From aa92638d777a7ed39ae0515870909c23e3730dec Mon Sep 17 00:00:00 2001 From: steven Y Gui Date: Wed, 1 Sep 2021 16:39:27 +0800 Subject: [PATCH] backport patches for fixing memory leak and double free issues --- audit.spec | 9 +++- ...ing-call-to-free_interpretation_list.patch | 30 ++++++++++++ ...e-memory-leak-caused-in-recent-glibc.patch | 35 ++++++++++++++ ...-Fix-double-free-with-corrupted-logs.patch | 36 +++++++++++++++ ...t-fix-2-more-issues-found-by-fuzzing.patch | 46 +++++++++++++++++++ 5 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 backport-Add-missing-call-to-free_interpretation_list.patch create mode 100644 backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch create mode 100644 backport-Fix-double-free-with-corrupted-logs.patch create mode 100644 backport-fix-2-more-issues-found-by-fuzzing.patch diff --git a/audit.spec b/audit.spec index ec222b7..b30df12 100644 --- a/audit.spec +++ b/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 Version: 3.0 -Release: 2 +Release: 3 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -12,6 +12,10 @@ Patch0: bugfix-audit-support-armv7b.patch Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch Patch2: bugfix-audit-reload-coredump.patch Patch3: backport-Fix-the-default-location-for-zos-remote.conf-171.patch +Patch4: backport-Add-missing-call-to-free_interpretation_list.patch +Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch +Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch +Patch7: backport-Fix-double-free-with-corrupted-logs.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel 
@@ -342,6 +346,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Wed Sep 1 2021 steven.ygui - 3.0-3 +- backport some patches to fix memory leak and double free issues + * Fri May 28 2021 yixiangzhike - 3.0-2 - solve the script failure when package upgrade diff --git a/backport-Add-missing-call-to-free_interpretation_list.patch b/backport-Add-missing-call-to-free_interpretation_list.patch new file mode 100644 index 0000000..9f10263 --- /dev/null +++ b/backport-Add-missing-call-to-free_interpretation_list.patch @@ -0,0 +1,30 @@ +From a9668df44bd635d40b6e7b4db2d12e5cf91c8013 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Thu, 5 Aug 2021 09:54:44 -0400 +Subject: [PATCH] Add missing call to free_interpretation_list + +--- + auparse/auparse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/auparse/auparse.c b/auparse/auparse.c +index ee3c97b..18f1127 100644 +--- a/auparse/auparse.c ++++ b/auparse/auparse.c +@@ -1,5 +1,5 @@ + /* auparse.c -- +- * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2006-08,2012-19,21 Red Hat Inc. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -2014,6 +2014,7 @@ const char *auparse_find_field_next(auparse_state_t *au) + r = aup_list_next(au->le); + if (r) { + aup_list_first_field(au->le); ++ free_interpretation_list(); + load_interpretation_list(r->interp); + } + } +-- + diff --git a/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch b/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch new file mode 100644 index 0000000..e06ed9b --- /dev/null +++ b/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch 
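Review bot: The added `free_interpretation_list();` in auparse_find_field_next repairs this one call site, while `load_interpretation_list(r->interp)` is presumably also reached from the other record-advancing paths in auparse.c that the hunk does not show; each of those needs the same free-before-load pairing or the leak simply moves. A more robust shape is to have load_interpretation_list() release the previous list itself, or to route every caller through one small free-then-load helper, so the pairing cannot be missed again. At minimum, annotate the new line with `/* release the previous record's list before loading the next one */` so it is not later removed as redundant. auparse_find_field_next continues outside the hunk.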
@@ -0,0 +1,35 @@
+From 16246878c503d7395ae668817bf629e05361fec5 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 29 Jul 2021 18:39:22 -0400
+Subject: [PATCH] Fix an auparse memory leak caused in recent glibc
+
+---
+ auparse/interpret.c | 4 ++++-
+ 1 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 2813acb..33c173e 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -50,6 +50,7 @@
+ #include
+ #include
+ #include
++#include /* PATH_MAX */
+ #ifdef USE_FANOTIFY
+ #include
+ #else
+@@ -865,8 +866,10 @@ static const char *print_escaped_ext(const idata *id)
+ str1 = NULL;
+ }
+ errno = 0;
+- out = realpath(str3, NULL);
++ out = malloc(PATH_MAX);
++ realpath(str3, out);
+ if (errno) { // If there's an error, just return the original
++ free(out);
+ free(str1);
+ free(str2);
+ return str3;
+--
+
diff --git a/backport-Fix-double-free-with-corrupted-logs.patch b/backport-Fix-double-free-with-corrupted-logs.patch
new file mode 100644
index 0000000..c252d88
--- /dev/null
+++ b/backport-Fix-double-free-with-corrupted-logs.patch
@@ -0,0 +1,36 @@
+From 0177e03f0809da0007f09504b789eba4b8cbe739 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Fri, 6 Aug 2021 17:03:41 -0400
+Subject: [PATCH] Fix double free with corrupted logs
+
+---
+ src/ausearch-parse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 9ee4a4f..cb7d481 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -420,8 +420,10 @@ try_again:
+ str = strstr(term, "comm=");
+ if (str) {
+ /* Make the syscall one override */
+- if (s->comm)
++ if (s->comm) {
+ free(s->comm);
++ s->comm = NULL;
++ }
+ str += 5;
+ if (*str == '"') {
+ str++;
+@@ -431,7 +433,7 @@ try_again:
+ *term = 0;
+ s->comm = strdup(str);
+ *term = '"';
+- } else
++ } else
+ s->comm = unescape(str);
+ } else
+ return 38;
+--
+
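Review bot: In print_escaped_ext the new `out = malloc(PATH_MAX);` is never checked and the return value of `realpath(str3, out)` is discarded, so the error branch depends entirely on errno. If malloc fails, realpath(str3, NULL) is called, which on glibc allocates a result that is immediately lost and leaves `out` NULL for whatever uses it after the hunk; and because a successful library call is permitted to set errno, a valid result can be thrown away. Checking return values is simpler and portable: replace the `realpath(str3, out);` / `if (errno) {` pair with `if (out == NULL || realpath(str3, out) == NULL) {`, keeping the `free(out);` that follows (free(NULL) is a no-op), after which `errno = 0;` is no longer needed. print_escaped_ext continues outside the hunk.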
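Review bot: The added `s->comm = NULL;` after `free(s->comm);` is the entire double-free fix, but nothing in the code says why the reset matters; the `try_again:` label in the hunk context suggests this block can be re-entered and would otherwise see the stale pointer. Add a comment on that line, `/* cleared so a retry cannot free it again */`, so a later cleanup does not drop it as redundant. The second hunk's `} else` change looks whitespace-only. The enclosing function begins and ends outside the hunk.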
diff --git a/backport-fix-2-more-issues-found-by-fuzzing.patch b/backport-fix-2-more-issues-found-by-fuzzing.patch
new file mode 100644
index 0000000..0a31778
--- /dev/null
+++ b/backport-fix-2-more-issues-found-by-fuzzing.patch
@@ -0,0 +1,46 @@
+From f4683d04eadb7d76b98497af834f027d6005d893 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 9 Aug 2021 17:14:17 -0400
+Subject: [PATCH] fix 2 more issues found by fuzzing
+
+---
+ auparse/auparse.c | 8 +++++++-
+ auparse/ellist.c | 4 +++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index b0e685a..3cf512a 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1611,7 +1611,13 @@ static int au_auparse_next_event(auparse_state_t *au)
+ }
+ aup_list_create(l);
+ aup_list_set_event(l, &e);
+- aup_list_append(l, au->cur_buf, au->list_idx, au->line_number);
++ if (aup_list_append(l, au->cur_buf, au->list_idx,
++ au->line_number) < 0) {
++ au->cur_buf = NULL;
++ aup_list_clear(l);
++ free(l);
++ continue;
++ }
+ // Eat standalone EOE - main event was already marked complete
+ if (l->head->type == AUDIT_EOE) {
+ au->cur_buf = NULL;
+diff --git a/auparse/ellist.c b/auparse/ellist.c
+index 7d9c552..dd711bc 100644
+--- a/auparse/ellist.c
++++ b/auparse/ellist.c
+@@ -290,7 +290,9 @@ static int parse_up_record(rnode* r)
+ while (ptr && *ptr != '}') {
+ len = strlen(ptr);
+ if ((len+1) >= (256-total)) {
+- free(buf);
++ if (nvlist_get_cnt(&r->nv)
++ == 0)
++ free(buf);
+ return -1;
+ }
+ if (tmpctx[0]) {
+--
+
-- Gitee
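Review bot: In parse_up_record the new `if (nvlist_get_cnt(&r->nv) == 0) free(buf);` encodes an ownership rule the code never states: once a field has been added, buf is presumably referenced by r->nv and released together with the list, which is why the unconditional free produced the double free. Add a comment on that line, `/* buf belongs to r->nv once a field references it; only free it while nothing does */`, so the condition is not simplified away later. In the auparse.c hunk, the failed aup_list_append() path sets `au->cur_buf = NULL` without freeing it and then drops the record with `continue` and no diagnostic; that is only leak-free if the callee already took or released the buffer on failure, which is worth confirming against aup_list_append. Both enclosing functions continue outside their hunks.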