Hello,

On Thursday, August 7, 2025 12:31:24 PM Eastern Daylight Time Bogdan Harjoc wrote:
> the function path_norm() from libauparse.so in audit-4.1.1 still reads one
> byte below the allocated "working" buffer and triggers AddressSanitizer and
> valgrind reports for inputs like "a/../.." or "a/.././..".
>
> Attached is a test that produces the asan report.

Thanks. I added something like that to the auparse self tests.

> Process paths like these were generated when processing audit syscall
> events for clone and probably others.
>
> Most of the read underruns in path_norm() were fixed in 2025 and the issue
> mentioned above is apparently the only one remaining in that code.
>
> Would replacing the while loop with the code below ensure that path_norm
> does not read below the "working" buffer?
>
> - while (dest > rpath && (--dest)[-1] != '/');
>
> + char *slash = (char *)memrchr(rpath, '/', dest - rpath);
> + if (slash)
> + dest = (slash == rpath) ? (rpath + 1) : slash;
> + else
> + dest = rpath;

The fix is simple, see commit 4f01ca0. I want to keep this mostly "as is" since
it mirrors code from glibc's realpath.

-Steve
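
Review bot: the added `dest = (slash == rpath) ? (rpath + 1) : slash;` leaves dest on the '/' itself, while the removed loop stops either at rpath or with dest[-1] == '/', that is, one past the slash. memrchr over `dest - rpath` bytes also inspects dest[-1], which the removed loop skipped by pre-decrementing, so a trailing '/' at dest[-1] would now match immediately. If the code after this point relies on dest[-1] == '/', the result changes for inputs that never underran; searching `dest - rpath - 1` bytes (only when dest > rpath) and setting `dest = slash + 1` would keep the old postcondition while still staying inside the buffer. memrchr is a GNU extension, so the file needs _GNU_SOURCE defined before its includes, and the (char *) cast on its return value is unnecessary in C.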