auditctl: correct buffer in filter_supported_syscalls to avoid overflow

Resolves: RHEL-59585
2025-02-11 09:44:28 +01:00 · 2025-02-11 09:44:28 +01:00 · 996c7a2a82
commit 996c7a2a82
parent 62a7f6f867
2 changed files with 64 additions and 1 deletions
--- a/audit.spec
+++ b/audit.spec
@ -2,7 +2,7 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -15,6 +15,7 @@ Patch4: readonly.patch
 Patch5: disable-protectkernmelmodules.patch
 Patch6: remote-logging-ordering-cycle.patch
 Patch7: permtab-filter-unsupport.patch
+Patch8: auditctl-permtab.patch

 BuildRequires: make gcc swig
 BuildRequires: openldap-devel
@ -104,6 +105,7 @@ cp %{SOURCE1} .
 %patch -P 5 -p1
 %patch -P 6 -p1
 %patch -P 7 -p1
+%patch -P 8 -p1

 autoreconf -fv --install

@ -292,6 +294,10 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Tue Feb 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-4
+- auditctl: correct buffer in filter_supported_syscalls to avoid overflow
+  Resolves: RHEL-59585
+
 * Mon Feb 03 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-3
 - Don't do "live" operations during rpm-ostree composes
  Resolves: RHEL-69033
--- a/auditctl-permtab.patch
+++ b/auditctl-permtab.patch
@ -0,0 +1,57 @@
+diff -up audit-3.1.5/lib/libaudit.c.orig audit-3.1.5/lib/libaudit.c
+--- audit-3.1.5/lib/libaudit.c.orig	2025-02-11 12:11:17.529016934 +0100
+++ audit-3.1.5/lib/libaudit.c	2025-02-11 12:13:51.206171338 +0100
+@@ -1516,37 +1516,35 @@ static char* filter_supported_syscalls(c
+ 		return NULL;
+ 	}
+ 
+-	// Allocate memory for the filtered syscalls string
+-	char* filtered_syscalls = malloc(strlen(syscalls) + 1);
+-	if (filtered_syscalls == NULL) {
+-		return NULL;
+-	}
+-	filtered_syscalls[0] = '\0'; // Initialize as empty string
+-
+-	// Tokenize the syscalls string and filter unsupported syscalls
+	char buf[512] = "";
+	char* ptr = buf;
+ 	const char* delimiter = ",";
+
+ 	char* syscalls_copy = strdup(syscalls);
+-	if (syscalls_copy == NULL) {
+-		free(filtered_syscalls);
+	if (syscalls_copy == NULL)
+ 		return NULL;
+-	}
+
+ 	char* token = strtok(syscalls_copy, delimiter);
+	int first = 1; // Track if this is the first syscall being added
+
+ 	while (token != NULL) {
+ 		if (audit_name_to_syscall(token, machine) != -1) {
+-			strcat(filtered_syscalls, token);
+-			strcat(filtered_syscalls, delimiter);
+			if (!first)
+				*ptr++ = ',';
+			ptr = stpcpy(ptr, token);
+			first = 0;
+ 		}
+ 		token = strtok(NULL, delimiter);
+ 	}
+
+ 	free(syscalls_copy);
+ 
+-	// Remove the trailing delimiter, if present
+-	size_t len = strlen(filtered_syscalls);
+-	if (len > 0 && filtered_syscalls[len - 1] == ',') {
+-		filtered_syscalls[len - 1] = '\0';
+	// If no valid syscalls were found, return NULL
+	if (ptr == buf) {
+		return NULL;
+ 	}
+ 
+-	return filtered_syscalls;
+	return strdup(buf);
+ }
+ 
+ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)