From f85de50fae56c6ce21b293b9fcd62db51a52d45a Mon Sep 17 00:00:00 2001
From: Eugene Syromiatnikov
Date: Fri, 23 Aug 2024 13:00:21 +0200
Subject: [PATCH] Fix issues reported by SAST * 0004-lib-fix-variable-types-in-common.c-pqos_read.patch: New file. * 0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch: Likewise. * intel-cmt-cat.spec (Release): Bump to 5. (Patch3, Patch4): New patches. (%changelog): New record.
Resolves: RHEL-40017
Signed-off-by: Eugene Syromiatnikov
---
...variable-types-in-common.c-pqos_read.patch | 51 +++++++++++++++++++
...en-buf-points-to-NULL-in-common.c-pq.patch | 34 +++++++++++++
intel-cmt-cat.spec | 7 ++-
3 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 0004-lib-fix-variable-types-in-common.c-pqos_read.patch
create mode 100644 0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch
diff --git a/0004-lib-fix-variable-types-in-common.c-pqos_read.patch b/0004-lib-fix-variable-types-in-common.c-pqos_read.patch
new file mode 100644
index 0000000..5a3fede
--- /dev/null
+++ b/0004-lib-fix-variable-types-in-common.c-pqos_read.patch
@@ -0,0 +1,51 @@
+From aadf13d6c87b6fe8d1393623757f826514eaad77 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov
+Date: Fri, 16 Aug 2024 16:02:40 +0200
+Subject: [PATCH 4/5] lib: fix variable types in common.c:pqos_read()
+
+The types used for len and ret variables in pqos_read do not match
+neither the function prototype, nor read() library call, which may lead
+to possible overflow; while the ret overflow is arguably hypothetical
+on Linux, as it likely won't return a value greater than 0x7ffff000,
+which is less than INT_MAX, a potential overflow of len seems
+to be possible, as caller might pass count greater than INT_MAX.
+Fix it by changing the type of len to size_t, to match count,
+and the type of ret to ssize_t, to match the return type of read().
+
+Discovered by covscan:
+
+ Error: INTEGER_OVERFLOW (CWE-190):
+ intel-cmt-cat-23.11/lib/common.c:382: tainted_data_return: Called function "read(fd, byte_ptr, len)", and a possible return value may be less than zero.
+ intel-cmt-cat-23.11/lib/common.c:382: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
+ intel-cmt-cat-23.11/lib/common.c:389: overflow: The expression "len" is considered to have possibly overflowed.
+ intel-cmt-cat-23.11/lib/common.c:382: overflow_sink: "len", which might be negative, is passed to "read(fd, byte_ptr, len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ # 380| return -1;
+ # 381|
+ # 382|-> while (len != 0 && (ret = read(fd, byte_ptr, len)) != 0) {
+ # 383| if (ret == -1) {
+ # 384| if (errno == EINTR)
+
+Signed-off-by: Eugene Syromiatnikov
+---
+ lib/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/common.c b/lib/common.c
+index 55584b34633a..c9688b82f99d 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -378,9 +378,9 @@ pqos_munmap(void *mem, const uint64_t size)
+ ssize_t
+ pqos_read(int fd, void *buf, size_t count)
+ {
+- int len = count;
++ size_t len = count;
+ char *byte_ptr = (char *)buf;
+- int ret;
++ ssize_t ret;
+
+ if (buf == NULL)
+ return -1;
+--
+2.28.0
+
diff --git a/0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch b/0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch
new file mode 100644
index 0000000..dd44cd8
--- /dev/null
+++ b/0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch
@@ -0,0 +1,34 @@
+From 182bb7032151e39d6af6fc34992c7940568b1117 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov
+Date: Fri, 16 Aug 2024 16:11:22 +0200
+Subject: [PATCH 5/5] lib: set errno when buf points to NULL in
+ common.c:pqos_read()
+
+There is little need for the check, as the first read() call is supposed
+to fail with EFAULT in case buf is NULL, but if this check is done,
+it would be nice if it matches the error code the call it wraps.
+
+Signed-off-by: Eugene Syromiatnikov
+---
+ lib/common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/common.c b/lib/common.c
+index c9688b82f99d..3273c86d16e8 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -382,8 +382,10 @@ pqos_read(int fd, void *buf, size_t count)
+ char *byte_ptr = (char *)buf;
+ ssize_t ret;
+
+- if (buf == NULL)
++ if (buf == NULL) {
++ errno = EFAULT;
+ return -1;
++ }
+
+ while (len != 0 && (ret = read(fd, byte_ptr, len)) != 0) {
+ if (ret == -1) {
+--
+2.28.0
+
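Review bot: In the lib/common.c hunk carried by 0004, `len` becomes `size_t` but nothing bounds `count` before it reaches `read()`, so a `count` above `SSIZE_MAX` is still passed through even though `pqos_read()` returns `ssize_t` and cannot represent such a length. POSIX leaves `read()` with a byte count above `SSIZE_MAX` implementation-defined, and the patch description itself leans on Linux capping a single transfer at 0x7ffff000. A guard beside the existing NULL check would make the contract explicit: `if (count > SSIZE_MAX) { errno = EINVAL; return -1; }` (`SSIZE_MAX` comes from `<limits.h>`). The loop body and the return statement are outside the hunk, so the value finally handed back to the caller should be checked there against the same bound.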
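Review bot: The new `errno = EFAULT` branch in the lib/common.c hunk of 0005 fires for every NULL `buf`, including `count == 0`, where the `while (len != 0 && …)` loop below it would never call `read()`; that case is reported as a fault although no access would have been attempted. If this is intended, a comment on the check would record it, e.g. `/* NULL buf is always rejected, even for count == 0; errno mirrors read(2)'s EFAULT */`. If zero-length calls are meant to behave like the wrapped call, the condition could be `if (buf == NULL && count != 0)`, but the return path of pqos_read is outside the hunk, so confirm what it returns for an empty loop before changing it.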
diff --git a/intel-cmt-cat.spec b/intel-cmt-cat.spec index c778e61..66ff2db 100644 --- a/intel-cmt-cat.spec +++ b/intel-cmt-cat.spec @@ -7,7 +7,7 @@ including, Cache Monitoring Technology (CMT), Memory Bandwidth Monitoring Name: intel-cmt-cat Version: 23.11 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Intel cache monitoring and allocation technology config tool License: BSD-3-Clause @@ -17,6 +17,8 @@ Source: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch0: 0001-alter-install-paths.patch Patch1: 0002-remove-build-and-install-of-examples.patch Patch2: 0003-allow-debian-flags-to-be-added.patch +Patch3: 0004-lib-fix-variable-types-in-common.c-pqos_read.patch +Patch4: 0005-lib-set-errno-when-buf-points-to-NULL-in-common.c-pq.patch ExclusiveArch: x86_64 @@ -66,6 +68,9 @@ Development files. %{_libdir}/libpqos.so %changelog +* Fri Aug 23 2024 Eugene Syromiatnikov - 23.11-5 +- Address issues reported by SAST (RHEL-40017) + * Mon Jun 24 2024 Troy Dawson - 23.11-4 - Bump release for June 2024 mass rebuild