From 9d4920db03324847f269ffd8583037e8f0ca1ab9 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Wed, 30 Jul 2025 07:30:38 +0000
Subject: [PATCH] backport patches from upstream
---
 audit.spec | 12 ++-
 backport-Check-return-of-audit_strsplit.patch | 23 ++++++
 ...ote-segfault-on-connection-error-446.patch | 80 +++++++++++++++++++
 backport-Fix-fuzzer-induced-parsing.patch | 39 +++++++++
 ...ort-Fixup-leaks-in-testing-with-ASAN.patch | 24 ++++++
 ...elease-queue-mutexes-during-teardown.patch | 40 ++++++++++
 backport-Terminate-a-couple-strncpy.patch | 34 ++++++++
 ...ort-cllist_append-append-improvement.patch | 58 ++++++++++++++
 8 files changed, 309 insertions(+), 1 deletion(-)
 create mode 100644 backport-Check-return-of-audit_strsplit.patch
 create mode 100644 backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
 create mode 100644 backport-Fix-fuzzer-induced-parsing.patch
 create mode 100644 backport-Fixup-leaks-in-testing-with-ASAN.patch
 create mode 100644 backport-Release-queue-mutexes-during-teardown.patch
 create mode 100644 backport-Terminate-a-couple-strncpy.patch
 create mode 100644 backport-cllist_append-append-improvement.patch
diff --git a/audit.spec b/audit.spec
index 71186e8..a5d6d65 100644
--- a/audit.spec
+++ b/audit.spec
@@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
 Version: 3.1.2
-Release: 9
+Release: 10
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -47,6 +47,13 @@ Patch35: backport-Correct-output-when-displaying-rules-with-exe-path-d.patch
 Patch36: backport-ausearch-format-Fix-display-of-renamed-file-411.patch
 Patch37: backport-Fix-a-maybe-uninitialized-warning.patch
 Patch38: backport-ausearch-parse-fix-parsing-for-success-uid-in-parse_.patch
+Patch39: backport-Check-return-of-audit_strsplit.patch
+Patch40: backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
+Patch41: backport-Fix-fuzzer-induced-parsing.patch
+Patch42: backport-Fixup-leaks-in-testing-with-ASAN.patch
+Patch43: backport-cllist_append-append-improvement.patch
+Patch44: backport-Terminate-a-couple-strncpy.patch
+Patch45: backport-Release-queue-mutexes-during-teardown.patch
 
 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@@ -388,6 +395,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz
 
 %changelog
+* Wed Jul 30 2025 yanglongkang - 1:3.1.2-10
+- backport patches from upstream
+
 * Thu May 15 2025 xuraoqing - 1:3.1.2-9
 - copy audit.h do not needed, while swig compile error with flex array has been fixed
 
diff --git a/backport-Check-return-of-audit_strsplit.patch b/backport-Check-return-of-audit_strsplit.patch
new file mode 100644
index 0000000..62493a6
--- /dev/null
+++ b/backport-Check-return-of-audit_strsplit.patch
@@ -0,0 +1,23 @@
+From 0b27bb4d4c309bbef88945ee7b62722f9e54458f Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 17 Mar 2025 08:27:28 -0400
+Subject: [PATCH] Check return of audit_strsplit
+
+This fixes Issue #440
+---
+ src/ausearch-lol.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 9d5110e85..c86449707 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -191,6 +191,8 @@ static int extract_timestamp(const char *b, event *e)
+ 	if (*ptr == 'n') {
+ 		tnode = ptr+5;
+ 		ptr = audit_strsplit(NULL);
++		if (ptr == NULL)
++			return 0;
+ 	} else
+ 		tnode = NULL;
+ 
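Review bot: The new %changelog entry `- backport patches from upstream` gives no way to map this release to what it actually fixes, although the added Patch39–Patch45 cover upstream issues #440, #446 and #448 plus a strncpy termination and a mutex teardown fix. Package consumers triaging a release need that traceability in the metadata, so the entry should at least name the issues and the subsystems touched, e.g. `- backport patches from upstream (ausearch parsing #440/#448, audisp-remote krb5 teardown #446, strncpy termination, queue mutex teardown)`.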
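Review bot: The new early return in extract_timestamp is unexplained; a record that ends right after `node=` now makes the whole event fail to parse, and a reader has to know that audit_strsplit(NULL) returns NULL at end of input to see why. I would put `/* node= with nothing after it: truncated record, refuse to parse */` above the check. extract_timestamp continues outside the hunk, so whether 0 is the function's failure value on its other paths is not visible here and should be confirmed.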
diff --git a/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch b/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
new file mode 100644
index 0000000..66e8593
--- /dev/null
+++ b/backport-Fix-audisp-remote-segfault-on-connection-error-446.patch
@@ -0,0 +1,80 @@
+From 5163b6d1edc086be6845e3ed6a60d297541330ef Mon Sep 17 00:00:00 2001
+From: Tobias Deiminger
+Date: Fri, 11 Apr 2025 17:46:50 +0200
+Subject: [PATCH] Fix audisp-remote segfault on connection error (#446)
+
+audisp-remote.c:stop_sock lacked NULL pointer checks if build
+configuration is with --enable-gssapi-krb5=yes.
+
+If auditd is started with audisp-remote plugin active and
+transport=KRB5, the audisp-remote child crashes on connection errors
+with segfault in krb5_cc_close due to NULL pointer dereference. This
+will happen immediately at startup if the remote server is not
+available, or later if an already established connection breaks.
+
+It may have been exploited as follows: auditd supervises the
+audisp-remote child. If it sees repeated crashes, it'll report
+"audisp-remote has exceeded max_restarts" (depends on config). When this
+state is reached, auditd stops retrying and remote forwarding remains
+broken even if the remote server becomes available again. In other
+words, temporarily disturbing the network connection sufficed to
+permanently break auditd forwarding.
+
+To fix it, check pointers in stop_sock before passing them on.
+
+Co-authored-by: Tobias Deiminger
+---
+ audisp/plugins/remote/audisp-remote.c | 40 ++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index c7a947ef3..9b2e15b05 100644
+--- a/audisp/plugins/remote/audisp-remote.c
++++ b/audisp/plugins/remote/audisp-remote.c
+@@ -1060,19 +1060,33 @@ static int stop_sock(void)
+ 	if (sock >= 0) {
+ #ifdef USE_GSSAPI
+ 		if (USE_GSS) {
+-			OM_uint32 minor_status;
+-			gss_delete_sec_context(&minor_status, &my_context,
+-					       GSS_C_NO_BUFFER);
+-			my_context = GSS_C_NO_CONTEXT;
+-			krb5_cc_close(kcontext, ccache);
+-			ccache = NULL;
+-			krb5_kt_close(kcontext, keytab);
+-			keytab = NULL;
+-			krb5_free_principal(kcontext, audit_princ);
+-			krb5_free_default_realm(kcontext, realm_name);
+-			realm_name = NULL;
+-			krb5_free_context(kcontext);
+-			kcontext = NULL;
++			if (my_context != GSS_C_NO_CONTEXT) {
++				OM_uint32 minor_status;
++				gss_delete_sec_context(&minor_status, &my_context,
++						       GSS_C_NO_BUFFER);
++				my_context = GSS_C_NO_CONTEXT;
++			}
++
++			if (kcontext != NULL) {
++				if (ccache != NULL) {
++					krb5_cc_close(kcontext, ccache);
++					ccache = NULL;
++				}
++				if (keytab != NULL) {
++					krb5_kt_close(kcontext, keytab);
++					keytab = NULL;
++				}
++				if (audit_princ != NULL) {
++					krb5_free_principal(kcontext, audit_princ);
++					audit_princ = NULL;
++				}
++				if (realm_name != NULL) {
++					krb5_free_default_realm(kcontext, realm_name);
++					realm_name = NULL;
++				}
++				krb5_free_context(kcontext);
++				kcontext = NULL;
++			}
+ 		}
+ #endif
+ 		shutdown(sock, SHUT_RDWR);
diff --git a/backport-Fix-fuzzer-induced-parsing.patch b/backport-Fix-fuzzer-induced-parsing.patch
new file mode 100644
index 0000000..8011fd1
--- /dev/null
+++ b/backport-Fix-fuzzer-induced-parsing.patch
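Review bot: The NULL guards remove the crash but leave the invariant they depend on unstated: stop_sock can now run after a failed or partial GSS/krb5 setup, and the per-handle checks are only meaningful while kcontext exists, which is why the four krb5 releases are nested under `if (kcontext != NULL)`. I would open the GSS block with `/* stop_sock() may run after a failed or partial setup (reconnect errors); every handle is tested before release so a connection error cannot take the plugin down */` so the next edit does not hoist one of the releases out of that nesting. One behavioural change the commit message does not mention is that audit_princ is now reset to NULL after release, which the old code never did; that is correct but worth a line in the description since it is what makes the guard safe on a second call. stop_sock continues past the hunk with the shutdown of sock.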
@@ -0,0 +1,39 @@
+From f5d0a16f1d18a4df6d44aaa7cbd962f3c8f8b13d Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sun, 13 Apr 2025 17:44:00 -0400
+Subject: [PATCH] Fix fuzzer induced parsing
+
+There are 2 places where severely corrupted logs could make
+ausearch/report access out of bounds string memeory. Check the
+length before using them. See issue #448.
+---
+ src/ausearch-parse.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 68e2b29e5..e4724bf99 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -676,7 +676,9 @@ static int parse_dir(const lnode *n, search_items *s)
+ 	char *str, *term;
+ 
+ 	if (event_filename) {
+-		// dont do this search unless needed
++		// dont do this search unless needed
++		if (strlen(n->message) < 34)
++			return 0;
+ 		str = strstr(n->message+NAME_OFFSET, " cwd=");
+ 		if (str) {
+ 			str += 5;
+@@ -808,8 +810,10 @@ static int parse_path(const lnode *n, search_items *s)
+ 	// anything before that. Its only time and type.
+ 	char *str, *term = n->message+NAME_OFFSET;
+ 
++	// dont do this search unless needed
++	if (strlen(n->message) < 35)
++		return 0;
+ 	if (event_filename) {
+-		// dont do this search unless needed
+ 		str = strstr(term, " name=");
+ 		if (str) {
+ 			int rc;
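Review bot: In parse_path the guard comes too late to cover the pointer it protects: `char *str, *term = n->message+NAME_OFFSET;` is evaluated before the new `strlen(n->message) < 35` check, so for a short record the out-of-range pointer is still formed (undefined behaviour in C even without a dereference); declare `term` uninitialised and assign `term = n->message+NAME_OFFSET;` after the `return 0`. The bounds 34 and 35 are bare magic numbers whose relation to NAME_OFFSET and the fields searched for (` cwd=`, ` name=`) is invisible, so deriving them from NAME_OFFSET or naming them would keep the next change to the record prefix from silently breaking the check, if that is indeed how they were chosen. The comment moved above the length check in parse_path, `// dont do this search unless needed`, no longer describes the line under it; `// record too short to hold the prefix plus a field` is what the guard does. Both functions continue outside their hunks.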
@@ -0,0 +1,24 @@
+From 44679d4507829825fa9f0fcf146f44c01107fa1e Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sun, 15 Jun 2025 13:41:12 -0400
+Subject: [PATCH] Fixup leaks in testing with ASAN
+
+---
+ src/auditd-event.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletion(-)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 552dcb26c..a86ad6b45 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -268,6 +268,9 @@ static void replace_event_msg(struct auditd_event *e, const char *buf)
+ 	if (buf) {
+ 		size_t len = strlen(buf);
+ 
++		if (e->reply.message != e->reply.msg.data)
++			free((void *)e->reply.message);
++
+ 		if (len < MAX_AUDIT_MESSAGE_LENGTH - 1)
+ 			e->reply.message = strdup(buf);
+ 		else {
+
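Review bot: The new free in replace_event_msg relies on an ownership rule that is not written anywhere in the hunk: e->reply.message must either alias the inline e->reply.msg.data buffer or own a heap copy, and if any constructor of auditd_event leaves the field uninitialised or pointing at a string it does not own, this becomes a wild free rather than a leak. State the rule at the free, `/* message aliases msg.data or owns a strdup'd copy; drop a previous copy before installing the new one */`, and confirm every allocation path of struct auditd_event initialises message to msg.data or NULL (not visible here). Between the free and the assignment below the field holds a dangling pointer; resetting it right after the free, `e->reply.message = e->reply.msg.data;`, keeps the struct consistent in that window and on the else branch that the hunk cuts off. The function continues outside the hunk.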
@@ -0,0 +1,40 @@
+From bbac8f8bb4dd2fe43388c08c593edac1de712e74 Mon Sep 17 00:00:00 2001
+From: Cropi
+Date: Mon, 23 Jun 2025 12:38:15 +0200
+Subject: [PATCH] Release queue mutexes during teardown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Destroy the queue mutex and condition variable in the zos‑remote cleanup
+and destroy the queue mutex in the main audisp queue destructor after
+freeing entries.
+---
+ audisp/plugins/zos-remote/zos-remote-queue.c | 2 ++
+ audisp/queue.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/audisp/plugins/zos-remote/zos-remote-queue.c b/audisp/plugins/zos-remote/zos-remote-queue.c
+index 67397f386..eb2c0da36 100644
+--- a/audisp/plugins/zos-remote/zos-remote-queue.c
++++ b/audisp/plugins/zos-remote/zos-remote-queue.c
+@@ -152,5 +152,7 @@ void destroy_queue(void)
+ 	}
+ 
+ 	free(q);
++	pthread_mutex_destroy(&queue_lock);
++	pthread_cond_destroy(&queue_nonempty);
+ }
+ 
+diff --git a/audisp/queue.c b/audisp/queue.c
+index 88bc9c291..f3167125a 100644
+--- a/audisp/queue.c
++++ b/audisp/queue.c
+@@ -346,6 +346,7 @@ void destroy_queue(void)
+ 	free((void *)q[i]);
+ 
+ 	free(q);
++	pthread_mutex_destroy(&queue_lock);
+ 	q_last = 0;
+ 	q_depth = 0;
+ 	processing_suspended = 1;
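Review bot: pthread_mutex_destroy on a mutex that another thread still holds or is blocked on is undefined behaviour, and nothing in either destroy_queue shows that the consumer thread has been stopped and joined first, so the precondition should be stated at the new lines: `/* caller must have stopped and joined every thread that uses the queue before this point */`. In audisp/queue.c the destroy is followed by writes to q_last, q_depth and processing_suspended with the lock gone, which is only sound under that same no-other-thread precondition. If queue_lock is statically initialised and a queue can be created again after destroy_queue, the init path must now re-initialise the mutex (and, in zos-remote, the condition variable); that path is outside the hunk and worth checking. Both destroy_queue bodies begin outside their hunks.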
@@ -0,0 +1,34 @@
+From 361f506ab0c626e3b14763372a35005dbb154731 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 19 Jun 2025 22:21:43 -0400
+Subject: [PATCH] Terminate a couple strncpy
+
+---
+ src/aureport.c | 1 +
+ src/ausearch.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/aureport.c b/src/aureport.c
+index 22618f023..e4560b50b 100644
+--- a/src/aureport.c
++++ b/src/aureport.c
+@@ -172,6 +172,7 @@ static int process_logs(void)
+ 	clear_config (&config);
+ 
+ 	strncpy(dirname, user_file, MAXPATHLEN-32);
++	dirname[MAXPATHLEN-32] = '\0';
+ 	if (dirname[strlen(dirname)-1] != '/')
+ 		strcat(dirname, "/");
+ 	strcat (dirname, "audit.log");
+diff --git a/src/ausearch.c b/src/ausearch.c
+index cf77ba14c..51e2dffaf 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -244,6 +244,7 @@ static int process_logs(void)
+ 	clear_config (&config);
+ 
+ 	strncpy(dirname, user_file, MAXPATHLEN-32);
++	dirname[MAXPATHLEN-32] = '\0';
+ 	if (dirname[strlen(dirname)-1] != '/')
+ 		strcat(dirname, "/");
+ 	strcat (dirname, "audit.log");
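Review bot: Writing the terminator at `dirname[MAXPATHLEN-32]` only makes the strncpy safe if dirname has at least MAXPATHLEN-31 bytes, and the two strcat calls that follow need ten more, so the fix silently assumes a MAXPATHLEN-byte buffer whose declaration is not in the hunk; please confirm it in both files. The larger problem is that a user_file longer than MAXPATHLEN-32 is now truncated without any report and the tool goes on to open a different, possibly existing directory, which for a log path is worse than failing; reject it before the copy instead, e.g. `if (*user_file == '\0' || strlen(user_file) > MAXPATHLEN-32) { fprintf(stderr, "Log directory path is too long or empty\n"); return 1; }`, with the return value matched to process_logs's failure convention (not visible here). The empty-string case matters because the pre-existing `dirname[strlen(dirname)-1]` indexes before the buffer when dirname is empty. The same applies to the src/ausearch.c hunk; both process_logs bodies continue outside their hunks.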
@@ -0,0 +1,58 @@
+From 1a483c71b09dc885ddfaa9518117e62b09bb0b04 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 19 Jun 2025 12:31:38 -0400
+Subject: [PATCH] cllist_append append improvement
+
+cllist_append() depends on cur always pointing to the tail; appending
+after list traversal may corrupt the list. A dedicated tail pointer
+would avoid misuse.
+---
+ auparse/normalize-llist.c | 7 +++++--
+ auparse/normalize-llist.h | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/normalize-llist.c b/auparse/normalize-llist.c
+index c0b03ae94..18e901ecb 100644
+--- a/auparse/normalize-llist.c
++++ b/auparse/normalize-llist.c
+@@ -28,6 +28,7 @@ void cllist_create(cllist *l, void (*cleanup)(void *))
+ {
+ 	l->head = NULL;
+ 	l->cur = NULL;
++	l->tail = NULL;
+ 	l->cleanup = cleanup;
+ 	l->cnt = 0;
+ }
+@@ -50,6 +51,7 @@ void cllist_clear(cllist *l)
+ 	}
+ 	l->head = NULL;
+ 	l->cur = NULL;
++	l->tail = NULL;
+ 	l->cnt = 0;
+ }
+ 
+@@ -78,9 +80,10 @@ int cllist_append(cllist *l, uint32_t num, void *data)
+ 	if (l->head == NULL)
+ 		l->head = newnode;
+ 	else // Otherwise add pointer to newnode
+-		l->cur->next = newnode;
++		l->tail->next = newnode;
+ 
+-	// make newnode current
++	// update tail and make newnode current
++	l->tail = newnode;
+ 	l->cur = newnode;
+ 	l->cnt++;
+ }
+diff --git a/auparse/normalize-llist.h b/auparse/normalize-llist.h
+index 30cdd6746..62c15f068 100644
+--- a/auparse/normalize-llist.h
++++ b/auparse/normalize-llist.h
+@@ -41,6 +41,7 @@ typedef struct _data_node {
+ typedef struct {
+ 	data_node *head;		// List head
+ 	data_node *cur;			// Pointer to current node
++	data_node *tail;		// Pointer to last node
+ 	void (*cleanup)(void *);	// Function to call when releasing memory
+ 	unsigned int cnt;		// How many items in this list
+ } cllist;
-- 
Gitee
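Review bot: cllist_append now dereferences `l->tail` whenever head is non-NULL, so a list whose head was set, or whose last node was removed, by code that does not maintain tail turns a silent mis-append into a NULL dereference; cllist_create and cllist_clear are the only maintainers visible in the hunk, and the new field's comment should carry the invariant, `data_node *tail; // Last node; valid whenever head is non-NULL, maintained by cllist_append/clear`. The member is inserted between cur and cleanup in auparse/normalize-llist.h; if that header is installed and cllist is part of the library's exported layout, this shifts the offsets of cleanup and cnt for any external code embedding the struct, and appending tail after cnt would avoid that (hedged: depends on whether the header is public). cllist_append's allocation of newnode lies before the hunk, so whether a failed allocation can reach the tail update is not visible here.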