++++++++--------------- + lib/lookup_table.c | 2 +- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/lib/libaudit.c b/lib/libaudit.c +index 02c263e..5843ac0 100644 +--- a/lib/libaudit.c ++++ b/lib/libaudit.c +@@ -1006,7 +1006,7 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule, + return -2; + nr = audit_name_to_syscall(scall, machine); + if (nr < 0) { +- if (isdigit(scall[0])) ++ if (isdigit((unsigned char)scall[0])) + nr = strtol(scall, NULL, 0); + } + if (nr >= 0) +@@ -1535,11 +1535,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + case AUDIT_OBJ_UID: + // Do positive & negative separate for 32 bit systems + vlen = strlen(v); +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && +- (isdigit((char)*(v+1)))) ++ (isdigit((unsigned char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { +@@ -1559,7 +1559,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + case AUDIT_SGID: + case AUDIT_FSGID: + case AUDIT_OBJ_GID: +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { +@@ -1575,11 +1575,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + if (flags != AUDIT_FILTER_EXIT) + return -EAU_EXITONLY; + vlen = strlen(v); +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && +- (isdigit((char)*(v+1)))) ++ (isdigit((unsigned char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { +@@ -1594,7 +1594,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + flags != AUDIT_FILTER_USER) + return -EAU_MSGTYPEEXCLUDEUSER; + +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else +@@ -1665,7 +1665,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + return -EAU_ARCHMISPLACED; + if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL)) + return -EAU_OPEQNOTEQ; +- if (isdigit((char)*(v))) { ++ if (isdigit((unsigned char)*(v))) { + int machine; + + errno = 0; +@@ -1706,7 +1706,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + return -EAU_STRTOOLONG; + + for (i = 0; i < len; i++) { +- switch (tolower(v[i])) { ++ switch (tolower((unsigned char)v[i])) { + case 'r': + val |= AUDIT_PERM_READ; + break; +@@ -1740,7 +1740,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + return -EAU_FIELDUNAVAIL; + if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL)) + return -EAU_OPEQNOTEQ; +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else +@@ -1753,11 +1753,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + break; + case AUDIT_ARG0...AUDIT_ARG3: + vlen = strlen(v); +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && +- (isdigit((char)*(v+1)))) ++ (isdigit((unsigned char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else +@@ -1773,11 +1773,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + return -EAU_FIELDNOFILTER; + // Do positive & negative separate for 32 bit systems + vlen = strlen(v); +- if (isdigit((char)*(v))) ++ if (isdigit((unsigned char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && +- (isdigit((char)*(v+1)))) ++ (isdigit((unsigned char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else if (strcmp(v, "unset") == 0) +@@ -1803,7 +1803,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT)) + return -EAU_EXITONLY; + +- if (!isdigit((char)*(v))) ++ if (!isdigit((unsigned char)*(v))) + return -EAU_FIELDVALNUM; + + if (field == AUDIT_INODE) +diff --git a/lib/lookup_table.c b/lib/lookup_table.c +index 23678a4..d97c5fb 100644 +--- a/lib/lookup_table.c ++++ b/lib/lookup_table.c +@@ -223,7 +223,7 @@ int audit_name_to_msg_type(const char *msg_type) + strncpy(buf, msg_type + 8, len); + errno = 0; + return strtol(buf, NULL, 10); +- } else if (isdigit(*msg_type)) { ++ } else if (isdigit((unsigned char)*msg_type)) { + errno = 0; + return strtol(msg_type, NULL, 10); + } +-- +2.33.0 + diff --git a/backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch b/backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch new file mode 100644 index 0000000000000000000000000000000000000000..02367cc1c975c1a4eec0f1d97acee093d1132fff --- /dev/null +++ b/backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch @@ -0,0 +1,35 @@ +From 3f928b21486369c495d9eaca46eb9d506ae576b3 Mon Sep 17 00:00:00 2001 +From: cgzones +Date: Wed, 1 Nov 2023 20:35:40 +0100 +Subject: [PATCH] lib: close audit socket in load_feature_bitmap() (#334) + + +Reference:https://github.com/linux-audit/audit-userspace/commit/3f928b21486369c495d9eaca46eb9d506ae576b3 +Conflict:NA + +--- + lib/libaudit.