Fix issues reported by SAST

* 0004-lib-fix-variable-types-in-common.c-pqos_read.patch: New file. * 0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch: Likewise. * intel-cmt-cat.spec (Release): Bump to 5. (Patch3, Patch4): New patches. (%changelog): New record. Resolves: RHEL-40017 Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
2024-08-23 13:00:21 +02:00 · 2024-08-23 13:00:21 +02:00 · f85de50fae
commit f85de50fae
parent 0f02b140ce
3 changed files with 91 additions and 1 deletions
--- a/0004-lib-fix-variable-types-in-common.c-pqos_read.patch
+++ b/0004-lib-fix-variable-types-in-common.c-pqos_read.patch
@ -0,0 +1,51 @@
+From aadf13d6c87b6fe8d1393623757f826514eaad77 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov <esyr@redhat.com>
+Date: Fri, 16 Aug 2024 16:02:40 +0200
+Subject: [PATCH 4/5] lib: fix variable types in common.c:pqos_read()
+
+The types used for len and ret variables in pqos_read do not match
+neither the function prototype, nor read() library call, which may lead
+to possible overflow;  while the ret overflow is arguably hypothetical
+on Linux, as it likely won't return a value greater than 0x7ffff000,
+which is less than INT_MAX, a potential overflow of len seems
+to be possible, as caller might pass count greater than INT_MAX.
+Fix it by changing the type of len to size_t, to match count,
+and the type of ret to ssize_t, to match the return type of read().
+
+Discovered by covscan:
+
+    Error: INTEGER_OVERFLOW (CWE-190):
+    intel-cmt-cat-23.11/lib/common.c:382: tainted_data_return: Called function "read(fd, byte_ptr, len)", and a possible return value may be less than zero.
+    intel-cmt-cat-23.11/lib/common.c:382: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
+    intel-cmt-cat-23.11/lib/common.c:389: overflow: The expression "len" is considered to have possibly overflowed.
+    intel-cmt-cat-23.11/lib/common.c:382: overflow_sink: "len", which might be negative, is passed to "read(fd, byte_ptr, len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
+    #  380|                   return -1;
+    #  381|
+    #  382|->         while (len != 0 && (ret = read(fd, byte_ptr, len)) != 0) {
+    #  383|                   if (ret == -1) {
+    #  384|                           if (errno == EINTR)
+
+Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
+---
+ lib/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common.c b/lib/common.c
+index 55584b34633a..c9688b82f99d 100644
+--- a/lib/common.c
+++ b/lib/common.c
+@@ -378,9 +378,9 @@ pqos_munmap(void *mem, const uint64_t size)
+ ssize_t
+ pqos_read(int fd, void *buf, size_t count)
+ {
+-        int len = count;
+        size_t len = count;
+         char *byte_ptr = (char *)buf;
+-        int ret;
+        ssize_t ret;
+ 
+         if (buf == NULL)
+                 return -1;
+-- 
+2.28.0
+
--- a/0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch
+++ b/0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch
@ -0,0 +1,34 @@
+From 182bb7032151e39d6af6fc34992c7940568b1117 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov <esyr@redhat.com>
+Date: Fri, 16 Aug 2024 16:11:22 +0200
+Subject: [PATCH 5/5] lib: set errno when buf points to NULL in
+ common.c:pqos_read()
+
+There is little need for the check, as the first read() call is supposed
+to fail with EFAULT in case buf is NULL, but if this check is done,
+it would be nice if it matches the error code the call it wraps.
+
+Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
+---
+ lib/common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/common.c b/lib/common.c
+index c9688b82f99d..3273c86d16e8 100644
+--- a/lib/common.c
+++ b/lib/common.c
+@@ -382,8 +382,10 @@ pqos_read(int fd, void *buf, size_t count)
+         char *byte_ptr = (char *)buf;
+         ssize_t ret;
+ 
+-        if (buf == NULL)
+        if (buf == NULL) {
+                errno = EFAULT;
+                 return -1;
+        }
+ 
+         while (len != 0 && (ret = read(fd, byte_ptr, len)) != 0) {
+                 if (ret == -1) {
+-- 
+2.28.0
+
--- a/intel-cmt-cat.spec
+++ b/intel-cmt-cat.spec
@ -7,7 +7,7 @@ including, Cache Monitoring Technology (CMT), Memory Bandwidth Monitoring

 Name:		intel-cmt-cat
 Version:	23.11
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Intel cache monitoring and allocation technology config tool

 License:	BSD-3-Clause
@ -17,6 +17,8 @@ Source: 	%{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Patch0:		0001-alter-install-paths.patch
 Patch1:		0002-remove-build-and-install-of-examples.patch
 Patch2:		0003-allow-debian-flags-to-be-added.patch
+Patch3:		0004-lib-fix-variable-types-in-common.c-pqos_read.patch
+Patch4:		0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch

 ExclusiveArch:	x86_64

@ -66,6 +68,9 @@ Development files.
 %{_libdir}/libpqos.so

 %changelog
+* Fri Aug 23 2024 Eugene Syromiatnikov <esyr@redhat.com> - 23.11-5
+- Address issues reported by SAST (RHEL-40017)
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 23.11-4
 - Bump release for June 2024 mass rebuild