Fix several SAST findings

SAST findings correspond to 'syslinux-6.04-0.26.el10: RHEL SAST
Automation: address 13 High impact true positive(s)'

Resolves: #RHEL-51170
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Leo Sandoval 2026-01-27 14:37:33 -06:00
parent 06f860b04f
commit 51d64c142b
6 changed files with 261 additions and 2 deletions


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 27 Jan 2026 13:39:11 -0600
Subject: [PATCH] xfs/xfs_dir2.c: fix use-after-free return
Once on the 'failed' scope, 'ip' is deallocated thus function should return
NULL instead of the deallocated variable.
Fixes:
Error: USE_AFTER_FREE (CWE-416): [#def8] [important]
syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:521:5: freed_arg: "free" frees "ip". [Note: The source code implementation of the function has been overridden by a builtin model.]
syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:523:5: use_after_free: Using freed pointer "ip".
# 521| free(ip);
# 522|
# 523|-> return ip;
# 524| }
# 525|
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
core/fs/xfs/xfs_dir2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/fs/xfs/xfs_dir2.c b/core/fs/xfs/xfs_dir2.c
index 2f5928a5..e73e45f1 100644
--- a/core/fs/xfs/xfs_dir2.c
+++ b/core/fs/xfs/xfs_dir2.c
@@ -520,7 +520,7 @@ found:
failed:
free(ip);
- return ip;
+ return NULL;
}
static xfs_fsblock_t
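Review bot: Callers of this lookup now receive NULL where they previously received the just-freed `ip`, so every call site must test the result before dereferencing it; the function's signature and its callers are outside the hunk (only the `failed:` label and the closing brace are visible), so that cannot be confirmed here. The `free(ip)` on the line above the return is right only if `ip` was allocated on every path that jumps to `failed:`, which the hunk does not show. A one-line comment on the label, `/* ip is released here; callers get NULL on failure */`, would make the contract visible at the point it matters.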


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 27 Jan 2026 13:44:05 -0600
Subject: [PATCH] efi/console.c: initialized pointer to NULL
Fixes:
Error: UNINIT (CWE-457): [#def9] [important]
syslinux-6.04-pre1/efi/console.c:242:2: var_decl: Declaring variable "first" without initializer.
syslinux-6.04-pre1/efi/console.c:271:3: uninit_use: Using uninitialized value "first".
# 269| &depth, &refresh);
# 270|
# 271|-> if (status == EFI_SUCCESS && (!first || pciio)) {
# 272| width = w;
# 273| height = h;
Error: UNINIT (CWE-457): [#def10] [important]
syslinux-6.04-pre1/efi/console.c:242:2: var_decl: Declaring variable "first" without initializer.
syslinux-6.04-pre1/efi/console.c:282:2: uninit_use: Using uninitialized value "first".
# 280| }
# 281|
# 282|-> if (!first)
# 283| goto out;
# 284| rv = 1;
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
efi/console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/efi/console.c b/efi/console.c
index d7ed0b4a..206a8131 100644
--- a/efi/console.c
+++ b/efi/console.c
@@ -239,7 +239,7 @@ struct _EFI_UGA_DRAW_PROTOCOL {
static int setup_uga(struct screen_info *si)
{
- EFI_UGA_DRAW_PROTOCOL *uga, *first;
+ EFI_UGA_DRAW_PROTOCOL *uga, *first = NULL;
EFI_GUID UgaProtocol = EFI_UGA_PROTOCOL_GUID;
UINT32 width, height;
EFI_STATUS status;
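Review bot: The changed declaration now mixes an uninitialized declarator (`uga`) and an initialized one (`first = NULL`) on a single line, which is easy to misread; splitting it, `EFI_UGA_DRAW_PROTOCOL *uga;` and `EFI_UGA_DRAW_PROTOCOL *first = NULL;`, makes the initialization stand out. `width` and `height` on the next line stay uninitialized; from the finding excerpt they are assigned only inside the `status == EFI_SUCCESS` branch and the later `if (!first) goto out;` appears to keep them from being read otherwise, but the body of setup_uga is outside the hunk, so that is worth confirming. The patch subject says "initialized pointer to NULL"; "initialize pointer to NULL" reads better if the patch is regenerated.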


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 27 Jan 2026 14:00:55 -0600
Subject: [PATCH] extlinux/main.c: close file descriptor
Fixes:
Error: RESOURCE_LEAK (CWE-772): [#def14] [important]
syslinux-6.04-pre1/extlinux/main.c:623:5: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
syslinux-6.04-pre1/extlinux/main.c:623:5: var_assign: Assigning: "fd" = handle returned from "open(c32file, 1053249, 292)".
syslinux-6.04-pre1/extlinux/main.c:630:5: noescape: Resource "fd" is not freed or pointed-to in "xpwrite".
syslinux-6.04-pre1/extlinux/main.c:640:5: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 638| free(oldfile);
# 639| free(c32file);
# 640|-> return 0;
# 641|
# 642| bail:
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
extlinux/main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/extlinux/main.c b/extlinux/main.c
index ebff7eae..8171c025 100644
--- a/extlinux/main.c
+++ b/extlinux/main.c
@@ -634,6 +634,9 @@ int ext2_fat_install_file(const char *path, int devfd, struct stat *rst)
goto bail;
}
+ if (fd >= 0)
+ close(fd);
+
free(file);
free(oldfile);
free(c32file);
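Review bot: The added `close(fd)` covers only the success path; the `bail:` label that the enclosing function jumps to on error (visible in the finding excerpt at the top of the patch, just after the `return 0;`) is outside the hunk, and if it does not close `fd` the descriptor still leaks on every error exit taken after the `open`. On the path shown, `fd` has already been written through via `xpwrite` per the excerpt, so the `fd >= 0` guard is presumably redundant here, though harmless. Discarding the result of `close` is common, but `(void)close(fd);` would make that deliberate rather than an oversight. ext2_fat_install_file begins and ends outside the hunk.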


@ -0,0 +1,37 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 27 Jan 2026 14:15:10 -0600
Subject: [PATCH] libinstaller/advio.c: deallocated string
Fixes:
Error: RESOURCE_LEAK (CWE-772): [#def26] [important]
syslinux-6.04-pre1/libinstaller/advio.c:104:5: alloc_arg: "asprintf" allocates memory that is stored into "file". [Note: The source code implementation of the function has been overridden by a builtin model.]
syslinux-6.04-pre1/libinstaller/advio.c:112:5: noescape: Resource "file" is not freed or pointed-to in "open". [Note: The source code implementation of the function has been overridden by a user model.]
syslinux-6.04-pre1/libinstaller/advio.c:132:6: noescape: Resource "file" is not freed or pointed-to in "open". [Note: The source code implementation of the function has been overridden by a user model.]
syslinux-6.04-pre1/libinstaller/advio.c:134:3: noescape: Resource "file" is not freed or pointed-to in "fprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
syslinux-6.04-pre1/libinstaller/advio.c:135:3: leaked_storage: Variable "file" going out of scope leaks the storage it points to.
# 133| if (fd < 0) {
# 134| fprintf(stderr, "Cannot open file '%s' in read/write mode !\nFatal error, exiting.\n", file);
# 135|-> return -EACCES;
# 136| } else if (fstat(fd, &xst) || xst.st_ino != st.st_ino ||
# 137| xst.st_dev != st.st_dev || xst.st_size != st.st_size) {
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
libinstaller/advio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libinstaller/advio.c b/libinstaller/advio.c
index e282e11c..65e70715 100644
--- a/libinstaller/advio.c
+++ b/libinstaller/advio.c
@@ -132,6 +132,8 @@ int write_adv(const char *path, const char *cfg)
fd = open(file, O_RDWR | O_SYNC);
if (fd < 0) {
fprintf(stderr, "Cannot open file '%s' in read/write mode !\nFatal error, exiting.\n", file);
+ if (file)
+ free(file);
return -EACCES;
} else if (fstat(fd, &xst) || xst.st_ino != st.st_ino ||
xst.st_dev != st.st_dev || xst.st_size != st.st_size) {
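Review bot: The `if (file)` guard before `free(file)` is redundant, since `free(NULL)` is a no-op, and `file` was passed to `fprintf` on the line just above; `free(file);` alone is clearer. More importantly, the hunk releases `file` only on the `fd < 0` exit: the `fstat` mismatch branch that starts on the last two lines of the hunk, and any later exits of write_adv, are outside the hunk and presumably still leak the asprintf'd string (the original finding also names the open at line 112). A single cleanup label that frees `file` and closes `fd` on every exit would close the remaining leaks; write_adv begins and ends outside the hunk.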


@ -0,0 +1,97 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 27 Jan 2026 14:26:15 -0600
Subject: [PATCH] extlinux/main.c: deallocate devname string before return
Fixes:
Error: RESOURCE_LEAK (CWE-772): [#def20] [important]
syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
syslinux-6.04-pre1/extlinux/main.c:1486:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
# 1484| program);
# 1485| close(devfd);
# 1486|-> return 1;
# 1487| }
# 1488|
Error: RESOURCE_LEAK (CWE-772): [#def21] [important]
syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
syslinux-6.04-pre1/extlinux/main.c:1494:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
# 1492| } else if (ext_read_adv(path, devfd, NULL) < 0) {
# 1493| close(devfd);
# 1494|-> return 1;
# 1495| }
# 1496|
Error: RESOURCE_LEAK (CWE-772): [#def22] [important]
syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
syslinux-6.04-pre1/extlinux/main.c:1499:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
# 1497| if (modify_adv() < 0) {
# 1498| close(devfd);
# 1499|-> return 1;
# 1500| }
# 1501|
Error: RESOURCE_LEAK (CWE-772): [#def23] [important]
syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
syslinux-6.04-pre1/extlinux/main.c:1505:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
# 1503| if (install_file(path, devfd, &fst)) {
# 1504| close(devfd);
# 1505|-> return 1;
# 1506| }
# 1507| if (fst.st_dev != st.st_dev) {
Error: RESOURCE_LEAK (CWE-772): [#def24] [important]
syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
syslinux-6.04-pre1/extlinux/main.c:1511:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
# 1509| program);
# 1510| close(devfd);
# 1511|-> return 1;
# 1512| }
# 1513|
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
extlinux/main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/extlinux/main.c b/extlinux/main.c
index 8171c025..a920cd2a 100644
--- a/extlinux/main.c
+++ b/extlinux/main.c
@@ -1485,6 +1485,7 @@ static int install_loader(const char *path, int update_only)
if (update_only && !syslinux_already_installed(devfd)) {
fprintf(stderr, "%s: no previous syslinux boot sector found\n",
program);
+ free(devname);
close(devfd);
return 1;
}
@@ -1493,23 +1494,27 @@ static int install_loader(const char *path, int update_only)
if (opt.reset_adv) {
syslinux_reset_adv(syslinux_adv);
} else if (ext_read_adv(path, devfd, NULL) < 0) {
+ free(devname);
close(devfd);
return 1;
}
if (modify_adv() < 0) {
+ free(devname);
close(devfd);
return 1;
}
/* Install ldlinux.sys */
if (install_file(path, devfd, &fst)) {
+ free(devname);
close(devfd);
return 1;
}
if (fst.st_dev != st.st_dev) {
fprintf(stderr, "%s: file system changed under us - aborting!\n",
program);
+ free(devname);
close(devfd);
return 1;
}
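Review bot: The same three-line `free(devname); close(devfd); return 1;` sequence is now repeated at five exits of install_loader (one in the first hunk, four in the second), which is exactly the pattern that let these exits miss the free in the first place; a single cleanup label, `fail: free(devname); close(devfd); return 1;`, with each site reduced to `goto fail;`, would keep a future exit from skipping a step. The function's remaining exits, including its success path, lie outside both hunks, so whether `devname` is released there cannot be seen here. On the paths shown `devname` is not used after the free, so the ordering relative to the `fprintf` calls is fine.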


@ -10,7 +10,7 @@ Summary: Simple kernel loader which boots from a FAT filesystem
Name: syslinux
Version: 6.04
%define tarball_version 6.04-pre1
Release: 0.33%{?dist}
Release: 0.34%{?dist}
License: GPL-2.0-or-later
URL: http://syslinux.zytor.com/wiki/index.php/The_Syslinux_Project
Source0: http://www.kernel.org/pub/linux/utils/boot/syslinux/%{name}-%{tarball_version}.tar.xz
@ -23,7 +23,11 @@ Patch0006: 0006-Replace-builtin-strlen-that-appears-to-get-optimized.patch
Patch0007: 0007-Fix-backspace-when-editing-a-multiline-cmdline.patch
Patch0008: 0008-Fix-build-with-GCC-14.patch
Patch0009: 0009-Rewrite_Digest_SHA1_to_SHA.patch
Patch0010: 0010-Fix-reported-SAST-findings.patch
Patch0010: 0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch
Patch0011: 0011-efi-console.c-initialized-pointer-to-NULL.patch
Patch0012: 0012-extlinux-main.c-close-file-descriptor.patch
Patch0013: 0013-libinstaller-advio.c-deallocated-string.patch
Patch0014: 0014-extlinux-main.c-deallocate-devname-string-before-ret.patch
# this is to keep rpmbuild from thinking the .c32 / .com / .0 / memdisk files
# in noarch packages are a reason to stop the build.
@ -263,6 +267,10 @@ fi
%endif
%changelog
* Tue Jan 27 2026 Leo Sandoval <lsandova@redhat.com> - 6.04-0.34
- Fix more SAST true findings
- Resolves: #RHEL-51170
* Thu Dec 18 2025 Leo Sandoval <lsandova@redhat.com> - 6.04-0.33
- Bump release number
- Resolves: #RHEL-51170
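Review bot: `0010-Fix-reported-SAST-findings.patch` is dropped from the Patch list, but the diffstat (6 files, 2 deletions, no file removed) indicates the file itself stays in the tree, and nothing states whether the five new patches 0010–0014 cover everything it contained; if they do not, those fixes are silently no longer applied. Either remove the stale file in the same commit or say in the changelog that the old patch was split into 0010–0014. The changelog line `- Fix more SAST true findings` could name the replaced patch so the history is traceable.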