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/libaudit.c b/lib/libaudit.c +index ded3ab47..4c317c87 100644 +--- a/lib/libaudit.c ++++ b/lib/libaudit.c +@@ -657,12 +657,14 @@ static void load_feature_bitmap(void) + + /* Found it... */ + features_bitmap = rep.status->feature_bitmap; ++ audit_close(fd); + return; + } + } + } + #endif + features_bitmap = AUDIT_FEATURES_UNSUPPORTED; ++ audit_close(fd); + } + + uint32_t audit_get_features(void) +-- +2.33.0 + diff --git a/backport-lib-enclose-macro-to-avoid-precedence-issues.patch b/backport-lib-enclose-macro-to-avoid-precedence-issues.patch new file mode 100644 index 0000000000000000000000000000000000000000..22b74bcbfc94725167bdb252f4fd71247ed479a4 --- /dev/null +++ b/backport-lib-enclose-macro-to-avoid-precedence-issues.patch @@ -0,0 +1,29 @@ +From e97c79260a2e7bdbf02c5162b0c40451c9555111 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 31 Oct 2023 16:49:10 +0100 +Subject: [PATCH] lib: enclose macro to avoid precedence issues + + +Reference:https://github.com/linux-audit/audit-userspace/commit/e97c79260a2e7bdbf02c5162b0c40451c9555111 +Conflict:NA + +--- + lib/audit_logging.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/audit_logging.c b/lib/audit_logging.c +index 8b8b6207..e8b79d3e 100644 +--- a/lib/audit_logging.c ++++ b/lib/audit_logging.c +@@ -38,7 +38,7 @@ + #include "private.h" + + #define TTY_PATH 32 +-#define MAX_USER (UT_NAMESIZE * 2) + 8 ++#define MAX_USER ((UT_NAMESIZE * 2) + 8) + + // NOTE: The kernel fills in pid, uid, and loginuid of sender. Therefore, + // these routines do not need to send them. +-- +2.33.0 + diff --git a/backport-memory-allocation-updates-341.patch b/backport-memory-allocation-updates-341.patch new file mode 100644 index 0000000000000000000000000000000000000000..254e6b3114924889ec81c8bc16ce1a0cac578269 --- /dev/null +++ b/backport-memory-allocation-updates-341.patch @@ -0,0 +1,56 @@ +From b92027ac9e29659483a5e920e548fe74126f72af Mon Sep 17 00:00:00 2001 +From: cgzones +Date: Wed, 1 Nov 2023 22:15:40 +0100 +Subject: [PATCH] memory allocation updates (#341) + +* Check memory allocation + +Avoid later NULL dereference. + +* Check memory allocation and merge zeroing + +Avoid later NULL dereference. + +Reference:https://github.com/linux-audit/audit-userspace/commit/b92027ac9e29659483a5e920e548fe74126f72af +Conflict:NA + +--- + auparse/interpret.c | 2 ++ + lib/libaudit.c | 7 +++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/auparse/interpret.c b/auparse/interpret.c +index ecde07ae..76ca2814 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -366,6 +366,8 @@ char *au_unescape(char *buf) + // strlen(buf) / 2. + olen = strlen(buf); + str = malloc(olen+1); ++ if (!str) ++ return NULL; + + saved = *ptr; + *ptr = 0; +diff --git a/lib/libaudit.c b/lib/libaudit.c +index 6a42871b..d90d83b8 100644 +--- a/lib/libaudit.c ++++ b/lib/libaudit.c +@@ -891,9 +891,12 @@ int audit_make_equivalent(int fd, const char *mount_point, + struct { + uint32_t sizes[2]; + unsigned char buf[]; +- } *cmd = malloc(sizeof(*cmd) + len1 + len2); ++ } *cmd = calloc(1, sizeof(*cmd) + len1 + len2); + +- memset(cmd, 0, sizeof(*cmd) + len1 + len2); ++ if (!cmd) { ++ audit_msg(LOG_ERR, "Cannot allocate memory!"); ++ return -ENOMEM; ++ } + + cmd->sizes[0] = len1; + cmd->sizes[1] = len2; +-- +2.33.0 +