From 51d64c142b4f7e127ea17190ef08983e9392be60 Mon Sep 17 00:00:00 2001
From: Leo Sandoval
Date: Tue, 27 Jan 2026 14:37:33 -0600
Subject: [PATCH] Fix several SAST findings
SAST findings correspond to 'syslinux-6.04-0.26.el10: RHEL SAST Automation: address 13 High impact true positive(s)'
Resolves: #RHEL-51170
Signed-off-by: Leo Sandoval
---
 ...xfs_dir2.c-fix-use-after-free-return.patch | 37 +++++++
 ...onsole.c-initialized-pointer-to-NULL.patch | 43 ++++++++
 ...xtlinux-main.c-close-file-descriptor.patch | 37 +++++++
 ...installer-advio.c-deallocated-string.patch | 37 +++++++
 ...deallocate-devname-string-before-ret.patch | 97 +++++++++++++++++++
 syslinux.spec | 12 ++-
 6 files changed, 261 insertions(+), 2 deletions(-)
 create mode 100644 0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch
 create mode 100644 0011-efi-console.c-initialized-pointer-to-NULL.patch
 create mode 100644 0012-extlinux-main.c-close-file-descriptor.patch
 create mode 100644 0013-libinstaller-advio.c-deallocated-string.patch
 create mode 100644 0014-extlinux-main.c-deallocate-devname-string-before-ret.patch
diff --git a/0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch b/0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch
new file mode 100644
index 0000000..76b53d9
--- /dev/null
+++ b/0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 27 Jan 2026 13:39:11 -0600
+Subject: [PATCH] xfs/xfs_dir2.c: fix use-after-free return
+
+Once on the 'failed' scope, 'ip' is deallocated thus function should return
+NULL instead of the deallocated variable.
+
+Fixes:
+
+ Error: USE_AFTER_FREE (CWE-416): [#def8] [important]
+ syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:521:5: freed_arg: "free" frees "ip". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:523:5: use_after_free: Using freed pointer "ip".
+ # 521| free(ip);
+ # 522|
+ # 523|-> return ip;
+ # 524| }
+ # 525|
+
+Signed-off-by: Leo Sandoval
+---
+ core/fs/xfs/xfs_dir2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/fs/xfs/xfs_dir2.c b/core/fs/xfs/xfs_dir2.c
+index 2f5928a5..e73e45f1 100644
+--- a/core/fs/xfs/xfs_dir2.c
++++ b/core/fs/xfs/xfs_dir2.c
+@@ -520,7 +520,7 @@ found:
+ failed:
+ free(ip);
+
+- return ip;
++ return NULL;
+ }
+
+ static xfs_fsblock_t
diff --git a/0011-efi-console.c-initialized-pointer-to-NULL.patch b/0011-efi-console.c-initialized-pointer-to-NULL.patch
new file mode 100644
index 0000000..1ef24db
--- /dev/null
+++ b/0011-efi-console.c-initialized-pointer-to-NULL.patch
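Review bot: Returning NULL from the `failed:` path is the right fix, but every caller of this function must now handle a NULL result, and because the old code returned a dangling non-NULL pointer, a call site that never checked for NULL would have looked correct until now. It is worth walking the callers in core/fs/xfs/xfs_dir2.c and confirming each one tests the result before dereferencing it, since the patch only changes the callee. The enclosing function starts outside the hunk, so its name and its other return paths are not visible here.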
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 27 Jan 2026 13:44:05 -0600
+Subject: [PATCH] efi/console.c: initialized pointer to NULL
+
+Fixes:
+
+ Error: UNINIT (CWE-457): [#def9] [important]
+ syslinux-6.04-pre1/efi/console.c:242:2: var_decl: Declaring variable "first" without initializer.
+ syslinux-6.04-pre1/efi/console.c:271:3: uninit_use: Using uninitialized value "first".
+ # 269| &depth, &refresh);
+ # 270|
+ # 271|-> if (status == EFI_SUCCESS && (!first || pciio)) {
+ # 272| width = w;
+ # 273| height = h;
+
+ Error: UNINIT (CWE-457): [#def10] [important]
+ syslinux-6.04-pre1/efi/console.c:242:2: var_decl: Declaring variable "first" without initializer.
+ syslinux-6.04-pre1/efi/console.c:282:2: uninit_use: Using uninitialized value "first".
+ # 280| }
+ # 281|
+ # 282|-> if (!first)
+ # 283| goto out;
+ # 284| rv = 1;
+
+Signed-off-by: Leo Sandoval
+---
+ efi/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/efi/console.c b/efi/console.c
+index d7ed0b4a..206a8131 100644
+--- a/efi/console.c
++++ b/efi/console.c
+@@ -239,7 +239,7 @@ struct _EFI_UGA_DRAW_PROTOCOL {
+
+ static int setup_uga(struct screen_info *si)
+ {
+- EFI_UGA_DRAW_PROTOCOL *uga, *first;
++ EFI_UGA_DRAW_PROTOCOL *uga, *first = NULL;
+ EFI_GUID UgaProtocol = EFI_UGA_PROTOCOL_GUID;
+ UINT32 width, height;
+ EFI_STATUS status;
diff --git a/0012-extlinux-main.c-close-file-descriptor.patch b/0012-extlinux-main.c-close-file-descriptor.patch
new file mode 100644
index 0000000..57e3a06
--- /dev/null
+++ b/0012-extlinux-main.c-close-file-descriptor.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 27 Jan 2026 14:00:55 -0600
+Subject: [PATCH] extlinux/main.c: close file descriptor
+
+Fixes:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def14] [important]
+ syslinux-6.04-pre1/extlinux/main.c:623:5: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+ syslinux-6.04-pre1/extlinux/main.c:623:5: var_assign: Assigning: "fd" = handle returned from "open(c32file, 1053249, 292)".
+ syslinux-6.04-pre1/extlinux/main.c:630:5: noescape: Resource "fd" is not freed or pointed-to in "xpwrite".
+ syslinux-6.04-pre1/extlinux/main.c:640:5: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
+ # 638| free(oldfile);
+ # 639| free(c32file);
+ # 640|-> return 0;
+ # 641|
+ # 642| bail:
+
+Signed-off-by: Leo Sandoval
+---
+ extlinux/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/extlinux/main.c b/extlinux/main.c
+index ebff7eae..8171c025 100644
+--- a/extlinux/main.c
++++ b/extlinux/main.c
+@@ -634,6 +634,9 @@ int ext2_fat_install_file(const char *path, int devfd, struct stat *rst)
+ goto bail;
+ }
+
++ if (fd >= 0)
++ close(fd);
++
+ free(file);
+ free(oldfile);
+ free(c32file);
diff --git a/0013-libinstaller-advio.c-deallocated-string.patch b/0013-libinstaller-advio.c-deallocated-string.patch
new file mode 100644
index 0000000..576e488
--- /dev/null
+++ b/0013-libinstaller-advio.c-deallocated-string.patch
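Review bot: The new `close(fd)` runs only on the success path; the `bail:` label that the SAST trace shows at line 642 is the target of the `goto bail` visible just above the insertion, and unless that label already closes `fd` (not visible in the hunk) the descriptor still leaks whenever a step after the `open` fails. Placing the same guarded close once under `bail:` and falling through to it from the success path would cover every exit, and since the file is written with xpwrite before being closed, checking the return of `close()` instead of discarding it lets a deferred write error surface rather than pass silently. The `fd >= 0` guard also assumes `fd` is initialised to -1 before the `open` at line 623, which the hunk does not show. ext2_fat_install_file begins and ends outside the hunk.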
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 27 Jan 2026 14:15:10 -0600
+Subject: [PATCH] libinstaller/advio.c: deallocated string
+
+Fixes:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def26] [important]
+ syslinux-6.04-pre1/libinstaller/advio.c:104:5: alloc_arg: "asprintf" allocates memory that is stored into "file". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ syslinux-6.04-pre1/libinstaller/advio.c:112:5: noescape: Resource "file" is not freed or pointed-to in "open". [Note: The source code implementation of the function has been overridden by a user model.]
+ syslinux-6.04-pre1/libinstaller/advio.c:132:6: noescape: Resource "file" is not freed or pointed-to in "open". [Note: The source code implementation of the function has been overridden by a user model.]
+ syslinux-6.04-pre1/libinstaller/advio.c:134:3: noescape: Resource "file" is not freed or pointed-to in "fprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ syslinux-6.04-pre1/libinstaller/advio.c:135:3: leaked_storage: Variable "file" going out of scope leaks the storage it points to.
+ # 133| if (fd < 0) {
+ # 134| fprintf(stderr, "Cannot open file '%s' in read/write mode !\nFatal error, exiting.\n", file);
+ # 135|-> return -EACCES;
+ # 136| } else if (fstat(fd, &xst) || xst.st_ino != st.st_ino ||
+ # 137| xst.st_dev != st.st_dev || xst.st_size != st.st_size) {
+
+Signed-off-by: Leo Sandoval
+---
+ libinstaller/advio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libinstaller/advio.c b/libinstaller/advio.c
+index e282e11c..65e70715 100644
+--- a/libinstaller/advio.c
++++ b/libinstaller/advio.c
+@@ -132,6 +132,8 @@ int write_adv(const char *path, const char *cfg)
+ fd = open(file, O_RDWR | O_SYNC);
+ if (fd < 0) {
+ fprintf(stderr, "Cannot open file '%s' in read/write mode !\nFatal error, exiting.\n", file);
++ if (file)
++ free(file);
+ return -EACCES;
+ } else if (fstat(fd, &xst) || xst.st_ino != st.st_ino ||
+ xst.st_dev != st.st_dev || xst.st_size != st.st_size) {
diff --git a/0014-extlinux-main.c-deallocate-devname-string-before-ret.patch b/0014-extlinux-main.c-deallocate-devname-string-before-ret.patch
new file mode 100644
index 0000000..0f28f8e
--- /dev/null
+++ b/0014-extlinux-main.c-deallocate-devname-string-before-ret.patch
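Review bot: The `if (file)` guard around `free(file)` is redundant, since free(NULL) is a defined no-op, and it gives a false sense of safety: when asprintf fails the pointer is not guaranteed to be NULL (glibc leaves it undefined), so the only reliable protection is checking asprintf's return value where `file` is allocated at line 104, which is outside the hunk. `free(file);` alone is enough here. The fix frees `file` only on the `fd < 0` path; whether the `else if` branch at lines 136–137, which the SAST snippet shows also returning, releases it cannot be seen from the hunk, and a single cleanup label that frees `file` and closes `fd` on every exit would settle that for all paths. write_adv begins and ends outside the hunk.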
@@ -0,0 +1,97 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 27 Jan 2026 14:26:15 -0600
+Subject: [PATCH] extlinux/main.c: deallocate devname string before return
+
+Fixes:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def20] [important]
+ syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
+ syslinux-6.04-pre1/extlinux/main.c:1486:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
+ # 1484| program);
+ # 1485| close(devfd);
+ # 1486|-> return 1;
+ # 1487| }
+ # 1488|
+
+ Error: RESOURCE_LEAK (CWE-772): [#def21] [important]
+ syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
+ syslinux-6.04-pre1/extlinux/main.c:1494:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
+ # 1492| } else if (ext_read_adv(path, devfd, NULL) < 0) {
+ # 1493| close(devfd);
+ # 1494|-> return 1;
+ # 1495| }
+ # 1496|
+
+ Error: RESOURCE_LEAK (CWE-772): [#def22] [important]
+ syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
+ syslinux-6.04-pre1/extlinux/main.c:1499:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
+ # 1497| if (modify_adv() < 0) {
+ # 1498| close(devfd);
+ # 1499|-> return 1;
+ # 1500| }
+ # 1501|
+
+ Error: RESOURCE_LEAK (CWE-772): [#def23] [important]
+ syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
+ syslinux-6.04-pre1/extlinux/main.c:1505:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
+ # 1503| if (install_file(path, devfd, &fst)) {
+ # 1504| close(devfd);
+ # 1505|-> return 1;
+ # 1506| }
+ # 1507| if (fst.st_dev != st.st_dev) {
+
+ Error: RESOURCE_LEAK (CWE-772): [#def24] [important]
+ syslinux-6.04-pre1/extlinux/main.c:1478:5: alloc_arg: "open_device" allocates memory that is stored into "devname".
+ syslinux-6.04-pre1/extlinux/main.c:1511:2: leaked_storage: Variable "devname" going out of scope leaks the storage it points to.
+ # 1509| program);
+ # 1510| close(devfd);
+ # 1511|-> return 1;
+ # 1512| }
+ # 1513|
+
+Signed-off-by: Leo Sandoval
+---
+ extlinux/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/extlinux/main.c b/extlinux/main.c
+index 8171c025..a920cd2a 100644
+--- a/extlinux/main.c
++++ b/extlinux/main.c
+@@ -1485,6 +1485,7 @@ static int install_loader(const char *path, int update_only)
+ if (update_only && !syslinux_already_installed(devfd)) {
+ fprintf(stderr, "%s: no previous syslinux boot sector found\n",
+ program);
++ free(devname);
+ close(devfd);
+ return 1;
+ }
+@@ -1493,23 +1494,27 @@ static int install_loader(const char *path, int update_only)
+ if (opt.reset_adv) {
+ syslinux_reset_adv(syslinux_adv);
+ } else if (ext_read_adv(path, devfd, NULL) < 0) {
++ free(devname);
+ close(devfd);
+ return 1;
+ }
+
+ if (modify_adv() < 0) {
++ free(devname);
+ close(devfd);
+ return 1;
+ }
+
+ /* Install ldlinux.sys */
+ if (install_file(path, devfd, &fst)) {
++ free(devname);
+ close(devfd);
+ return 1;
+ }
+ if (fst.st_dev != st.st_dev) {
+ fprintf(stderr, "%s: file system changed under us - aborting!\n",
+ program);
++ free(devname);
+ close(devfd);
+ return 1;
+ }
diff --git a/syslinux.spec b/syslinux.spec
index 0e3c805..465a2c5 100644
--- a/syslinux.spec
+++ b/syslinux.spec
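Review bot: The same `free(devname); close(devfd); return 1;` sequence is now repeated at five exit points of install_loader, which is exactly the situation a single cleanup label avoids, and the next early return added to this function will leak `devname` again unless its author remembers to copy the triplet. Replacing each site with `rv = 1; goto out;` and releasing both resources once under an `out:` label keeps every exit path correct by construction. install_loader begins and ends outside the hunk, so where a result variable would be declared and whether the success path already frees `devname` cannot be confirmed here.
```c
    if (update_only && !syslinux_already_installed(devfd)) {
        fprintf(stderr, "%s: no previous syslinux boot sector found\n",
                program);
        rv = 1;
        goto out;
    }
    /* … unchanged: the other four early returns become `rv = 1; goto out;` in the same way … */
    /* … unchanged: remainder of install_loader, with rv set to its success value … */
out:
    free(devname);
    close(devfd);
    return rv;
```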
@@ -10,7 +10,7 @@ Summary: Simple kernel loader which boots from a FAT filesystem
 Name: syslinux
 Version: 6.04
 %define tarball_version 6.04-pre1
-Release: 0.33%{?dist}
+Release: 0.34%{?dist}
 License: GPL-2.0-or-later
 URL: http://syslinux.zytor.com/wiki/index.php/The_Syslinux_Project
 Source0: http://www.kernel.org/pub/linux/utils/boot/syslinux/%{name}-%{tarball_version}.tar.xz
@@ -23,7 +23,11 @@ Patch0006: 0006-Replace-builtin-strlen-that-appears-to-get-optimized.patch
 Patch0007: 0007-Fix-backspace-when-editing-a-multiline-cmdline.patch
 Patch0008: 0008-Fix-build-with-GCC-14.patch
 Patch0009: 0009-Rewrite_Digest_SHA1_to_SHA.patch
-Patch0010: 0010-Fix-reported-SAST-findings.patch
+Patch0010: 0010-xfs-xfs_dir2.c-fix-use-after-free-return.patch
+Patch0011: 0011-efi-console.c-initialized-pointer-to-NULL.patch
+Patch0012: 0012-extlinux-main.c-close-file-descriptor.patch
+Patch0013: 0013-libinstaller-advio.c-deallocated-string.patch
+Patch0014: 0014-extlinux-main.c-deallocate-devname-string-before-ret.patch
 # this is to keep rpmbuild from thinking the .c32 / .com / .0 / memdisk files
 # in noarch packages are a reason to stop the build.
@@ -263,6 +267,10 @@ fi
 %endif

 %changelog
+* Tue Jan 27 2026 Leo Sandoval - 6.04-0.34
+- Fix more SAST true findings
+- Resolves: #RHEL-51170
+
 * Thu Dec 18 2025 Leo Sandoval - 6.04-0.33
 - Bump release number
 - Resolves: #RHEL-51170
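Review bot: The `Patch0010: 0010-Fix-reported-SAST-findings.patch` line is removed from the spec, yet the diffstat in the commit header shows no deletion of that file and none of the five new patches says it carries its content, so whatever findings the earlier patch fixed presumably stop being applied to the build from release 0.34 on unless they were folded into 0010–0014. Either keep that line and number the new patches 0011–0015, or state in the commit message that the earlier patch is superseded and drop the now-unreferenced file in the same commit. A one-line mention in the changelog entry would also keep the history of those earlier fixes from being lost.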