Hello,

On Thursday, August 7, 2025 12:31:24 PM Eastern Daylight Time Bogdan Harjoc 
wrote:
> the function path_norm() from libauparse.so in audit-4.1.1 still reads one
> byte below the allocated "working" buffer and triggers AddressSanitizer and
> valgrind reports for inputs like "a/../.." or "a/.././..".
> 
> Attached is a test that produces the asan report.

Thanks. I added something like that to the auparse self tests.

> Process paths like these were generated when processing audit syscall
> events for clone and probably others.
> 
> Most of the read underruns in path_norm() were fixed in 2025 and the issue
> mentioned above is apparently the only one remaining in that code.
> 
> Would replacing the while loop with the code below ensure that path_norm
> does not read below the "working" buffer?
> 
> - while (dest > rpath && (--dest)[-1] != '/');
> 
> + char *slash = (char *)memrchr(rpath, '/', dest - rpath);
> + if (slash)
> + dest = (slash == rpath) ? (rpath + 1) : slash;
> + else
> + dest = rpath;
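
Review bot: The memrchr() call scans dest - rpath bytes, so it tests dest[-1], and the new code then leaves dest on the slash. The removed loop pre-decrements, first tests the byte two below the original dest, and stops with dest one past the slash. If dest[-1] can ever be '/', the replacement would drop only that slash instead of the previous component. To keep the old post-condition without the under-read, search dest - rpath - 1 bytes when dest > rpath and set dest = slash + 1, falling back to dest = rpath when nothing is found. memrchr() is also a GNU extension, so the file needs _GNU_SOURCE defined before including <string.h>, and the (char *) cast is unnecessary in C.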

The fix is simple, see commit 4f01ca0. I want to keep this mostly "as is" 
since it mirrors code from glibc's realpath.

-Steve

_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
